
Configuring Zenarmor Policies on OPNsense

The Free and Premium Editions of Zenarmor come pre-installed with the Default policy. The configuration of default policies is administered by the Zenarmor engine. A Premium subscription contains the following features that are unavailable in the Free Edition:

  • Create new policies

  • Enable/disable policies

  • Specify the packet direction for protection

  • Include/exclude VLANs, IP/Network addresses, users, and groups to be protected

  • Time schedule for each policy

  • Advanced Security functionality

  • Custom Web Control profiles

  • Create Cloud Centralized policies

Please refer to plans and pricing for more information on the features available for each category of Zenarmor subscription.

You cannot modify the Default policy configuration, but you can modify the Security rules, Application Control rules, Web Control rules, and Exclusions on the Default policy to meet your needs.

Create New Policy

When you have the Premium Edition, you can create additional policies to defend your network infrastructure in a more customizable manner. After creating a new policy, the configuration and identification of the policy rules must be completed by editing the policy.

To add a new policy, navigate to Zenarmor > Policies on your OPNsense web UI and click on the Create New Policy button at the top right corner of the Policies page.

Policy List View

Figure 1. Policy List View

To add a new policy, you may follow the next steps:

  1. Navigate to Zenarmor > Policies on your OPNsense web UI.

  2. Click on the Create New Policy button at the top right corner of the Policies page. A dialog box will open to rename the new policy.

  3. Enter a name and click the Create button. The new policy will be created automatically. You will see the new policy in the policy list view. It will be disabled by default. You need to configure it in order to enable it.

Creating a new policy

Figure 2. Creating a new policy

Policy Configuration

After the creation of a new policy, you must complete the configuration of the policy rules. You can edit the configuration of a policy by clicking on the name of the policy in the policy list view. This will display the policy configuration view as shown in the following figure.

Editing a Policy

Figure 3. Editing Policy

Once the policy configuration has been completed, you will be able to apply the policy to your firewall.

The first step is the policy configuration, where you specify to whom and when a policy is applied.

Important Note

Please note that all of the criteria below are combined with the **AND** logical operator. For a flow to match your configured policy, every one of these criteria must match the flow information. The only exception to this rule is Devices and MAC addresses: when they are used together, they are treated interchangeably rather than both being required. For instance, if you have a policy configuration specifying the 10.0.0.0/24 network, the em0 interface, and the “Admins” group, all of these must match. If a packet is seen belonging to the “Admins” group but on the ixl0 interface, that flow will not match this particular policy.

As another example, if you add an IP address such as 192.168.10.11 and a MAC address such as 8C:16:45:6C:77:BB to a policy named Specific_IPandMAC, then the policy will only match if the device with MAC address 8C:16:45:6C:77:BB is assigned the 192.168.10.11 IP address. When this device connects to the network using a different IP address, the Specific_IPandMAC policy is not applied to its network packets.

In other words, if you specify multiple criteria for a policy, the policy is only applied to network packets that meet all of the criteria specified in the policy.
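The AND semantics described in this note are easy to get wrong when several criteria are configured, so here is an added example (written for this page, not Zenarmor's own code) that models the policy-matching decision as a small evaluator. It assumes that an empty criterion means "not restricted" (the page states this for interfaces; applying it to the other criteria is an assumption) and that Devices and MAC addresses, when both are configured, are satisfied by either one. The `Flow` and `Policy` classes, the sample flows and the policy names other than Specific_IPandMAC are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set


@dataclass
class Flow:
    """One observed flow, as the policy engine would see it (constructed model)."""
    interface: str
    direction: str                      # "inbound" or "outbound"
    src_ip: str
    src_mac: str
    vlan_id: Optional[int] = None
    device_id: Optional[str] = None
    user: Optional[str] = None
    groups: FrozenSet[str] = frozenset()


@dataclass
class Policy:
    """Matching criteria of one policy. An empty set means 'not restricted'."""
    name: str
    interfaces: Set[str] = field(default_factory=set)
    directions: Set[str] = field(default_factory=lambda: {"inbound", "outbound"})
    vlan_ids: Set[int] = field(default_factory=set)
    networks: List[str] = field(default_factory=list)      # CIDR strings or single addresses
    mac_addresses: Set[str] = field(default_factory=set)   # lower-case aa:bb:cc:dd:ee:ff form
    device_ids: Set[str] = field(default_factory=set)
    users: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)


def _unrestricted_or_contains(criterion, value) -> bool:
    # An empty criterion imposes no restriction (assumption, see lead-in).
    return not criterion or value in criterion


def _ip_in_networks(ip: str, networks: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    # An address of the other IP family is simply not contained (no exception is raised).
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def flow_matches_policy(flow: Flow, policy: Policy) -> bool:
    """Return True only if every configured criterion matches (AND logic)."""
    if flow.direction not in policy.directions:
        return False
    if not _unrestricted_or_contains(policy.interfaces, flow.interface):
        return False
    if not _unrestricted_or_contains(policy.vlan_ids, flow.vlan_id):
        return False
    if policy.networks and not _ip_in_networks(flow.src_ip, policy.networks):
        return False
    # Devices and MAC addresses are the one exception to the AND rule:
    # when both are configured, matching either one is enough.
    mac_hit = flow.src_mac.lower() in policy.mac_addresses
    dev_hit = flow.device_id in policy.device_ids
    if policy.mac_addresses and policy.device_ids:
        if not (mac_hit or dev_hit):
            return False
    elif policy.mac_addresses and not mac_hit:
        return False
    elif policy.device_ids and not dev_hit:
        return False
    if not _unrestricted_or_contains(policy.users, flow.user):
        return False
    if policy.groups and not (flow.groups & policy.groups):
        return False
    return True


def matching_policies(flow: Flow, policies: List[Policy]) -> List[str]:
    """Names of all policies whose criteria the flow satisfies."""
    return [p.name for p in policies if flow_matches_policy(flow, p)]


def example_policies() -> List[Policy]:
    # The two configurations from the note above.
    return [
        Policy(name="Admins_on_em0", interfaces={"em0"},
               networks=["10.0.0.0/24"], groups={"Admins"}),
        Policy(name="Specific_IPandMAC", networks=["192.168.10.11"],
               mac_addresses={"8c:16:45:6c:77:bb"}),
    ]


def sample_flows() -> dict:
    # Constructed flows; MAC/IP values other than those in the note are made up.
    admins = frozenset({"Admins"})
    return {
        "admin_on_em0": Flow("em0", "outbound", "10.0.0.5", "aa:bb:cc:dd:ee:01", groups=admins),
        "admin_on_ixl0": Flow("ixl0", "outbound", "10.0.0.5", "aa:bb:cc:dd:ee:01", groups=admins),
        "right_ip_and_mac": Flow("em0", "outbound", "192.168.10.11", "8C:16:45:6C:77:BB"),
        "same_mac_other_ip": Flow("em0", "outbound", "192.168.10.50", "8C:16:45:6C:77:BB"),
    }


if __name__ == "__main__":
    for label, flow in sample_flows().items():
        print(f"{label:20s} -> {matching_policies(flow, example_policies())}")
```

Running the block reproduces both examples from the note: the "Admins" flow matches only on em0, and the Specific_IPandMAC policy stops matching as soon as the same MAC address shows up with a different IP address.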

You may configure the following options for a policy:

  • Status
  • Name
  • Time Schedules

You may apply Zenarmor Security, Web and Application control rules on a policy according to the following criteria:

  • No Internet
  • Interfaces
  • Packet Direction
  • VLAN IDs
  • Devices
  • IP / Networks
  • MAC Addresses
  • Users
  • Groups

Enable/Disable Policy

By default, a newly created policy is set to disabled, and none of the interfaces is selected for protection. You should complete policy configuration and set policy rules depending on your needs.

You can enable/disable a policy depending on your needs by clicking on the Status toggle bar on the policy configuration page.

Change Policy Name

You can easily change the name of any policy except the Default policy via the Name field on the policy configuration page.

Restrict Internet Access

Zenarmor allows you to completely restrict Internet access either for Untrusted devices located behind protected interfaces or for all endpoints covered by a policy.

You can accomplish this restriction via No Internet setting on the policy configuration page. There are two options under this setting. By default, these options are disabled.

  • Block all internet access: If you wish to restrict all Internet access at specific time intervals, you can enable this option. When it is enabled, it overrides all rules and blocks all connections. In other words, this option blocks all connections in your network regardless of the policy's app/web/security rules.
  • Block Untrusted Devices: You can enable this option to activate the Device Access Control feature on your network. It prevents unauthorized devices from connecting to the Internet when enabled. Since all newly detected devices are categorized as Untrusted by default, you must acknowledge and mark them as trusted to allow them to reach the Internet if this option is enabled.

No internet options

Figure 4. Blocking All or Untrusted Devices

Select Interfaces

You may select one of the available interfaces to be protected by Zenarmor. By default, none of the interfaces are selected.

You may easily select interfaces by clicking on the checkbox next to the interface name in Interfaces pane of the policy configuration page. The selected interfaces get filtered when the Policy is enabled.

note

If you do not select any of the interfaces, the policy will be checked against network packets on all interfaces.

Select Packet Direction

The network packet direction in which to apply the rules may be specified for a policy. Packets may be filtered Inbound, Outbound, or both directions.

By default, packets in both Inbound and Outbound directions are filtered. You can easily change the packet direction settings by clicking on the toggle bars next to the Inbound and Outbound options on the Packet Direction pane.

VLAN-Based Filtering

You may apply policies to specific VLANs on your network.

tip

For efficient VLAN-based policy configuration, it is advised to select the physical parent interface of VLAN interfaces to be protected.

After adding VLAN-IDs to your policy configuration, all network packets tagged with these VLAN-IDs will be filtered by Zenarmor.

To define VLAN-based filtering, you may follow the next steps:

  1. Click on the + Add VLAN Id button in the VLAN IDs pane.
  2. Type the VLAN ID that you want to filter. (Warning: The VLAN ID must be a number between 1 and 4096.)
  3. Click on the Add button.

Adding VLAN to apply the policy

Figure 5. Adding a VLAN to the policy

All added VLANs are listed on the VLAN IDs pane.

Added VLANs List on policy

Figure 6. Added VLANs List on policy

To remove a VLAN ID from the policy, you may follow the next steps:

  1. Click on the Remove with X icon next to the VLAN ID that you want to delete. This will pop up a dialog box for VLAN removal confirmation.
  2. Click Remove button to delete the VLAN ID from the policy configuration.

Device-Based Filtering

Zenarmor allows you to define device-based filtering by adding discovered devices or device categories to the policy configuration.

Devices options

Figure 7. Devices option

To define device-based filtering by adding a device to the policy configuration, you may follow the next steps:

  1. Click on the + Device button in the Devices pane. This will pop up a dialog box listing the discovered devices on your network.

    Adding Devices

    Figure 8. Adding Devices

  2. Select all the devices that you want to add by clicking on them. Or you may click on the Add Custom Device button at the top right of the dialog box to add a custom device manually. Type Device ID and Description for the custom device.

    Adding Custom Devices

    Figure 9. Adding Custom Device

  3. Click Add button at the bottom of the dialog box.

Device Category-Based Filtering

To add a device category into the policy configuration, you may follow the next steps:

  1. Click on the + Device Category button in Devices pane. This will pop up a dialog box listing device categories.

    Adding Device Category

    Figure 10. Adding Device Category

  2. Select all the device categories that you want to add by clicking on them.

    Selecting device categories to add

    Figure 11. Selecting Device Categories to Add

  3. Click Add button at the bottom of the dialog box.

Update Device-Based Filtering

All added devices in a Device-Based policy are listed in the Devices pane.

Added devices List on policy

Figure 10. Added Devices List on policy

You can perform the following tasks on the added devices by clicking on the Actions column on the Devices pane:

  • Edit: You may change the Description field of a device.
  • Disable/Enable: You may temporarily remove a device from the policy by disabling it. After disabling a device, you may add it to the policy by clicking on the Enable action button on the device list.
  • Remove: To permanently remove a device from the policy, you may click on the Remove action button on the device list.
  • View Device Details: You may view device details by clicking on the Device Details action button on the device list.

Update Device Description in a Policy

To change the description of a device on the policy, you may follow the next steps:

  1. Click on the ... - 3-dot menu icon next to the device that you want to edit under the Actions column. This will pop up a drop-down menu.

    Editing Device

    Figure 11. Editing Device

  2. Click on the Edit menu item.

  3. Change the description of the device.

  4. Click Save.

Remove Devices from a Policy

To remove a device from the policy, you may follow the next steps:

  1. Click on the ... - 3-dot menu icon next to the device that you want to remove under the Actions column. This will pop up a drop-down menu.
  2. Click on the Remove menu item. This will automatically remove the Device from the policy configuration.

Enable/Disable Devices in a Policy

To enable/disable a Device, you may follow the next steps:

  1. Click on the ... - 3-dot menu icon next to the device that you want to enable/disable under the Actions column. This will pop up a drop-down menu.
  2. Click on the Enable or Disable menu item. This will automatically change the status of the device on the policy. A disabled device is shown with a solid grey circle icon, while a green circle icon is used for an enabled device.

Remove Device Categories from a Policy

To remove a device category from the policy, you may click on the Remove with X icon next to the device category that you want to delete.

IP/Network Address-Based Filtering

A policy may be applied to the IPv4/IPv6 addresses that you enter into the IP / Networks option. You can enter a single IPv4/IPv6 address, or a whole range of addresses by specifying a subnet mask. CIDR notation is also accepted (e.g. 172.10.10.0/24). You can also give each entry a description so that you can later remember why you added it.

To add an IP/Network address, you may follow the next steps:

  1. Click on the + Add IP / Network button on the Policy Configuration page.

  2. Fill in the IP/Network address and Description fields

  3. Click Submit button.

    Adding IP address to apply the policy

    Figure 12. Adding an IP address to the policy

All added IP/Network addresses are listed in IP/Networks pane.

Added IP/Network address List on policy

Figure 13. Added IP/Network Address List on Policy

Update IP/Network Address Description in a Policy

To change the description of the IP/Network address field on the policy, you may follow the next steps:

  1. Click on the ... - 3-dot menu icon next to the IP/Network address that you want to edit under the Actions column. This will pop up a drop-down menu.

    Actions menu for IP/Network address List on policy

    Figure 14. Actions menu for IP/Network Address List on Policy

  2. Click on the Edit menu item.

  3. Change the description of the IP/Network address field.

  4. Click Save.

    Editing IP/Network Address on Policy Configuration

    Figure 15. Editing IP/Network Address on Policy Configuration

Remove IP/Network Address from a Policy

To remove an IP/Network address from the policy, you may follow the next steps:

  1. Click on the ... - 3-dot menu icon next to the IP/Network address that you want to remove under the Actions column. This will pop up a drop-down menu.
  2. Click on the Remove menu item. This will automatically remove the IP/Network Address from the policy configuration.

Enable/Disable IP/Network Address in a Policy

You may enable and disable the IP/Network address. To enable/disable the IP/Network address, you may follow the next steps:

  1. Click on the ... - 3-dot menu icon next to the IP/Network address that you want to enable/disable under the Actions column. This will pop up a drop-down menu.
  2. Click on the Enable or Disable menu item. This will automatically change the status of the IP/Network address on the policy. A disabled IP/Network address is shown with a solid grey circle icon, while a green circle icon is used for an enabled IP/Network address.

MAC Address-Based Filtering

A policy may be applied to the MAC addresses that you enter into the MAC Addresses option. You may also give each entry a description so you know which device the MAC address belongs to. All proper MAC address formats are supported, such as:

  • aa:aa:aa:aa:aa:aa
  • aa-aa-aa-aa-aa-aa
  • aaa.aaa.aaa.aaa
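Because the same MAC address can be written in any of the three forms listed above, a policy that compares MAC addresses has to normalize them first. The following added example (written for this page, not Zenarmor's own code) accepts exactly the three forms shown, canonicalizes them to the lower-case colon-separated form, and rejects anything else with `ValueError`, so a typo in the policy configuration fails loudly instead of silently never matching. The function names and the sample addresses are constructed for the example.

```python
import re

# The three notations listed on the page: colon pairs, dash pairs, dotted triples.
_MAC_FORMATS = (
    re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$"),     # aa:aa:aa:aa:aa:aa
    re.compile(r"^[0-9a-f]{2}(?:-[0-9a-f]{2}){5}$"),     # aa-aa-aa-aa-aa-aa
    re.compile(r"^[0-9a-f]{3}(?:\.[0-9a-f]{3}){3}$"),    # aaa.aaa.aaa.aaa
)


def normalize_mac(raw: str) -> str:
    """Return the canonical lower-case aa:bb:cc:dd:ee:ff form of a MAC address.

    Raises ValueError for anything that is not one of the supported notations
    (wrong length, mixed separators, non-hex characters, ...).
    """
    candidate = raw.strip().lower()
    if not any(pattern.match(candidate) for pattern in _MAC_FORMATS):
        raise ValueError(f"unsupported MAC address format: {raw!r}")
    digits = re.sub(r"[:.\-]", "", candidate)   # 12 hex digits after separators are removed
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_valid_mac(raw: str) -> bool:
    """True if normalize_mac() accepts the value."""
    try:
        normalize_mac(raw)
        return True
    except ValueError:
        return False


def same_mac(a: str, b: str) -> bool:
    """Compare two MAC addresses regardless of the notation they were entered in."""
    return normalize_mac(a) == normalize_mac(b)


if __name__ == "__main__":
    # Constructed sample: the same address in all three notations.
    for sample in ("8C:16:45:6C:77:BB", "8c-16-45-6c-77-bb", "8c1.645.6c7.7bb"):
        print(f"{sample:20s} -> {normalize_mac(sample)}")
```

Comparing policy entries and observed addresses only after `normalize_mac()` avoids the classic mismatch where an entry typed in dashed or dotted form never matches the colon-separated form reported by the network stack.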

To define a MAC address-based policy by adding a MAC address, you may follow the next steps:

  1. Click on the + Add MAC Address button in the MAC Address pane on the policy configuration page.

  2. Fill in the MAC address and Description fields.

  3. Click Submit button.

    Adding a MAC address to the policy

    Figure 16. Adding a MAC address to the policy

All added MAC addresses are listed in MAC Addresses pane.

Added MAC address List on policy

Figure 17. Added MAC Address List on Policy

Update MAC Address Description in a Policy

To change the description of the MAC address field on the policy, you may follow the next steps:

  1. Click on the ... - 3-dot menu icon next to the MAC address that you want to edit under the Actions column. This will pop up a drop-down menu.

    Actions menu for MAC address List on policy

    Figure 18. Actions menu for MAC Address List on Policy

  2. Click on the Edit menu item.

  3. Change the description of the MAC address field.

  4. Click Save.

    Editing MAC Address on Policy Configuration

    Figure 19. Editing MAC Address on Policy Configuration

Remove MAC Address from a Policy

To remove a MAC address from the policy, you may follow the next steps:

  1. Click on the ... - 3-dot menu icon next to the MAC address that you want to remove under the Actions column. This will pop up a drop-down menu.
  2. Click on the Remove menu item. This will automatically remove the MAC address from the policy configuration.

Enable/Disable MAC Address in a Policy

You may enable and disable the MAC address. To enable/disable the MAC address, you may follow the next steps:

  1. Click on the ... - 3-dot menu icon next to the MAC address that you want to enable/disable under the Actions column. This will pop up a drop-down menu.
  2. Click on the Enable or Disable menu item. This will automatically change the status of the MAC address on the policy. A disabled MAC address is shown with a solid grey circle icon, while a green circle icon is used for an enabled MAC address.

Defining User- or Group-Based Policy

The Zenarmor Active Directory and OPNsense Captive Portal integration features provide user-based policy filtering. Zenarmor can integrate with your Microsoft Active Directory (AD) and/or OPNsense Captive Portal for username/group resolution.

You can define a user/group-based policy by just adding a user or group to the policy on the policy configuration page.

To define a user- or group-based policy, you may follow the next steps:

  1. Navigate to the Configuration page of the policy.

  2. Click on the + Add User button in the Users pane or the + Add Group button in the Groups pane.

    Adding Users/Groups on Policy Configuration

    Figure 20. Adding Users/Groups on Policy Configuration

  3. Enter a username or group name. You may add the desired Active Directory or OPNsense Captive Portal users and groups.

  4. Click on the Add button.

    Adding a User to the policy

    Figure 21. Adding a User to the policy

Defining Time Schedules

If you want the policy to be active only during a specific time interval, you can create schedules and assign them to your policy. You can create a new schedule for the policy, or you can manage (add/delete) a schedule that was created previously.

Time Schedules on Policy Configuration

Figure 22. Time Schedules on Policy Configuration

To create a new schedule for a policy you may follow the next steps:

  1. Click the Add new schedule button in the Time Schedules pane. This will open a dialog box for naming the schedule.

    Adding a new time schedule for a policy

    Figure 23. Adding a new time schedule for a policy

  2. Enter a name and click on the Add button. This will add the new schedule to the Time Schedules list.

  3. Select each day on which the schedule should apply. Selected days are displayed with a solid blue checkmark icon.

  4. Specify the starting and stopping hours for which the policy will be effective.

    Time schedule configuration for a policy

    Figure 24. Time schedule configuration for a policy

You can change the existing time schedule by updating the start/stop hours and selecting/deselecting the days any time after you create the initial schedule.
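To make the effect of the days plus start/stop hours concrete, here is an added example (written for this page, not Zenarmor's own code) that evaluates whether a policy is active at a given moment. The page does not say how a window whose stop hour is at or before its start hour is treated; this example assumes such a window runs past midnight into the following day, and it assumes a policy with several schedules is active whenever any one of them is. The class and function names, the schedule names and the timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List

# Index matches datetime.weekday(): Monday == 0.
DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


@dataclass(frozen=True)
class Schedule:
    """One time schedule: the selected days plus starting and stopping hours."""
    name: str
    days: FrozenSet[str]
    start: time
    stop: time


def schedule_active_at(schedule: Schedule, when: datetime) -> bool:
    """True if 'when' falls inside the schedule's window on a selected day."""
    day = DAYS[when.weekday()]
    now = when.time()
    if schedule.start < schedule.stop:
        # Ordinary same-day window, e.g. 09:00-17:00 (stop hour is exclusive).
        return day in schedule.days and schedule.start <= now < schedule.stop
    # Assumption (not stated on the page): a stop hour at or before the start
    # hour means the window runs past midnight and ends on the following day,
    # so the early hours count towards the previously selected day.
    if day in schedule.days and now >= schedule.start:
        return True
    previous_day = DAYS[(when.weekday() - 1) % 7]
    return previous_day in schedule.days and now < schedule.stop


def policy_active_at(enabled: bool, schedules: List[Schedule], when: datetime) -> bool:
    """A disabled policy is never active; an enabled one without schedules always is."""
    if not enabled:
        return False
    if not schedules:
        return True
    return any(schedule_active_at(s, when) for s in schedules)


def example_schedules() -> List[Schedule]:
    # Constructed sample schedules: weekday office hours and a window crossing midnight.
    return [
        Schedule("Office hours", frozenset({"Mon", "Tue", "Wed", "Thu", "Fri"}),
                 time(9, 0), time(17, 0)),
        Schedule("Friday night", frozenset({"Fri"}), time(22, 0), time(2, 0)),
    ]


if __name__ == "__main__":
    # 2024-01-08 is a Monday, 2024-01-13 a Saturday.
    for stamp in (datetime(2024, 1, 8, 10, 0), datetime(2024, 1, 8, 18, 0),
                  datetime(2024, 1, 13, 1, 0), datetime(2024, 1, 13, 3, 0)):
        print(stamp, "->", policy_active_at(True, example_schedules(), stamp))
```

Note that the stop hour is treated as exclusive here, so a 09:00 to 17:00 window is active at 16:59 but not at 17:00; check the behaviour of your own deployment at the boundary before relying on it.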

Removing Time Schedules

To remove an existing time schedule, you may follow the next steps:

  1. Click on the Remove button with a trash icon in a solid red color. This will open a dialog box for confirming the removal of the schedule.

  2. Click on Remove button on the confirmation box. This will erase the time schedule for the policy.

    Removing a time schedule for a policy

    Figure 25. Removing a time schedule for a policy