Firewalla's Scan feature helps you assess the security of your network by identifying potential weaknesses.
Please note that due to how Internet protocols work, these scans are not perfect. They are a good way to catch important vulnerabilities, but it's extremely difficult and impractical to find every potential weakness on a network.
Firewalla will never send any of your scan results to our servers. Your privacy is always our priority.
External Open Port Scan
If you are using Firewalla app version 1.56 or lower, the External Open Ports scan can be found in the Open Ports button on your box's main page.
Firewalla's External Open Port Scan inspects your network's ports to see if they can be reached from the Internet. Open ports provide access to the devices on your LAN, potentially opening them up to malicious actors.
You can begin an open port scan by tapping Scan Open Ports. The scan will take somewhere less than a minute to finish, and you can continue using the app as usual while the scan runs. When it's finished, you'll see a list of your open ports.
Ideally, this list should be empty. Open ports are like holes in your network, so unless you know what you're doing, you should keep your ports closed. If the scan detects any open ports, make sure you know who opened the port and why:
- Your router – check the policies on your other network hardware, such as the Port Mapping rules on your upstream router.
- Devices inside your network – some devices will open ports via UPnP or NAT-PMP as part of their function, such as a network storage device or a gaming device. If you tap into this type of open port, you can see some details.
- You configured these ports to be open – you can manually open ports to be able to access your network from outside. A more secure alternative is to use Firewalla's built-in VPN instead.
If the port was opened by a device inside of your network via UPnP, you can block it by setting up a rule to block Internet access to the port. Tap on Rules from your box's main page, tap Add Rule, set the target to your Local Port, select Traffic from Internet, apply the rule to whatever device(s) you want, then Save.
Note that external port scans may be limited by your ISP, so we can't guarantee that we will scan every port. This scan is done by another Firewalla server in the cloud and may be either a deep scan or a shallow scan, depending on your ISP and the state of the server. A shallow scan will only investigate well-known ports such as SSH, HTTPS, and HTTP. Regardless, external port scanning is still a valuable way to check for potential vulnerabilities on your network.
You can learn more about open ports in our article on how to deal with open ports. For your reference, here is a table of common ports and their purposes:
System Vulnerability Scan
The System Vulnerability Scan investigates the security of your LAN for commonly used ports and vulnerabilities. It will detect issues like:
- Services that do not have password protection
- Services that may have a default password
- Services that may be using a common/simple password
Firewalla will check each port's protections against our extensive intelligence database of common username and password pairs.
You can start a system vulnerability scan by tapping Scan System Vulnerabilities. Depending on the complexity of your network, this scan may take up to several hours to finish. However, you can continue using the app while the scan runs in the background. Once the scan is done, you'll receive a notification on your phone. Firewalla will display a list of any weak usernames and passwords on your devices' ports.
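The three finding types listed above map onto a simple credential hygiene check. The following is an added example and not Firewalla's code: it classifies a service login as unprotected, factory default, or common/simple, which is the same distinction the scan result list draws. The default-credential set, the common-password set and the 8-character minimum are constructed assumptions for illustration, not Firewalla's intelligence database.

```python
# Added example, not Firewalla's code: a credential hygiene check that classifies a
# service login into the three finding types the System Vulnerability Scan reports
# (no password, default password, common/simple password). The default-credential
# and common-password sets are constructed for illustration and are assumptions,
# not Firewalla's intelligence database.
from dataclasses import dataclass

# Constructed sample of factory-default username/password pairs (illustrative only).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("user", "user"),
}

# Constructed sample of passwords found on common password lists (illustrative only).
COMMON_PASSWORDS = {"123456", "12345678", "password", "qwerty", "letmein"}

MIN_LENGTH = 8  # assumption: anything shorter is treated as a simple password


@dataclass(frozen=True)
class Finding:
    service: str
    username: str
    category: str  # "no-password", "default-credential", "common-password" or "ok"
    reason: str


def classify_credential(service: str, username: str, password: str) -> Finding:
    """Return the finding type for one service credential, or "ok" if it passes."""
    user = username.lower()
    lowered = password.lower()

    # 1. Services that do not have password protection
    if password == "":
        return Finding(service, username, "no-password", "service accepts an empty password")

    # 2. Services that may have a default password
    if (user, lowered) in DEFAULT_CREDENTIALS:
        return Finding(service, username, "default-credential", "matches a factory default pair")

    # 3. Services that may be using a common/simple password
    if lowered in COMMON_PASSWORDS:
        return Finding(service, username, "common-password", "appears in a common password list")
    if lowered == user:
        return Finding(service, username, "common-password", "password equals the username")
    if len(password) < MIN_LENGTH:
        return Finding(service, username, "common-password",
                       f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        return Finding(service, username, "common-password", "digits only")

    return Finding(service, username, "ok", "no weakness detected by these checks")


def audit_device(credentials: dict) -> list:
    """Run the check over {service: (username, password)} and keep only weak entries."""
    findings = [classify_credential(svc, user, pw) for svc, (user, pw) in credentials.items()]
    return [f for f in findings if f.category != "ok"]


if __name__ == "__main__":
    # Constructed sample device: three services, two of them weak.
    sample = {
        "telnet/23": ("admin", ""),
        "http/80": ("admin", "admin"),
        "ssh/22": ("backup", "Tr0ub4dor&3x!"),
    }
    for f in audit_device(sample):
        print(f"{f.service}: {f.username} -> {f.category} ({f.reason})")
```

The checks run in the same order the article lists the finding types, so a login that is both a factory default and on a common list is reported as a default credential, which is the more actionable label for the device owner.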
Why are System Vulnerabilities important?
Using default or weak device credentials can expose them to cyber threats, such as unauthorized access, data theft, and ransomware attacks. This can lead to data breaches, unauthorized control, and misuse of associated resources.
- https://owasp.org/www-project-top-10-insider-threats/docs/2023/INT07_2023-Insecure_Passwords_and_Default_Credentials
- https://www.cisa.gov/news-events/alerts/2013/06/24/risks-default-passwords-internet
However, the risk of each vulnerability really depends on what an attacker can do once they're in your system. For example, if the service exposed is FTP and the attacker can't modify other things on the device or the network, your network will most likely not be affected. But even if a vulnerability is relatively low-risk, it's always good to lock down services – hackers can be very creative.
What can I do with my System Vulnerability Scan results?
If you see any weak usernames and passwords, we recommend that you first log into your device and verify if the scan result is correct. Once you've confirmed that the results are accurate, either:
- Disable the service, or
- Change the password on the service to something more secure.
If you're not sure how to log into the device or configure services, contact your device's manufacturer.
System Vulnerability Scan False Positives
If you see a suspicious number of passwords matching a single port on one device, then they are likely false positives. We suggest you try logging into that port with one or two of the scan results to confirm. The following devices may return false positives:
- Netgear NightHawk and some Orbi routers
Note that this scan may register as suspicious activity or password guessing on devices with anti-virus enabled. Additionally, during the scan, some devices may restrict login due to too many login attempts.
With App release 1.62.1 (currently in Early Access), we've made several upgrades to the System Vulnerability Scan feature to make it easier to keep your commonly used ports protected:
1. Automatic scan
Automatic Scan allows you to schedule an automatic weekly vulnerability scan to ensure your network is constantly monitored for weak credentials.
Please note, the automatic scan is only supported on Gold models, including Firewalla Gold, Gold Plus, Gold SE, and Gold Pro.
2. Specify what devices the scan is applied to
If you have devices that may flag the scan as suspicious activity or password guessing, you can now specify or exclude certain devices from the System Vulnerability Scan. Tap Scan Scope. Then, tap Specified Devices to choose what devices the scan should apply to, or tap Add Device under Exclude Device to exclude specific devices from the scan.
3. MAC address displayed on each result
To help identify vulnerable devices, we now display the MAC address next to each scan result. Tap on a result to see the MAC address.
4. False positive detection
If more than 5 vulnerabilities are detected for the same port on a device, they’ll be grouped into a Possible False Positives dropdown to help identify potential false positives.
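The grouping rule above (more than 5 hits on the same port of one device) and the MAC address display can be shown in a few lines. The following is an added example and not Firewalla's code: it buckets scan findings by device, MAC address and port, moves any bucket over the threshold into a "Possible False Positives" group, and formats each result with its MAC address. All findings below are constructed sample data; the threshold value is the one stated in the article.

```python
# Added example, not Firewalla's code: how a result list can be grouped so that more
# than 5 hits on the same port of one device land in a "Possible False Positives"
# group, with the MAC address shown next to every result. The findings below are
# constructed sample data, and the threshold mirrors the one stated in the article.
from collections import defaultdict

FALSE_POSITIVE_THRESHOLD = 5  # more than this many hits on one device/port is suspicious

# Constructed sample findings: (device name, MAC address, port, username, password).
SAMPLE_FINDINGS = [
    ("NAS", "aa:bb:cc:00:00:01", 21, "admin", "admin"),
    # A router that "accepts" six different logins on port 80: almost certainly a
    # login page that returns the same response for any credential.
    ("Router", "aa:bb:cc:00:00:02", 80, "admin", "admin"),
    ("Router", "aa:bb:cc:00:00:02", 80, "admin", "password"),
    ("Router", "aa:bb:cc:00:00:02", 80, "admin", "1234"),
    ("Router", "aa:bb:cc:00:00:02", 80, "root", "root"),
    ("Router", "aa:bb:cc:00:00:02", 80, "user", "user"),
    ("Router", "aa:bb:cc:00:00:02", 80, "guest", "guest"),
    # Exactly five hits on one port stays a normal finding (threshold is "more than 5").
    ("Camera", "aa:bb:cc:00:00:03", 23, "admin", ""),
    ("Camera", "aa:bb:cc:00:00:03", 23, "admin", "admin"),
    ("Camera", "aa:bb:cc:00:00:03", 23, "admin", "1234"),
    ("Camera", "aa:bb:cc:00:00:03", 23, "root", ""),
    ("Camera", "aa:bb:cc:00:00:03", 23, "root", "root"),
]


def group_findings(findings, threshold=FALSE_POSITIVE_THRESHOLD):
    """Bucket findings by (device, MAC, port); split out over-threshold groups."""
    by_device_port = defaultdict(list)
    for device, mac, port, username, password in findings:
        by_device_port[(device, mac, port)].append((username, password))

    confirmed, possible_false_positives = [], []
    for (device, mac, port), creds in by_device_port.items():
        entry = {"device": device, "mac": mac, "port": port, "credentials": creds}
        if len(creds) > threshold:
            possible_false_positives.append(entry)
        else:
            confirmed.append(entry)
    return {"findings": confirmed, "possible_false_positives": possible_false_positives}


def format_entry(entry):
    """One display line per device/port, MAC address included as in app 1.62.1."""
    return (f"{entry['device']} ({entry['mac']}) port {entry['port']}: "
            f"{len(entry['credentials'])} credential(s) accepted")


if __name__ == "__main__":
    result = group_findings(SAMPLE_FINDINGS)
    print("Findings:")
    for entry in result["findings"]:
        print("  " + format_entry(entry))
    print("Possible False Positives:")
    for entry in result["possible_false_positives"]:
        print("  " + format_entry(entry) + "; verify by logging in with one or two of them")
```

The Camera entry is there to show the boundary: five hits on one port is still reported as a normal finding, since the rule is "more than 5", not "5 or more".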
Port Forwarding
Port Forwarding is one way to allow access to your local devices from outside your network. The port forwarding list you see in Firewalla is a result of your own manual configurations and ports automatically opened by UPnP. You can learn more about port forwarding in our article on Firewalla's Network Manager.
Device Open Port Scan
If you are using Firewalla app version 1.56 or lower, device open port scan can be found on each individual device's detail page under Ports.
Firewalla's Device Port Scan finds open ports on your LAN. These ports are only internally available, meaning only devices on your LAN can get access to them. Unless you have port forwarding set up on one of them, there is minimal risk in having open device ports. Most devices require some open ports to operate. For example, many IoT devices, such as Ring cameras, use these ports to talk to each other via your LAN.
You can see each of your scanned devices' open ports by tapping Ports on each device's detail page. Two types of ports will be listed here:
- Ports Forwarded – These are ports forwarded externally either manually or automatically by UPnP.
- Ports Not Forwarded – These are ports the device is "listening" to, but they haven't been forwarded on Firewalla. For example, if Port 22 is found in the "Ports Not Forwarded" list, it means the device will respond to requests sent to its Port 22 from inside of your network. Requests from outside of your network will not be able to reach this device.
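The two lists above, together with the "Traffic from Internet" block rule described in the External Open Port Scan section, can be expressed as a small exposure check. The following is an added example and not Firewalla's code: classify_ports() splits a device's listening ports into Ports Forwarded and Ports Not Forwarded, and internet_reachable() works out which forwarded ports an external scan could still reach once a block rule on a local port is applied. Device names, listening ports, forwarding entries and rules are constructed sample data, and the rule model is a simplification assumed for illustration, not Firewalla's rule engine.

```python
# Added example, not Firewalla's code: the relationship between a device's listening
# ports, the port forwarding list, and a "Traffic from Internet" block rule on a local
# port. classify_ports() splits listening ports into the two lists the device page
# shows; internet_reachable() works out which of them an external scan could still
# reach. Device names, ports and rules are constructed sample data; the rule model is
# a simplification and an assumption, not Firewalla's rule engine.
from dataclasses import dataclass


@dataclass(frozen=True)
class PortForward:
    device: str         # LAN device the traffic is forwarded to
    external_port: int  # port opened on the WAN side
    local_port: int     # port on the device
    source: str         # "manual" or "upnp"


@dataclass(frozen=True)
class BlockRule:
    device: str         # device the rule applies to, or "*" for all devices
    local_port: int     # target: Local Port
    direction: str      # "from-internet" models "Traffic from Internet"


# Constructed sample state of the box.
SAMPLE_FORWARDS = [
    PortForward("NAS", 2222, 22, "manual"),    # owner opened SSH on an alternate port
    PortForward("NAS", 5000, 5000, "upnp"),    # NAS opened its web UI via UPnP
    PortForward("Console", 3074, 3074, "upnp"),
]
SAMPLE_RULES = [
    BlockRule("NAS", 5000, "from-internet"),   # the rule the article describes
]
NAS_LISTENING = {22, 80, 445, 5000}


def classify_ports(device, listening, forwards):
    """Split a device's listening ports into Ports Forwarded / Ports Not Forwarded."""
    forwarded_local = {f.local_port for f in forwards if f.device == device}
    return {
        "forwarded": sorted(p for p in listening if p in forwarded_local),
        "not_forwarded": sorted(p for p in listening if p not in forwarded_local),
    }


def internet_reachable(device, listening, forwards, rules):
    """Forwarded local ports the device answers on and no block rule covers."""
    blocked = {
        r.local_port for r in rules
        if r.direction == "from-internet" and r.device in (device, "*")
    }
    return sorted(
        f.local_port for f in forwards
        if f.device == device and f.local_port in listening and f.local_port not in blocked
    )


if __name__ == "__main__":
    ports = classify_ports("NAS", NAS_LISTENING, SAMPLE_FORWARDS)
    print("Ports Forwarded:", ports["forwarded"])
    print("Ports Not Forwarded (LAN only):", ports["not_forwarded"])
    print("Still reachable from the Internet:",
          internet_reachable("NAS", NAS_LISTENING, SAMPLE_FORWARDS, SAMPLE_RULES))
```

In the sample, port 80 and 445 on the NAS are listed under Ports Not Forwarded and stay LAN-only, port 5000 was opened by UPnP but is covered by the block rule, and only the manually forwarded SSH port remains reachable from outside; that last list is what you would expect the External Open Port Scan to report for this device.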
Note that port scans may trigger some anti-virus software (such as Bitdefender) to block network access to the device being scanned. If you encounter this issue, you can either:
- Turn off port scanning on the device
- Disable port scan protection in the anti-virus software
To specify which of your devices get scanned for open ports, tap Device Port Scan on the Scan page, and then tap Specified Devices. You can also exclude certain devices while keeping the device port scan feature enabled for all other devices on your network.
If you need to set up port forwarding for an open device port, tap on Ports from your device's detail page, tap on one of the Ports Not Forwarded, tap Forward This Port, enter the right configurations for your port forwarding, then tap Save to confirm. Use caution when doing this, as forwarding your port means that it's now accessible from outside of your LAN.
Comments
4 comments
Is there a way to force a deep scan?
No, otherwise our server will likely get blacklisted...
Hello,
I assume all Firewalla boxes know when its brother, the scanning server, is doing a scan. Do these appear in the blocked external list on the WAN interface, or do you remove them like the port required for the mobile app to work?
Technically it would be good to know when you have just pentested your own domain, in particular by public facing Firewalla boxes.
For example: "Firewalla has pentested your dynamic domain. No open ports found".
My assumption is that this scan is manually triggered by the box owner, but if you're preemptively scanning you can place notes in your DNS records. Other services do it particularly the one in the Netherlands, Shodan and so on.
An option for a deep scan could be set - as in requested in the app. All TCP ports with UDP optional.
Might save me from doing it from outside the network and give me some peace of mind 😁
Thank you for consideration
The external scans originate from your servers. The internal scans originate from the Firewalla device.
In either case, how am I able to view the results of the scans on the app if they are not pulled from your servers?