Open ports are ports on your network that are reachable from devices outside it. Every open port is a path into your network, including for potentially malicious actors, so each one is an exposure and you should keep as few of them as possible.
There are two open port lists.
- Ports detected using UPnP protocol. These are opened by another device via the UPnP protocol. If you tap into it, Firewalla will provide details. If you do not need them, you can block them.
- Ports detected through an external scan. These ports are very likely opened by you using port mapping on the router (or by the router). If you do not know why these ports are open, please check your router's ‘port mapping’ settings.
The ports found by the external scan may be limited by filtering done by ISPs. The external scan is performed by a Firewalla server in the cloud. That server runs either a deep scan or a shallow scan; a shallow scan only checks well-known ports such as SSH, HTTPS, and HTTP. (Which scan is used depends on the ISP and on the state of the server doing the scan; we are doing our best to keep that server from being blacklisted.)
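The UPnP list above comes from port mappings that devices on the LAN asked the router to create. Those mappings can also be enumerated directly from the router with the standard UPnP IGD action GetGenericPortMappingEntry on the WANIPConnection service, which is a useful cross-check when deciding whether a detected port is expected. The script below is an added example and is not Firewalla's own code: it builds the SOAP request, parses the router's response, and flags any enabled mapping that is not on an allowlist you maintain. The two router responses, the allowlist, and the 192.168.1.x addresses are constructed sample data; the router control URL in `query_router` is a placeholder that you would obtain from SSDP discovery, and that function is the only part that touches the network.

```python
"""Audit UPnP IGD port mappings against an allowlist.

Added example for this article; not Firewalla code. The SOAP action and
element names below come from the UPnP IGD WANIPConnection:1 specification.
"""
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass

IGD_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ACTION = "GetGenericPortMappingEntry"


@dataclass(frozen=True)
class PortMapping:
    external_port: int
    protocol: str
    internal_client: str
    internal_port: int
    description: str
    enabled: bool
    lease_seconds: int


def build_request(index: int) -> str:
    """SOAP envelope asking the router for port-mapping entry number `index`.

    Walk index 0, 1, 2, ... until the router answers with a SOAP fault
    (SpecifiedArrayIndexInvalid); that marks the end of the table.
    """
    return (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{ACTION} xmlns:u="{IGD_SERVICE}">'
        f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
        f'</u:{ACTION}></s:Body></s:Envelope>'
    )


def query_router(control_url: str, index: int) -> str:
    """POST one request to the router's control URL and return the raw XML.

    Network call; control_url is a placeholder you learn from SSDP discovery.
    """
    req = urllib.request.Request(
        control_url,
        data=build_request(index).encode(),
        headers={
            "Content-Type": 'text/xml; charset="utf-8"',
            "SOAPAction": f'"{IGD_SERVICE}#{ACTION}"',
        },
    )
    with urllib.request.urlopen(req, timeout=5) as resp:  # assumption: plain HTTP IGD endpoint
        return resp.read().decode()


def parse_response(xml_text: str) -> PortMapping:
    """Extract one mapping from a GetGenericPortMappingEntryResponse envelope."""
    root = ET.fromstring(xml_text)
    body = root.find(f"{{{SOAP_NS}}}Body")
    resp = body.find(f"{{{IGD_SERVICE}}}{ACTION}Response") if body is not None else None
    if resp is None:
        raise ValueError("not a GetGenericPortMappingEntryResponse")

    def text(tag: str) -> str:
        # Argument elements are unprefixed children of the response element.
        el = resp.find(tag)
        return el.text.strip() if el is not None and el.text else ""

    return PortMapping(
        external_port=int(text("NewExternalPort")),
        protocol=text("NewProtocol").upper(),
        internal_client=text("NewInternalClient"),
        internal_port=int(text("NewInternalPort")),
        description=text("NewPortMappingDescription"),
        enabled=text("NewEnabled") == "1",
        lease_seconds=int(text("NewLeaseDuration") or 0),
    )


def audit(mappings, allowlist):
    """Return enabled mappings whose (protocol, external port, LAN host) is not allowlisted."""
    return [
        m for m in mappings
        if m.enabled and (m.protocol, m.external_port, m.internal_client) not in allowlist
    ]


def _sample(ext, proto, host, internal, desc, enabled="1", lease="0") -> str:
    # Constructed router reply in the shape the IGD spec defines.
    return (
        f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
        f'<u:{ACTION}Response xmlns:u="{IGD_SERVICE}">'
        f'<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>'
        f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{internal}</NewInternalPort>'
        f'<NewInternalClient>{host}</NewInternalClient><NewEnabled>{enabled}</NewEnabled>'
        f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
        f'<NewLeaseDuration>{lease}</NewLeaseDuration>'
        f'</u:{ACTION}Response></s:Body></s:Envelope>'
    )


# Constructed sample data: a game console you expect, and an SSH forward you did not set up.
SAMPLE_RESPONSES = [
    _sample(3074, "UDP", "192.168.1.20", 3074, "Game console", lease="3600"),
    _sample(22, "TCP", "192.168.1.42", 22, "ssh"),
]
ALLOWLIST = {("UDP", 3074, "192.168.1.20")}

if __name__ == "__main__":
    entries = [parse_response(x) for x in SAMPLE_RESPONSES]
    for m in audit(entries, ALLOWLIST):
        print(f"unexpected mapping: {m.protocol}/{m.external_port} -> "
              f"{m.internal_client}:{m.internal_port} ({m.description!r})")
```

Run against a real router by replacing `SAMPLE_RESPONSES` with the output of `query_router` in a loop over increasing indexes; anything `audit` returns is a mapping to either add to your allowlist or remove, which is the same decision the Firewalla alarm asks you to make.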
What is UPnP?
UPnP stands for Universal Plug and Play, which is a networking protocol that enables devices to discover and communicate with each other on a local network. UPnP allows devices to automatically configure network settings and establish connections without requiring manual setup by the user.
While UPnP can be convenient for users, it can also pose a security risk if not properly configured. The automatic configuration process can allow devices to open ports on a router without the user's knowledge or consent, potentially exposing the network to outside threats. Attackers can use vulnerabilities in UPnP to gain access to devices on the network and launch attacks such as distributed denial-of-service (DDoS) attacks or steal sensitive information.
If you are using Firewalla in router mode, you can use the network manager to selectively turn off UPnP per device. See https://help.firewalla.com/hc/en-us/articles/360046703673-Firewalla-Feature-Guide-Network-Manager#h_01EDNZT093KGHYNZND0X6BB73P
Learn more about how to handle Open Port alarms.
Reference on port numbers:
Comments
Is there a way to force a deep scan?
No, otherwise our server will likely get blacklisted...
Hello,
I assume all Firewalla boxes know when their brother, the scanning server, is doing a scan. Do these appear in the blocked external list on the WAN interface, or do you remove them like the port required for the mobile app to work?
Technically it would be good to know when you have just pentested your own domain, in particular by public-facing Firewalla boxes.
For example. "Firewalla has pentested your dynamic domain. No open ports found".
My assumption is that this scan is manually triggered by the box owner, but if you're preemptively scanning you can place notes in your DNS records. Other services do it particularly the one in the Netherlands, Shodan and so on.
An option for a deep scan could be set - as in requested in the app. All TCP ports with UDP optional.
Might save me from doing it from outside the network and give me some peace of mind 😁
Thank you for your consideration.