- Which firewalls / network equipments are supported
- What is the correct hardware configuration
- Does Sensei support IPv6?
- Can I run Sensei on an HA cluster environment?
- Can I run Sensei on a virtualized environment like Proxmox, VirtualBox or KVM?
- Are there any compatibility issues with OPNsense?
- Is Sensei compatible with 32 bit OPNsense ? (OPNsense/i386)
- I can't see os-sunnyvalley listed under Firmware -> Plugins
- Can I run Suricata along with Sensei?
- Can I run Pi-hole along with Sensei?
- Sensei did not detect my WAN interface during Interface Configuration
- Sensei did not detect my Wireguard or OpenVPN interface during Interface Configuration
- Sensei did not detect any usable ethernet interface during Interface Configuration
- How do I reset to factory defaults?
- How much does Sensei cost?
- How do I subscribe to the Premium Subscriptions?
- How many devices do I have? I need to make sure I go for the correct subscription.
- I am an educational institution. Do you offer special discounts for us?
- I am an MSP/MSSP. Do you have a partner program?
Is Sensei open source?
Sensei consists of two modules:
- PHP Code & Python Scripts which provide the Web User Interface Functionality. This part is open source.
- The Packet Engine coded in C++. This part is closed source.
Which firewalls / network equipments are supported?
Our goal is to be able to run Sensei on any networking environment; be it a container, cloud, virtual or bare-metal deployment (firewalls, switches, UTMs) which processes Layer 3-4 traffic.
Currently the full integration has been completed for OPNsense open source firewall. This documentation is based on OPNsense 20.1 and later branches.
What is the correct hardware configuration?
Please refer to Getting Ready section here.
Can I run Sensei on a virtualized environment like Proxmox, VirtualBox, KVM?
Are there any compatibility issues with OPNsense?
If you're using OPNsense 20.1.x and later, you should be good to go.
Does Sensei support IPv6?
Can I run Sensei on a HA cluster deployment?
Is Sensei compatible with 32 bit OPNsense (OPNsense/i386)?
No. Sensei is only available for 64 bit Intel architecture (OPNsense/amd64)
I can't see os-sunnyvalley listed under Firmware - Plugins
This is because you are not on a supported platform. See this question.
Can I also run DNS based filtering systems (Pi-hole, unbound) along with my Sensei?
Yes. You can also run Pi-hole and other DNS based filtering systems along with Sensei as an additional layer of defense.
The only thing you need to be aware of is that if you run these tools on a separate host other than the firewall itself (on which the Sensei is running), you'll need to disable DNS caching.
Reason is cached dns traffic will NOT be traversing through the firewall; causing Sensei to miss DNS mappings.
For those scenarios, (like Pi-hole) we advise disabling caching on them and use firewall's dns cache as the forwarder.
Can I also run Suricata along with Sensei
However, if you're running Suricata on IPS mode, make sure you run them on different interfaces since they both use the same packet I/O subsystem (netmap), which can only be used by single process at the same time.
Generally people use Suricata on WAN and Sensei on LAN-facing interfaces.
Reports: some charts are broken
This is because of broken Elasticsearch/Mongodb indices. Two reasons that we're aware of:
Reason 1: There has been an unexpected power loss on the firewall .e.g. an electricity outage, abnormal shutdown of the firewall etc. these databases do a lot of buffering, writing the buffers to the indices from some time to time. If a partial write is in place than chances are high that your indices might get corrupt.
Solution 1: Go to Sensei -> Configuration -> Reporting & Data. Click "Perform health check for indices". It'll take care of the rest for you.
Reason 2: You have enabled "Use memory file system for /var" from System -> Settings -> Miscellaneous in OPNsense configuration:
Solution 2: Make sure you have this setting disabled. After that, go to Sensei -> Configuration -> Reporting & Data. Click "Perform health check for indices". You're done.
I do not see dns hostnames for some IP addresses
If the engine cannot do real-time dns enrichment, this is generally because you're running a DNS server somewhere outside your firewall (like Pi-hole or Active Directory) so that Sensei is missing some/all of your DNS transactions.
If this is the case, we advise your disable "caching" on the external DNS server and set your Firewall's DNS server as a forwarder to the external DNS server. In this way, Sensei will have a chance to witness your DNS transactions.
Please also see the answer to this question: Can I run DNS based filtering systems along with Sensei?
For a little bit of background: Sensei does DNS enrichment in two ways:
Engine doing the mapping realtime:
Engine keeps track of all dns transactions that it can see flowing over itself. When it detects an IP address resolution (either an A/AAAA/CNAME or PTR), packet engine caches the IP addresses and the corresponding fully qualified domain name.
All charts/tabular reports and live session reports display this cached hostname when you view the reports.
Note (July 2020): Beginning with Sensei 1.6, engine will do an active real-time reverse PTR query in case it cannot detect an immediate dns enrichment data from previous attempts (will be available in all subscription tiers)
UI doing mapping during reports viewing:
This applies to live session reports only: When you view a live session report, while you're browsing over records, UI runs a background job to see if a particular record has its hostname resolved. If it detects an unresolved IP address, it runs a background query to resolve the IP address via the name server you've configured on Sensei -> Configuration -> Reporting and Data.
So, if you do not see a hostname corresponding to the IP address, this means that Sensei was not able to see a DNS request/response which can map this IP address to a hostname. But while you're browsing over the hostname section in Live Session Explorerer screens, Sensei will try it once more by querying the IP address from your configured DNS server.
No Ethernet Interface is being shown in the Interface Configuration
If you cannot see any Ethernet Interfaces being reported in the Configuration -> Interface Selection menu, chances are high that you're using an ethernet adapter for which netmap, the raw packet I/O interface in FreeBSD, does not have a proper driver support. We're sponsoring the driver support on the netmap project, so there are lots of improvements on this.
Make sure that you're using the latest firewall version and the latest Sensei version.
Sensei did not detect my WAN interface during interface configuration
Sensei is meant to be deployed on inner-facing interfaces. Reason is that you'll lose internal IP information if you operate on the WAN interface - due to NAT being applied.
I cannot find my Wireguard or OpenVPN interface in the Interface Configuration
Sensei can run on any ethernet interface which is netmap compatible. However Wireguard and OpenVPN utilize tunnel (tun) interfaces, which we do not have support for the time being.
We're currently sponsoring a development on netmap(4) project and we hope to make this feature available with OPNsense 20.7.x (In Q3 2020)
Landing Page is not always displayed and browser reports ERR_CONNECTION_CLOSED
This happens if the blocked connection is not speaking HTTP. Sensei displays Landing Page only if it is an HTTP connection.
For HTTPS connections, since TLS comes early and client and server does not yet speak HTTP, we cannot display the landing page (behavior to change with TLS inspection feature)
For Application control, we do not display since it might be a connection which does not speak HTTP.
Note: Future Sensei versions (expected in 1.6 or 1.7) will be able to overcome this protocol limitation and display a landing page even if the connection is HTTP/TLS.
How do I reset to factory defaults?
- Navigate to
Sensei > Configuration
- Click on Uninstall tab
- Click on "
Reset to factory defaults" button.
When you click on any Sensei submenu, you'll be redirected to the initial Configuration Wizard to start over.
How do I uninstall the plugin?
- Navigate to
Sensei > Configuration
- Click on "
- Click on "
Uninstall Sensei packet engine" button.
- Confirm that you want to proceed.
How do I send a bug report?
Please refer to Reporting a Bug section here.
How do I get support?
Please refer to Getting support section here
How much does Sensei cost?
Free Edition is forever free for OPNsense users.
Premium subscription with much more advanced features is available for purchase. See: How do I purchase a Subscription?
You can find the details about the Premium Subscription and how it compares to the Free Edition
in Plans & Pricing.
How do I get a Premium Subscription?
- You can easily do so within the Sensei User Interface. You'll need a valid credit card. It only takes 30 seconds to purchase and activate your subscription:
- You can contact sales - at - sunnyvalley.io and we'll get you a license right away.
You can buy it from the OPNsense Store.
- You can contact one of our authorized partners and purchase your Sensei subscription.
Additional Partner discounts are available. Apply now to become a Sensei Partner.
How do I know how many devices I have?
Sensei 1.5.2 and later: Click on "Upgrade to Premium" on the Sensei UI and it'll tell you the number of devices you have.
Sensei 1.5.1 and before: Run Sensei Free Edition for a day, during which time, Sensei will detect all devices passing through your firewall. In the following day, look at the "Unique Device Count" value in Reports -> Connections -> Conn - Facts chart. It'll tell you how many devices you have and you can decide on the correct subscription size.
Do you offer special discounts for Educational / Non-Profit organizations?
Sure!. We do have an Edu/Non-Profit program where we offer special discounts. You can easily apply here.
Do you offer special discounts for MSPs?
Yes. Additional Partner discounts are available. Apply now to become a Sensei Partner.