Note: The screenshots in this article reflect the 1.60 version of the app, which is currently only available to beta users. If you are using app version 1.56 or lower, what you see in your app may differ. Learn more about our 1.60 release.
Firewalla's Scan feature helps you assess the security of your network by identifying potential weaknesses.
Please note that due to how Internet protocols work, these scans are not perfect. They are a good way to catch important vulnerabilities, but it's extremely difficult and impractical to find every potential weakness on a network.
Firewalla will never send any of your scan results to our servers. Your privacy is always our priority.
External Open Port Scan
If you are using Firewalla app version 1.56 or lower, the External Open Ports scan can be found in the Open Ports button on your box's main page.
Firewalla's External Open Port Scan inspects your network's ports to see if they can be reached from the Internet. Open ports provide access to the devices on your LAN, potentially opening them up to malicious actors.
You can begin an open port scan by tapping Scan Open Ports. The scan will take less than a minute to finish, and you can continue using the app as usual while the scan runs. When it's finished, you'll see a list of your open ports.
Ideally, this list should be empty. Open ports are like holes in your network, so unless you know what you're doing, you should keep your ports closed. If the scan detects any open ports, make sure you know who opened the port and why:
- Your router – check the policies on your other network hardware, such as the Port Mapping rules on your upstream router.
- Devices inside your network – some devices will open ports via UPnP or NAT-PMP as part of their function, such as a network storage device or a gaming device. If you tap on this type of open port, you can see some details.
- You configured these ports to be open – you can manually open ports to be able to access your network from outside. A more secure alternative is to use Firewalla's built-in VPN instead.
If the port was opened by a device inside of your network via UPnP, you can block it by setting up a rule to block Internet access to the port. Tap on Rules from your box's main page, tap Add Rule, set the target to your Local Port, select Traffic from Internet, apply the rule to whatever device(s) you want, then Save.
Note that the ports an external scan can reach may be limited by your ISP, so we can't guarantee that we will scan every port. This scan is done by another Firewalla server in the cloud and may be either a deep scan or a shallow scan, depending on your ISP and the state of the server. A shallow scan will only investigate well-known ports such as SSH, HTTPS, and HTTP. Regardless, external port scanning is still a valuable way to check for potential vulnerabilities on your network.
You can learn more about open ports in our article on how to deal with open ports. For your reference, here is a table of common ports and their purposes:
If you are using Firewalla app version 1.56 or lower, port forwarding information can be found by tapping Network Manager -> NAT Settings -> Port Forwarding.
Port Forwarding is one way to allow access to your local devices from outside your network. The port forwarding list you see in Firewalla is a result of your own manual configurations and ports automatically opened by UPnP. You can learn more about port forwarding in our article on Firewalla's Network Manager.
Device Open Port Scan
If you are using Firewalla app version 1.56 or lower, device open port scan can be found on each individual device's detail page under Ports.
Firewalla's Device Port Scan finds open ports on your LAN. These ports are only internally available, meaning only devices on your LAN can get access to them. Unless you have port forwarding set up on one of them, there is minimal risk in having open device ports. Most devices require some open ports to operate. For example, many IoT devices, such as Ring cameras, use these ports to talk to each other via your LAN.
You can see each of your scanned devices' open ports by tapping Ports on each device's detail page. Two types of ports will be listed here:
- Ports Forwarded – These are ports forwarded externally either manually or automatically by UPnP.
- Ports Not Forwarded – These are ports the device is "listening" to, but they haven't been forwarded on Firewalla. For example, if Port 22 is found in the "Ports Not Forwarded" list, it means the device will respond to requests sent to its Port 22 from inside of your network. Requests from outside of your network will not be able to reach this device.
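To make the two lists concrete, here is an added example (not Firewalla's code) that checks which TCP ports on a device you administer accept a connection, then groups them into forwarded and not forwarded using a port forwarding list. The `Forward` record, the function names and the sample values are assumptions made for illustration, and the example goes one step beyond the page by also listing forwarding entries whose target port did not answer.

```python
import socket
from dataclasses import dataclass

@dataclass(frozen=True)
class Forward:
    """One port-forwarding entry (hypothetical shape, not Firewalla's data model)."""
    ext_port: int   # port exposed to the Internet
    host: str       # LAN device the traffic is sent to
    port: int       # port on that device
    source: str     # "manual" or "upnp"

def listening_ports(host, ports, timeout=0.5):
    """Return the TCP ports on `host` that accept a connection."""
    found = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 on success instead of raising
            if s.connect_ex((host, port)) == 0:
                found.append(port)
    return found

def classify(host, listening, forwards):
    """Group a device's listening ports the way the Ports page lists them."""
    mine = [f for f in forwards if f.host == host]
    by_port = {f.port: f for f in mine}
    report = {"forwarded": [], "not_forwarded": []}
    for port in sorted(listening):
        f = by_port.get(port)
        if f:
            # Reachable from outside: record the external port and who opened it
            report["forwarded"].append((port, f.ext_port, f.source))
        else:
            # Answers on the LAN only
            report["not_forwarded"].append(port)
    # Forwarding entries whose target port did not answer the check
    report["stale_forwards"] = sorted(
        f.ext_port for f in mine if f.port not in listening)
    return report

if __name__ == "__main__":
    # Constructed sample: a loopback listener stands in for a LAN device.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    p = srv.getsockname()[1]
    fwd = [Forward(8443, "127.0.0.1", p, "upnp")]
    print(classify("127.0.0.1", listening_ports("127.0.0.1", [p]), fwd))
    srv.close()
```

Entries that land in `forwarded` with a `upnp` source are the ones to review first, since the device opened them itself.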
Note that port scans may trigger some anti-virus software to block network access to the device being scanned. If you encounter this issue, please turn off port scanning on the device.
You can change which of your devices gets scanned for open ports by tapping Device Port Scan on the Scan page, and then tapping Specified Devices. From here, you can specify which of your networks, groups, or devices gets scanned.
If you need to set up port forwarding for an open device port, tap on Ports from your device's detail page, tap on one of the Ports Not Forwarded, tap Forward This Port, enter the right configurations for your port forwarding, then tap Save to confirm. Use caution when doing this, as forwarding your port means that it's now accessible from outside of your LAN.