Enterprise Open Source NGFW Firewall
OPNsense + Zenarmor NGFW deployed on certified Decisio appliances. Suricata IDS/IPS, IPsec/WireGuard VPN, DNS filtering, HAProxy load balancer. Guaranteed data sovereignty — no imposed cloud subscription.
Complete NGFW features
OPNsense + Zenarmor provide in-depth protection against known and zero-day attacks: application inspection, behavioural filtering, IDS/IPS, VPN — open source, without vendor lock-in.
IDS/IPS — Suricata
Deep packet inspection. Suricata + Snort + ET Pro rules. Anomaly detection, exploit kits, malware C&C. Real-time inline blocking. Automatic Spamhaus DROP integration.
DNS & Web filtering
Unbound DNS with DNSBL. Zenarmor DPI: categorical filtering (200k+ categories), transparent HTTPS. Ad, malware, phishing, torrent blocking. No imposed root certificate.
VPN IPsec / WireGuard
Site-to-site IPsec IKEv2 AES-256-GCM. WireGuard for remote access (2.5 Gbps). Legacy OpenVPN. Multi-WAN with automatic failover. BGP/OSPF for complex architectures.
HAProxy Load Balancer
SSL termination, reverse proxy, HTTP/TCP load balancing. Automatic health checks. Advanced ACLs. Replaces an F5 BIG-IP at a fraction of the cost — managed from the OPNsense interface.
Monitoring & centralised logs
Netflow/IPFIX to SIEM. RFC5424 Syslog. Full REST API. Zabbix/Grafana integration. Real-time alerts on rule violations. Zenarmor per-user/app traffic reports.
CARP high availability
Active/passive HA pair with <1 second failover. pfsync state synchronisation. Zero downtime during updates. Centralised configuration with automatic rollback.
Why choose an enterprise open source firewall?
OPNsense + Decisio delivers enterprise-grade features without the constraints of proprietary solutions.
Cost-effective open source model
No mandatory signature subscription — security updates are included in the open source project. TCO scales with your infrastructure size.
Auditable source code
OPNsense is open source (BSD license). The code is audited by thousands of developers. No possible backdoor — unlike proprietary firewalls whose code is closed.
Data sovereignty
No telemetry to a foreign vendor. No mandatory cloud licence. Your rules and logs remain in your infrastructure — a key asset for your regulatory compliance requirements.
Frequently Asked Questions
What is the difference between a traditional firewall and an NGFW?
A traditional firewall filters traffic by IP and port (stateful). An NGFW (Next-Generation Firewall) performs deep packet inspection (DPI), identifies applications even on non-standard ports, can filter URLs and DNS by category, and block threats via updated signatures. OPNsense includes Suricata as its IDS/IPS engine — this feature is not present in all NGFW products on the market.
Is OPNsense suited to structured enterprises?
Yes. OPNsense is used by banks, hospitals and public bodies. It supports up to 17.4 Gbps firewall throughput and 15 million concurrent sessions on DEC850 appliances. The full REST API enables SIEM/SOAR integration, and weekly updates guarantee rapid CVE patching.
What is Zenarmor and why combine it with OPNsense?
Zenarmor (formerly Sensei) is an NGFW plugin for OPNsense that adds DPI application inspection with 200k+ categories, transparent HTTPS filtering without an imposed root certificate, and advanced per-user and per-application reports. It provides protection against known threats, zero-day attacks and abnormal network behaviour.
Which Decisio appliance should I choose for my organisation?
Decisio offers several models: DEC700 (desktop, <500 Mbps, SME 10–50 users), DEC750 (1U rack, 1 Gbps, 50–200 users), DEC850 (2U rack, 17.4 Gbps, datacenters). Convergent sizes the appliance based on your WAN bandwidth, number of users and required NGFW features.
Secure your network perimeter
85% of attacks exploit a poorly configured network perimeter. Convergent deploys your OPNsense NGFW firewall in less than 5 business days, with team training included.