FAQ - Compatibility
COMPATIBILITY
This page contains answers to the most common queries we get about Zenarmor compatibility.
Which platforms are supported?
Our goal is to be able to run Zenarmor® on any networking environment; be it a container, cloud, virtual or bare-metal deployment (firewalls, switches, UTMs) which processes Layer 3-4 traffic.
As of March 2021, OPNsense®/pfSense® firewalls, Centos, Debian, Ubuntu and FreeBSD are among the supported list of platforms.
Product is any-cloud. You can install the product on any Cloud environment.
What is the correct hardware configuration?
Please refer to Getting Ready section here.
Can I run Zenarmor on a virtualized environment like Proxmox, VirtualBox, KVM?
Yes
Are there any compatibility issues with OPNsense®?
If you're using OPNsense 20.1.x and later, you should be good to go.
When are you going to have pfSense® support?
As of Sensei Release 1.9, pfSense® is also supported. pfSense® is based on FreeBSD Operating System. In that regard, you can install the Zenarmor FreeBSD 12 package for pfSense® software 2.5.x release series. Get Zenarmor for FreeBSD
Does Zenarmor support IPv6?
Yes
Can I run Zenarmor on a HA cluster deployment?
Yes
Is Zenarmor compatible with LAGG?
Yes. Zenarmor uses netmap which is an Operating System subsystem to grab packets off the wire. Especially, Intel cards play well with netmap and many customers are protecting LAGG interfaces by Zenarmor.
However, Netmap is not fully compatible with LAGG interfaces and it has some issues with the LAGG VLAN child interface. Zenarmor LAGG interface limitation is up to netmap. So if netmap is supported, Zenarmor works as well. Normally, it should be ok to protect VLAN interfaces separately but LAGG incompatibility can cause the problem. The netmap team works on it but we don't have a deadline yet.
The reported problems seem to be occurring when many LAGG-based VLAN interfaces are protected alongside the parent trunk interface.
Please be informed that, if you protect a LAGG parent interface, Zenarmor protects all VLAN interfaces under it; so you don't need to protect the individual child interfaces.
Please check for the supported interface in the following link:
https://www.freebsd.org/cgi/man.cgi?query=netmap&sektion=4#SUPPORTED_DEVICES
Some improvements have been made on netmap driver and as of OPNsense 24.7.4 there is no reported issue about LAGG compatibility.
Is Zenarmor compatible with 32 bit systems?
No. Zenarmor is only available for 64 bit Intel architecture.
Is Zenarmor compatible with Jumbo frames?
No. Maximum MTU value of a Zenarmor protected interface can be 1500 bytes due to the incompability issue between netmap and jumbo frames. You may set MTU option by navigating to Interfaces settings on your OPNsense/pfSense firewall web UI.
Can I also run Suricata along with Zenarmor?
Yes.
However, if you're running Suricata on IPS mode, make sure you run them on different interfaces since they both use the same packet I/O subsystem (netmap), which can only be used by single process at the same time.
Generally people use Suricata on WAN and Zenarmor on LAN-facing interfaces.