Configuring Cloud Threat Intelligence on OPNsense
The Cloud Threat Intelligence tab lets you manage the cloud threat intelligence servers that Zenarmor queries for real-time threat intelligence and web categorization information.
The following options are available on this page:
- Enabling/Disabling the Cloud Reputation & Web Categorization
- Clearing the Cache
- Excluding the Local Domains
- Selecting Cloud Reputation Servers
You may configure the Zenarmor Cloud Threat Intelligence options by navigating to Zenarmor → Settings → Cloud Threat Intelligence on OPNsense web GUI.
Figure 1. OPNsense - Configuring Cloud Reputation & Web Categorization
Enabling Cloud Reputation & Web Categorization
By default, the Cloud Reputation & Web Categorization option is enabled.
To disable updates from the cloud threat intelligence servers:
- Click the Enabled button in the upper right corner of the page. This will display a warning message.
Figure 2. Confirming and Disabling Cloud Reputation & Web Categorization
- Click Confirm and Disable to disable the Cloud Reputation & Web Categorization.
Disabling this feature is not recommended, since effective application and web filtering depends on it.
A substantial percentage of Zenarmor's security features and web categorization capabilities are provided by the Cloud Threat Intelligence System, so disabling it may negatively impact your filtering success rates and security posture.
If you have disabled the Cloud Reputation & Web Categorization option and need to re-enable it, click the Disabled button in the upper right corner of the page. This automatically activates the Cloud Threat Intelligence System.
Excluding Local Domain From CTI
You can configure your local domain names to be excluded from being queried on the Cloud Server. This is handy if you see that your local domain is being categorized as Firstly Seen Sites.
Domains entered here will match all of their subdomains and FQDNs. For instance, example.com will also cover sub.example.com and host.sub.example.com. You don't need to add each subdomain separately.
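The matching rule described above, modelled as an added example (this is not Zenarmor's own code, and the exact label-boundary behaviour of the product is an assumption based on the rule stated on this page). It shows why the check has to be done on whole DNS labels: an entry for example.com should cover sub.example.com and host.sub.example.com, but must not also silence reputation lookups for an unrelated name such as notexample.com, since an over-broad exclusion would skip cloud reputation checks for domains you never meant to trust.

```python
# Added example (not Zenarmor code): models the documented CTI exclusion rule,
# where an excluded domain also covers all of its subdomains and FQDNs.


def normalize(name: str) -> str:
    """Lower-case the name and strip a trailing dot so 'Example.COM.' == 'example.com'."""
    return name.strip().lower().rstrip(".")


def is_excluded(fqdn: str, exclusions) -> bool:
    """Return True if fqdn equals an excluded domain or is a subdomain of one.

    Matching is done on label boundaries: 'example.com' covers 'sub.example.com'
    but not 'notexample.com' (no boundary) and not 'example.com.evil.test'
    (the excluded name is not the suffix).
    """
    host = normalize(fqdn)
    for excluded in exclusions:
        ex = normalize(excluded)
        if not ex:
            continue  # ignore blank entries
        if host == ex or host.endswith("." + ex):
            return True
    return False


def matching_exclusion(fqdn: str, exclusions):
    """Return the most specific (longest) exclusion entry covering fqdn, or None."""
    host = normalize(fqdn)
    best = None
    for excluded in exclusions:
        ex = normalize(excluded)
        if ex and (host == ex or host.endswith("." + ex)):
            if best is None or len(ex) > len(best):
                best = ex
    return best


# Constructed sample exclusion list and lookups (assumed values, not real data).
EXCLUSIONS = ["mycompany.io", "example.com"]

SAMPLE_QUERIES = [
    ("example.com", True),            # exact match
    ("sub.example.com", True),        # subdomain
    ("host.sub.example.com", True),   # deeper FQDN
    ("notexample.com", False),        # shares a suffix but not a label boundary
    ("example.com.evil.test", False), # excluded name is not the DNS suffix
    ("MyCompany.IO.", True),          # case and trailing dot are normalized
]


def run_samples():
    """Evaluate every constructed query against EXCLUSIONS."""
    return {name: is_excluded(name, EXCLUSIONS) for name, _ in SAMPLE_QUERIES}


if __name__ == "__main__":
    for name, expected in SAMPLE_QUERIES:
        got = is_excluded(name, EXCLUSIONS)
        action = "skip cloud query" if got else "query cloud"
        print(f"{name:26s} -> {action:16s} (expected excluded={expected})")
```

The `matching_exclusion` helper is useful when reviewing a long exclusion list: it tells you which entry is responsible for a given hostname being kept away from the cloud, which is the first thing to check if a site you expected to be categorized shows up uncategorized.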
If you want to exclude your domain from cloud threat intelligence queries, you may follow the steps given below:
- Click the Exclude Local Domain button. This will open a dialog box.
- Enter the local domain to exclude from cloud queries, such as mycompany.io, into the Local Domain field.
- Click Submit to activate the settings. This will add the domain to the excluded domains list (the cloud threat intelligence exclusion list) on the page.
Figure 3. Excluding Local Domain From Cloud Queries
Editing a Domain in CTI Exclusion List
Zenarmor allows you to edit the excluded local domains. To edit a local domain that is excluded from cloud threat intelligence queries, follow these steps:
- Click the Actions button with the ... (3 dot) icon next to the domain you wish to edit. This will open a drop-down menu.
- Click the Edit menu item. This will open a dialog box that lets you edit the domain.
- Make the required changes to the domain name and click the Submit button to save the changes.
Figure 4. Editing/Removing Local Domain From Cloud Queries
Removing a Domain From CTI Exclusion List
Zenarmor allows you to remove domains from the cloud threat intelligence exclusion list. To remove a local domain from the excluded list and resume cloud threat intelligence queries for it, follow these steps:
- Click the Actions button with the ... (3 dot) icon next to the domain you wish to remove from the cloud threat intelligence exclusion list. This will open a drop-down menu.
- Click the Remove menu item. This will open a confirmation dialog box.
- Click the Submit button to remove the domain.
Selecting Cloud Reputation Servers
Cloud Reputation servers are selected automatically by the engine according to their network response times: the two cloud servers with the best response times are selected and configured. You can also set them up manually. To switch to another server, follow these steps:
- Click the toggle button under the Status column so that the existing cloud server with the poor response time is set to Passive.
- Click the toggle button under the Status column to select the new server.
- Click Save to activate the new settings.
Figure 5. Selecting Cloud Reputation Servers
Two servers must be configured as Cloud Reputation Servers.
You can check the status of the Cloud Reputation Servers by clicking the Re-Check Nodes Status button at the bottom of the page.
Clearing Cache
Zenarmor caches query results for better performance and periodically checks for updates to the cached items. Zenarmor also allows you to delete all cached categorization information.
To remove locally cached cloud threat intelligence data, click the Clear Cache button at the bottom of the pane. This will delete the cache files on your firewall.
Figure 6. Clearing Cache
Clearing the cache is handy if you want a particular categorization change to take effect immediately instead of waiting for the periodic refresh.