Installation on OPNsense

Requirements

OPNsense is an open-source, easy-to-use and feature-rich firewall and routing platform that is based on FreeBSD. It is designed to provide a robust and secure network infrastructure by offering a range of networking and security features. OPNsense is often used as a firewall, router, and VPN (Virtual Private Network) gateway, making it suitable for both home and business environments.

At the time of writing, Netify is installed from the command line; there is no integration with OPNsense's web-based administration tool. Installing Netify on OPNsense provides administrators with a 'single pane of glass' when used with Netify Informatics.

Because OPNsense is a dedicated gateway distribution, two or more network interfaces are required:

  • LAN Interface: client devices connecting to the internal network. This is the ideal interface for Netify to listen on, as it provides flow analysis at client device resolution (e.g. Apple iPhone 14 did X).
  • WAN Interface: used to connect upstream to the ISP. Admins may choose to monitor this interface; however, it is not always that interesting, as most of the data duplicates the "North/South" bound traffic from the LAN.

You will also need to know which version of OPNsense you are running in order to access the correct binaries. If you're not sure, use the opnsense-version command:

opnsense-version
OPNsense 23.7.12 (amd64/LibreSSL)

In version 5, the Netify Agent and plugin architecture was extended. It would be very unusual to only install the agent without one or more plugins. However, we keep these steps separate for clarity.

Adding the Netify Repository vs Command Line

Adding the Netify repository to your OPNsense server has three main advantages:

  • Automatically resolves and installs dependencies
  • Increases security through the use of signed packages
  • Allows for auto or simplified updates in the future

If you are a Netify Integrator/OEM or you have licensed proprietary plugins, do not add the public repositories below. Packages for your purposes are provided under a verified binary SLA to ensure compatibility.

OPNsense 24.7 - Thriving Tiger

Adding Netify Repository

mkdir -p /usr/local/etc/pkg/fingerprints/Netify/trusted
curl https://download.netify.ai/5/opnsense/fingerprint -o /usr/local/etc/pkg/fingerprints/Netify/trusted/fingerprint
cat << EOF >  /usr/local/etc/pkg/repos/Netify.conf
Netify: {
  fingerprints: "/usr/local/etc/pkg/fingerprints/Netify",
  url: "https://download.netify.ai/5/opnsense/24.7",
  signature_type: "fingerprints",
  mirror_type: "http",
  priority: 11,
  enabled: yes
}
EOF

pkg update

After executing this command, you should see:

Updating Netify repository catalogue...
Netify repository is up to date.
...
All repositories are up to date.

You can now install the agent with this command:

pkg install netifyd
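
The fingerprint file fetched by the curl step is what pkg trusts when it checks the repository's signatures, and curl without -f will save an HTTP error page under that name just as readily. The following is an added example, not part of the Netify documentation: it checks that a downloaded file has the two-key pkg fingerprint format and matches a value obtained out of band before copying it into the trusted directory. The function names and FP_EXPECTED are hypothetical, and the same check applies to the repository steps for the other OPNsense versions.

```sh
#!/bin/sh
# Added example (not from the Netify documentation): vet a pkg fingerprint
# file before it becomes a trust anchor. Function names are hypothetical.

# Print the SHA-256 fingerprint held in FILE, lower-cased. Fail unless FILE is
# exactly the two-key format pkg expects, so an HTML error page is rejected.
fingerprint_value() {
    file=$1
    [ -f "$file" ] || return 1
    # Exactly one 'function: sha256' line (quotes optional).
    n=$(grep -Ec '^function:[[:space:]]*"?sha256"?[[:space:]]*$' "$file") || true
    [ "$n" -eq 1 ] || return 1
    # Exactly one 'fingerprint: "<64 hex digits>"' line.
    fp=$(sed -n -E 's/^fingerprint:[[:space:]]*"?([0-9A-Fa-f]{64})"?[[:space:]]*$/\1/p' "$file")
    [ "$(printf '%s\n' "$fp" | grep -c .)" -eq 1 ] || return 1
    # Nothing else in the file apart from blank lines and '#' comments.
    n=$(grep -Evc '^[[:space:]]*(#.*)?$' "$file") || true
    [ "$n" -eq 2 ] || return 1
    printf '%s\n' "$fp" | tr 'A-F' 'a-f'
}

# Copy FILE to DEST_DIR/fingerprint only when its fingerprint equals EXPECTED.
# Returns 1 for a malformed file, 2 for a mismatch.
# Usage: install_pinned FILE EXPECTED_HEX DEST_DIR
install_pinned() {
    got=$(fingerprint_value "$1") || { echo "malformed fingerprint file: $1" >&2; return 1; }
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$got" != "$want" ]; then
        echo "fingerprint mismatch: file has $got" >&2
        return 2
    fi
    mkdir -p "$3" && cp "$1" "$3/fingerprint" && chmod 0444 "$3/fingerprint"
}

# On the firewall, with FP_EXPECTED set to a value you obtained out of band
# (placeholder, not a real value):
#   curl -fsS https://download.netify.ai/5/opnsense/fingerprint -o /tmp/netify.fp
#   install_pinned /tmp/netify.fp "$FP_EXPECTED" \
#       /usr/local/etc/pkg/fingerprints/Netify/trusted
```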

Command Line Installation

pkg add https://download.netify.ai/5/opnsense/24.7/amd64/netifyd-5.0.44-1.pkg

The above command is an example only and is version-specific. Use a browser to navigate to the repository to find and copy the package you wish to install.

OPNsense 24.1 - Savvy Shark

Adding Netify Repository

mkdir -p /usr/local/etc/pkg/fingerprints/Netify/trusted
curl https://download.netify.ai/5/opnsense/fingerprint -o /usr/local/etc/pkg/fingerprints/Netify/trusted/fingerprint
cat << EOF >  /usr/local/etc/pkg/repos/Netify.conf
Netify: {
  fingerprints: "/usr/local/etc/pkg/fingerprints/Netify",
  url: "https://download.netify.ai/5/opnsense/24.1",
  signature_type: "fingerprints",
  mirror_type: "http",
  priority: 11,
  enabled: yes
}
EOF

pkg update

After executing this command, you should see:

Updating Netify repository catalogue...
Netify repository is up to date.
...
All repositories are up to date.

You can now install the agent with this command:

pkg install netifyd

Command Line Installation

pkg add https://download.netify.ai/5/opnsense/24.1/amd64/netifyd-5.0.44-1.pkg

The above command is an example only and is version-specific. Use a browser to navigate to the repository to find and copy the package you wish to install.

OPNsense 23.7 - Restless Roadrunner

Support for OPNsense 23.7 has been deprecated. Packages for 23.8 use a FreeBSD 13.2 buildroot and are not 100% binary compatible. Please consider upgrading to 24.1 if a Netify integration is required.

Adding Netify Repository

mkdir -p /usr/local/etc/pkg/fingerprints/Netify/trusted
curl https://download.netify.ai/5/freebsd/fingerprint -o /usr/local/etc/pkg/fingerprints/Netify/trusted/fingerprint
cat << EOF >  /usr/local/etc/pkg/repos/Netify.conf
Netify: {
  fingerprints: "/usr/local/etc/pkg/fingerprints/Netify",
  url: "https://download.netify.ai/5/freebsd/13.2",
  signature_type: "fingerprints",
  mirror_type: "http",
  priority: 11,
  enabled: yes
}
EOF

pkg update

After executing this command, you should see:

Updating Netify repository catalogue...
Netify repository is up to date.
...
All repositories are up to date.

You can now install the agent with this command:

pkg install netifyd

Command Line Installation

pkg add https://download.netify.ai/5/opnsense/13.2/amd64/netifyd-5.0.44.pkg

The above command is an example only and is version-specific. Use a browser to navigate to the repository to find and copy the package you wish to install.

Post Installation

After installing the agent, verify the installation and some path information using the -s (status) argument.

netifyd -s
Netify Agent/5.0.44-1-HEAD-nnnn-aaaaaaaa (debian; linux-gnu; x86_64; conntrack; netlink; dns-cache; tpv3; tcmalloc; regex)
✗ agent is not running: PID 0
• persistent state path: /etc/netifyd
• volatile state path: /var/run/netifyd
! agent run-time status could not be determined.

The Netify agent is not configured to start post install. It will not be running by default, and you should expect to see the 'not running' and 'run-time status could not be determined' messages.

Netify Informatics

Netify Informatics is an optional, cloud-based, SaaS service. It uses analytics and Machine Learning to transform telemetry originating from the Netify DPI Agent into high-level network intelligence and visibility. The solution provides insights into what's happening on the network in areas that include:

  • Device Identification and Management
  • Cybersecurity Risk
  • Forensics
  • Regulatory Compliance

In addition to the Netify agent, two plugins are required: netify-proc-core and netify-sink-http.

If you installed the agent by configuring a Netify software repository, simply run:

pkg update
pkg install netify-proc-core netify-sink-http

If you installed the agent manually, you will also need to install the plugin packages manually.

Once the plugins have been installed, run the following two commands:

netifyd --enable-informatics
netifyd -p

The first command enables and auto-configures the two plugins that were installed and restarts the Netify agent. The second command displays your Netify Agent UUID (in the form xx-xx-xx-xx), which you will need when you provision the agent to your Netify Informatics account.

Failure to run the netifyd command with the --enable-informatics option will result in a Provision code not found error during the provisioning wizard.
