Welcome to the Zenarmor User Guide
Zenarmor SASE Anywhere Architecture™ — Security That Runs Where You Do
Zenarmor extends OPNsense by bringing modern, application-aware security capabilities to open-source firewall environments.
While OPNsense provides a powerful and flexible firewall platform, Zenarmor enhances it with deep traffic inspection, application visibility, and advanced threat protection, enabling organizations to secure their networks beyond traditional Layer-4 controls.
What Is Zenarmor?
Zenarmor is a software-defined, hardware-agnostic network security platform designed for today's distributed, hybrid, and constantly changing business environments. It provides an entire Secure Access Service Edge (SASE) stack in a single, portable, lightweight software engine that can be installed in minutes rather than months on any gateway, cloud instance, or endpoint device.
Zenarmor enforces security at the source, directly on the device, at the network edge, or in the cloud, wherever your users and workloads are truly located, in contrast to typical security solutions that push your traffic through remote vendor-controlled infrastructure.
In one sentence: Zenarmor is the first single-app, single-stack SASE platform in the industry that natively enforces Zero Trust at the endpoint, edge, and cloud, with no PoPs, no proprietary hardware, and no complexity.
The Problem With the Way Security Has Been Done
Today’s networks no longer follow a fixed perimeter. Users connect from home offices, branch locations, client sites, and public networks, while applications are distributed across cloud platforms such as AWS and Azure, SaaS environments, and private data centers. As a result, the traditional concept of a single security boundary has effectively disappeared.
However, many legacy security solutions, including traditional Next-Generation Firewalls (NGFW), VPNs, and even some modern SASE offerings, are built around a centralized inspection model. In these architectures, network traffic must be routed through vendor-managed Points of Presence (PoPs) or centralized inspection points before reaching its destination.
This architectural approach introduces several real-world challenges.
Regarding contemporary SASE solutions, this could mean:
- Added latency: Traffic is redirected through remote PoPs, negatively impacting performance and user experience.
- PoP outages: When a vendor's data center or PoP goes down, users are forced to connect to a more distant node or, worse, bypass security entirely.
- Shared infrastructure risks: PoPs are shared among multiple enterprise tenants, including gateway IP addresses. One bad actor on shared infrastructure can compromise the reputation of your traffic.
- No control over exit geography: Your traffic may be routed through regions with unfavorable privacy laws or regulatory environments.
- Data sovereignty concerns: TLS inspection and traffic analysis happen inside the vendor's cloud, meaning your data leaves your boundaries.
- Patchwork integrations: Many cloud-only SASE vendors assembled their platforms through rushed acquisitions, resulting in disconnected dashboards, interoperability issues, steep learning curves, and deployments that drag on for months.
- Bandwidth throttling and overage charges: Some cloud-only SASE solutions cap bandwidth or charge unpredictable overage fees based on usage.
A similar problem occurs with traditional VPNs that forward all traffic to a central firewall for inspection, which can cause:
- Additional latency: The farther the user is from the VPN concentrator, the more the user experience suffers, which often leads users to bypass the VPN entirely.
- VPN concentrator overload: VPNs are often sized for occasional or limited use. With the increasing need for remote work, businesses can quickly outgrow traditional VPN services.
- Expensive to operate and upgrade: Appliances can become outdated or fail to scale with increased demand, making upgrades and replacements costly.
- Security gaps: While VPN tunnels are generally encrypted, they provide little additional security beyond transport encryption. Application policy control and user context are typically only available in ZTNA and SASE solutions.
These challenges are not isolated cases but inherent limitations of centralized security models. As a result, users may attempt to bypass security controls entirely, increasing overall risk exposure.
The Zenarmor Approach: Plug.SASE.Everywhere™
Zenarmor was built from the ground up to solve these problems through a fundamentally different architectural philosophy: Plug.SASE.Everywhere™.
Instead of routing your traffic to a vendor-controlled cloud for inspection, Zenarmor brings the entire SASE enforcement stack directly to where your traffic originates: the endpoint, the network edge, or your cloud environment. Security follows your users, and your data never has to leave your defined boundaries to be protected.
This is not a modified version of a cloud-only architecture. It is a purpose-built, distributed enforcement model.
Zenarmor SASE Anywhere Architecture™
Zenarmor is built on the SASE Anywhere Architecture™, which is based on a Single-App, Single-Stack, Single-Pass design.
Single-App
The entire SASE stack (NGFW, SWG, ZTNA, CASB, DPI, AI-driven threat detection, and analytics) is packaged into a single unified software application. There are no separate agents, no disconnected modules, and no multi-vendor orchestration required.
Single-Stack
All security functions operate within one integrated processing pipeline. There is no chaining of disparate security services, no patchwork integrations, and no fragmented management consoles inherited from rushed acquisitions.
Single-Pass
Packets are inspected once and evaluated against all relevant security controls simultaneously. This delivers comprehensive protection without the performance penalty of sequential, multi-stage inspection pipelines.
Where Zenarmor Runs
Zenarmor is both hardware-agnostic and platform-agnostic, allowing it to run across a wide range of environments without requiring specialized appliances.
| Deployment Surface | Supported Platforms |
|---|---|
| Network Gateways | OPNsense, pfSense, FreeBSD, OpenWRT |
| Linux Servers & Cloud | Ubuntu, Debian, Amazon Linux, AWS, Azure, GCP |
| Endpoints | Windows, macOS, Linux, Android, iOS |
| MDM-Managed Fleets | Microsoft Intune, JAMF |
Zenarmor is the first SASE platform in the industry to deploy the full SASE enforcement stack natively on endpoint devices, with all inspection and control happening locally on the device's network interface. No cloud dependency is required for enforcement.
Core Security Capabilities
Zenarmor delivers a complete, integrated SASE and SSE capability set:
- Deep Packet Inspection (DPI): Layer 7 traffic analysis that identifies applications, protocols, and content, not just ports and IP addresses.
- AI-Driven Threat Detection: Real-time identification of malware, phishing, command-and-control (C2) traffic, and anomalous behavior.
- Secure Web Gateway (SWG): Web filtering and policy enforcement for internet-bound traffic across all users and locations.
- Zero Trust Network Access (ZTNA): Identity- and context-aware access control that grants users access only to what they need, enforced at the point of access, not at a distant cloud proxy.
- Cloud Access Security Broker (CASB): Visibility and control over SaaS application usage, including shadow IT detection.
- Firewall-as-a-Service (FWaaS): Next-generation firewall capabilities delivered as a software-defined service across all deployment nodes.
- TLS/SSL Inspection: Encrypted traffic inspection performed locally within your network boundaries; your decrypted traffic never touches the vendor's cloud.
- Application Visibility & Control: Granular identification and policy enforcement at the application level, across all traffic flows.
- Security Analytics & Reporting: Centralized visibility into users, devices, applications, and threats across the entire distributed environment.
Zero Trust, Without the Complexity
Zenarmor enforces Zero Trust natively, at the point of access, not at a distant PoP or proxy. Policies are applied based on user identity, device posture, location context, and application type, regardless of whether the user is on-premises, remote, or roaming.
Identity provider (IdP) integration is built in, supporting:
- Microsoft Azure Entra ID
- Google Workspace
- Okta
- Any SAML 2.0-compatible provider
- Zenarmor's built-in authentication for organizations without an existing IdP
This means Zero Trust enforcement is accessible to organizations of every size, not just enterprises with mature identity infrastructure.
Centralized Management: Zenconsole
All Zenarmor deployments, regardless of scale, geography, or deployment surface, are managed through Zenconsole, a cloud-based, multi-tenant management platform.
Figure 1. Zenconsole Cloud Portal
Zenconsole provides:
- Centralized policy management across all gateways and endpoints
- Multi-node monitoring with real-time visibility
- User, device, and application-level traffic analytics
- Security reporting and compliance dashboards
- Global Deployment UI for provisioning new nodes via a simple one-time installation script
Why Zenarmor Is Different: Head-to-Head
| Capability | Traditional Cloud-Only SASE | Zenarmor Plug.SASE.Everywhere™ |
|---|---|---|
| Traffic Inspection Location | Vendor PoP (cloud) | Local - endpoint, edge, or your cloud |
| Latency Impact | 20–300ms added via PoP backhaul | < 2ms - inspection at source |
| Data Sovereignty | Data processed in vendor cloud | Data stays within your boundaries |
| TLS Inspection | Vendor decrypts your traffic | Decryption happens locally |
| Hardware Requirements | Often requires proprietary appliances or agents | Runs on any x86/ARM64 hardware or VM |
| Endpoint Protection | Typically agent-only, cloud-dependent | Full SASE stack runs natively on the endpoint |
| IoT / OT / Legacy Device Support | Limited or unsupported | Fully supported via gateway deployment |
| Deployment Time | Weeks to months | Minutes |
| Bandwidth Costs | Consumption-based overages common | No cloud bandwidth charges |
| PoP Outage Risk | High - users may bypass security | Eliminated - no PoP dependency |
| Management | Often multi-console (patchwork acquisitions) | Single unified console (Zenconsole) |
| Licensing Model | Complex, consumption-based | Simple, predictable subscription |
Deployment Flexibility: On Your Terms
Zenarmor's brownfield-friendly architecture means you do not need to rip and replace your existing infrastructure. It integrates with existing firewalls, SD-WAN, and network infrastructure, and supports incremental adoption:
- Start with remote access: Deploy endpoint protection first.
- Expand to branch offices: Add gateway nodes without new hardware.
- Extend to cloud workloads: Deploy as virtual instances on AWS, Azure, or GCP.
- Mix and match: Combine deployment types to match your specific performance, cost, and compliance requirements.
Available Editions
Zenarmor offers tiered editions to match the needs of any organization:
| Edition | Best For |
|---|---|
| Free Edition | Home users, small environments, evaluation |
| Home Edition | Personal and household networks |
| Business NGFW Edition | SMB and branch network protection |
| SSE Edition | Security Service Edge for distributed teams |
| ZTNA Edition | Zero Trust Network Access for secure resource connectivity |
| SASE Edition | Full-stack SASE for enterprise and mid-market organizations |
Subscriptions are available through the Zenconsole Cloud Portal or through authorized Zenarmor channel partners.
The Bottom Line
The SASE market is projected to exceed $25 billion by 2027 (Gartner), yet the dominant cloud-only delivery model carries structural limitations that create real operational and security risks for organizations every day.
Zenarmor's Plug.SASE.Everywhere™ approach is not an incremental improvement on the cloud-only model; it is a fundamentally different architecture that eliminates the latency, data sovereignty issues, PoP dependency, and complexity problems that cloud-only SASE vendors cannot solve by design.
Security should run where your users and workloads are. With Zenarmor, it does.
Zenarmor is developed by Sunny Valley Cybersecurity, Inc.
Headquarters: Cupertino, CA | EU Office: Frankfurt am Main, Germany
zenarmor.com | [email protected] | +1 (650) 288-4488