This quick article will explain some of the common questions regarding blocking statistics and blocking flow view.
Please do not worry about block flows, unless you are experiencing problems.
DNS entries not found will show up as blocked.
This requires box version 1.973 or above.
A flow can be identified as [source IP, source port, destination IP, destination port].
- What do the Block statistics mean?
- What are the blocked flows?
- Should I be worried if I see a lot of blocked flows?
- Why do my company's domains show up in the DNS block?
- Should I be worried if I see domains that shouldn't be blocked?
- Why do I see known domains trying to access my network?
- How do I know which rule triggered the blocking? (Blocked flow diagnostics)
- What to do if I don't want this site to be blocked?
- What does the Flow Count/Blocked Count mean?
What do the statistics mean?
In the example above:
- 827,702 is the number of all flows in the last 24 hours, which is the total of:
  - the accepted network flows +
  - flows blocked by IP filtering +
  - flows blocked by DNS filtering
- 191,808 is the number of all blocked network flows in the last 24 hours, which is the total of:
  - flows blocked by IP filtering +
  - flows blocked by DNS filtering
- 23.2% is the percentage of blocked flows (i.e. Blocked flows/Total flows).
What are the flows blocked by DNS Filtering?
- Most blocks are done by the adblocker or rules you have set up. (To identify the blocking rule, please see Step 3, Check blocking rules.)
- Unknown or bad domain lookups will also show up here as blocked.
- Examples above:
  - unknown.domain.lan: this is just a test domain that doesn't exist, so it will show up as blocked.
  - logfiles.zoom.us, bam.nr-data.net: these are likely blocked by the adblocker/tracker block.
  - bam.nr-data.net.lan: this is an invalid domain.
What are the flows blocked by IP Filtering?
- Blocks are often done in the data path, most of the time using an IP address.
- You will see a lot of these on your WAN interface (Gold and Purple)
- The block can be from any of your rules when you specify default block mode, as well as from active blocks.
- Examples above:
  - 192.241.203.x: likely just an IP trying to scan your network
  - github.com: see "Why do I see known domains trying to access my network?"
- Not all IP flow blocks will show a domain with them.
Should I be worried if I see a lot of blocked flows?
- Most of the time you shouldn't worry. When you are on the internet, people may knock on your door...
- Blocks can be anything and depend on your device, your network, software that you use, or your service provider.
- As long as your app or network is running, you should be okay.
- If Firewalla is in Router mode, make sure you have Firewalla's ingress firewall on: Rules > All Devices > Block Traffic from Internet. (If you have the blue/red/..., make sure your router's firewall is on.)
Why do my company's domains show up in the DNS block?
Most of the time, this is because these domains are local to your company network and not valid outside of the company. Your laptop's software still queries them, and when they are not found at home, they will show up as "blocked".
Should I be worried if I see domains that shouldn't be blocked?
The block stats are only useful if you are encountering problems. The DNS blocks cannot distinguish domains that are blocked from domains that are not valid, so it is very likely that the domain is invalid. Software does that: it may query for invalid domains. Please do not ask us why, because we don't know.
Each piece of software is different; we cannot tell you why it queries for domains that don't exist or end with ".lan" (for the same reason we can't tell you why a device talks to a certain site).
Why do I see known domains trying to access my network?
This is likely the result of the last packets arriving after the session (started by you, such as visiting GitHub) was terminated. To see this, just tap on the flow: you will see the source is github.com and the port is 443, which is the port usually used as the destination.
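An added example (not Firewalla code): the same check done over exported flow records, by matching each blocked inbound flow against earlier outbound sessions with the mirrored flow tuple. The record layout, the 120-second window and the sample addresses are assumptions constructed for illustration; both record sets are assumed to use the addresses seen on the same interface.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumption: how long after an outbound session a stray reply is still
# attributed to it. The article gives no figure.
LATE_REPLY_WINDOW_S = 120


@dataclass(frozen=True)
class Flow:
    ts: float       # seconds, any consistent clock
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def classify_blocked_inbound(blocked, outbound, window=LATE_REPLY_WINDOW_S):
    """Label each blocked inbound flow 'late-reply' or 'unsolicited'.

    A blocked flow is a late reply when its 4-tuple mirrors an outbound
    flow that was seen at most `window` seconds before it.
    """
    # Index outbound sessions by the tuple a reply packet would carry.
    seen = defaultdict(list)
    for f in outbound:
        seen[(f.dst_ip, f.dst_port, f.src_ip, f.src_port)].append(f.ts)

    labelled = []
    for b in blocked:
        stamps = seen.get((b.src_ip, b.src_port, b.dst_ip, b.dst_port), [])
        late = any(0 <= b.ts - t <= window for t in stamps)
        labelled.append((b, "late-reply" if late else "unsolicited"))
    return labelled


# Constructed sample data (documentation address ranges, not real hosts).
OUTBOUND = [Flow(1000, "192.0.2.2", 51514, "203.0.113.10", 443)]
BLOCKED = [
    Flow(1065, "203.0.113.10", 443, "192.0.2.2", 51514),   # mirrors the session
    Flow(1070, "198.51.100.7", 40022, "192.0.2.2", 22),    # no matching session
    Flow(5000, "203.0.113.10", 443, "192.0.2.2", 51514),   # far outside window
]

if __name__ == "__main__":
    for flow, label in classify_blocked_inbound(BLOCKED, OUTBOUND):
        print(f"{flow.src_ip}:{flow.src_port} -> {flow.dst_ip}:{flow.dst_port}  {label}")
```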
How do I know which rule triggered the blocking?
When you tap on a block flow, you'll find a button at the bottom of the flow detail. If the flow is being blocked by the "Ad Block" or "Active Protect" feature, you may tap on the button to configure the feature directly.
Otherwise, you'll find a "Diagnose" button. Tap the button, and the App will fill in the destination and the device automatically and help you identify the rule that may have blocked the site.
What to do if I don't want this site to be blocked?
If you find a certain flow is being blocked unexpectedly, you can tap the "Allow" button at the bottom of the detail page of a blocked flow to create an allow rule based on the destination/source and the scope (device/group/network/all devices). Instead of having to turn off the feature (e.g. ad block) completely or delete the related blocking rule, you can create exceptions and fine-tune the system easily.
What does the Flow Count/Blocked Count mean?
Flow Count: Firewalla may record a connection as multiple flows if the connection is relatively long. A long-lived connection will therefore show a relatively higher flow count: the longer the connection, the higher the flow count.
Blocked Count: Firewalla will aggregate multiple flows into one record if they are generated in a short period of time and triggered by the same source and destination.
Why are there so many DNS blocks?
First, the number of DNS requests does NOT mean the device is trying to contact the site. It simply means the device is trying to find the IP address of the domain.
In normal cases, a device queries for the IP address of foo[.]com; if that is successful, the device will cache the result and all subsequent lookups will not hit the DNS server.
Now, if that DNS lookup of foo[.]com was blocked, then the device likely thinks the network is down and starts to retry the lookup over and over again ... and again and again ... so you have all the lookups ...
To verify this theory:
- Disable ad blocker and family mode.
- Do an nslookup of the domain in question.
- Add the IP address returned from nslookup to the blocking rules, and make the block as (default mode).
- Watch and see if you get blocks for that site. (next to it, you should see IP).
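An added example (not Firewalla code) of the retry effect described above: it collapses blocked DNS lookups per device and domain into retry bursts, and marks names ending in ".lan" as probably not found rather than filtered. The record layout, the 30-second burst gap and the timestamps are assumptions constructed for illustration; the domain names are the ones used earlier in this article.

```python
from collections import defaultdict

BURST_GAP_S = 30            # assumption: lookups closer than this are one retry burst
LOCAL_SUFFIXES = (".lan",)  # suffix the article names as not valid


def summarize_dns_blocks(records, gap=BURST_GAP_S):
    """records: iterable of (ts, device, domain) for blocked DNS lookups.

    Returns one row per (device, domain), most-queried first, with the raw
    lookup count and the number of separate retry bursts behind it.
    """
    stamps_by_key = defaultdict(list)
    for ts, device, domain in records:
        stamps_by_key[(device, domain.lower().rstrip("."))].append(ts)

    rows = []
    for (device, domain), stamps in stamps_by_key.items():
        stamps.sort()
        # A new burst starts whenever the pause since the last lookup exceeds gap.
        bursts = 1 + sum(1 for a, b in zip(stamps, stamps[1:]) if b - a > gap)
        kind = ("likely-not-found" if domain.endswith(LOCAL_SUFFIXES)
                else "check-blocking-rules")
        rows.append({"device": device, "domain": domain,
                     "lookups": len(stamps), "bursts": bursts, "kind": kind})
    rows.sort(key=lambda r: (-r["lookups"], r["domain"]))
    return rows


# Constructed sample: one app retrying a blocked name with growing back-off,
# then again about a minute later, plus two ".lan" lookups.
SAMPLE = (
    [(t, "laptop", "bam.nr-data.net") for t in (0, 1, 3, 7, 15, 31, 100, 101, 103)]
    + [(5, "laptop", "bam.nr-data.net.lan"), (6, "laptop", "unknown.domain.lan")]
)

if __name__ == "__main__":
    for row in summarize_dns_blocks(SAMPLE):
        print(row)
```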