Installing Next-Generation Firewall Plugin for OPNsense

OPNsense is a great open-source firewall. With a regular update policy, solid reliability and a broad feature set (VPN, Intrusion Prevention System, Open Source Threat Intelligence, etc.), it’s a very viable alternative to the commercial firewalls out there.

Complementing this legacy, Sunny Valley Networks has created Sensei to add Next-Generation Firewall features to the firewall.

In this post, we’re going to show how you can easily install the Sensei Next Generation FW plugin on the OPNsense Firewall.

Installing OPNsense

If you have not installed OPNsense yet, please click this link to install OPNsense:

HW Sizing for Sensei

Because Sensei’s analytics module does big data processing, the amount of memory available in the system is crucial to the performance of the solution.

See the Sensei HW Requirements in the Sensei Documentation to check whether your system meets the requirements.

Installing Sensei Plug-in for OPNsense

It’s as easy as installing two OPNsense plug-ins: os-sunnyvalley and os-sensei:

  1. In the OPNsense Web UI, in the left pane, open System > Firmware > Plugins. On the Plugins page, you can view installed and available (not installed) plugins.

  2. Locate the “os-sunnyvalley” plug-in. This is the package repository plugin, which serves the actual Sensei packages. Click the plus “+” button to install the os-sunnyvalley repo plugin.

  3. After you click the plus “+” button, you will be redirected to the Update menu tab.

  4. After installing os-sunnyvalley, the Plugins page should now display os-sensei, the actual package. Locate os-sensei. If you cannot see the Sensei plugin yet, please refresh your web UI with the F5 key. Once it’s there, go ahead and install “os-sensei”.

  5. After the installation, you should see that a “Sensei” menu has been added to the left menu bar. If you cannot see it, you may need to refresh your browser.

Congratulations. You’ve successfully installed Sensei. Initial configuration is as easy as the installation. You don’t really need a tutorial, since the wizard guides you through the process. However, it’s here for the detail-oriented:

Initial Configuration Wizard

When you’re done, log in to your OPNsense Web UI and click Sensei in the left menu. You’ll be presented with the initial Configuration Wizard. The initial screen is the End User Agreement. Read it, scroll down to the bottom of the page and click Accept.

  1. After you accept the EULA, you will be presented with a summary assessment of your computer’s system resources. If you see a “low-end hardware” warning, please don’t worry about it as long as your system resources are above the minimum system requirements. Then click the “Install Database & Proceed” button.

  2. Interface Selection. In this menu, select the Ethernet interfaces to protect. Click on an interface and use the right/left arrow buttons to move it to the protected/unprotected interfaces combo box.

Bridge Mode is in an experimental stage and we do not recommend any production use at the moment. Please use “Routed Mode” for your convenience.

  3. Set the TCP Service Password. This password protects command-line (CLI) access to the packet engine. It is advisable to change this. After that, you’ll be asked how you’d like to receive updates to the software. Change these settings to your liking and you’re done.

You can start enjoying your new Next Generation Firewall plugin Sensei.

We’ll have more blog posts on the advanced features of the add-on software.

Keep in touch for more...