Products Firewalla Gold Firewalla Gold Plus Firewalla Purple Firewalla Purple SE Firewalla Blue Plus Firewalla Wi-Fi SD Product Comparison Product Reviews

Articles in this section

See more

Firewalla Blocked Flows

Avatar
Firewalla
  • Updated
Follow

This quick article will explain some of the most common questions regarding blocking statistics and the view of the blocked flow. Please only worry about blocked flows if you are experiencing problems.

A flow can be identified as [source IP, source port, DST IP, DST port]. 

 

How to see the blocked flows?

You can see a list of your blocked flows by tapping Blocked on your box's main page, or by tapping Flows in the last 24 hrs on your box's main page -> View Blocked.

 

Highlight the blockings statistics and shows the number of flows in the last 24 hours and how many have been blocked.

 

With the 1.975 box release, Firewalla will also list your Top Blocked Flows by Region and Destination. You can watch a video tutorial or read more about this feature in our Release Notes.

 

FAQs: 

 

What do the Block Statistics mean?

Highlight the blockings statistics and shows the number of flows in the last 24 hours which is 827,702 flows and how many have been blocked which is 191,808 flows which is 23.2% of all flows.

In the example above:

  • 827,702 is the number of all flows in the last 24 hours, including:
    • accepted network flows, 
    • flows blocked by IP filtering, 
    • flows blocked by DNS filtering
  • 191,808 is the number of all blocked network flows in the last 24 hours, including:
    • flows blocked by IP filtering, 
    • flows blocked by DNS filtering
  • 23.2% is the percentage of all flows that have been blocked (i.e., blocked flows divided by total flows)

 

What are blocked flows?

Blocked flows are flows intercepted by Firewalla. Keep reading to learn about the two types of blocked flows: those blocked by DNS Filtering and those blocked by IP Filtering.

 

What are the flows blocked by DNS Filtering?

This shows the number of blocked flows and the DNS of those blocked flows.

Most blocks are done by Ad Block or the rules you have set up. To identify the blocking rule, please look at Step 3: Check blocking rules.

In the example above, logfiles.zoom.us, and bam.nr-data.net are likely blocked by Ad Block.

 

What are the flows blocked by IP Filtering?

This shows the number of blocked flows and the IP addresses of those blocked flows.

  • Blocks are often done in the data path, usually using an IP address.
  • You will see many of these on your WAN interface (Gold and Purple).
  • The block can be from any of your rules when you specify default block mode or from active blocks.
  • Not all IP flow blocks will show a domain.

In the example above:

 

Should I be worried if I see a lot of blocked flows?

  • Most of the time, you shouldn't worry. When you are on the internet, people may knock on your door, that doesn't mean they are allowed in. This is perfectly normal.
  • Blocked flows can be anything and depend on your devices, networks, the software you run, and your service provider among other things.
  • As long as your app or network is running, you should be okay.
  • If Firewalla is in Router mode, make sure you have the Firewalla's ingress firewall on. Rules > All Devices > Block Traffic from Internet (if you have the Blue/Red/Blue Plus make sure your router's firewall is on).

 

Should I be worried if I don't see any blocked flows?

  • You are likely under another firewall or NAT (or CGNAT) device that may be blocking any external probes. 
  • Make sure you have the "Block Traffic from Internet" rule enabled. This is your ingress firewall.
  • Turn on Ad Block. This should generate blocks.

 

Why do I see known domains trying to access my network? 

This is most likely the result of packets arriving after the session (started by you, such as visiting GitHub) was terminated. To learn more, tap on the flow, and you will see the source is github.com and the port is 443. This is the port usually used as the destination.

Highlights a visual source of the blocked flow.

 

How do I know which rule triggered the blocking?

When you tap on a block flow, if the flow is being blocked by the "Ad Block" or "Active Protect" feature, you'll find the blocked reason at the bottom of the flow detail page. In addition, a line of text will be shown on top of the action, you may tap on the text to configure the feature directly.

Otherwise, you'll find a "Diagnose" button at the bottom of the page, tap the button, and the app will fill in the destination and the device automatically and help you to identify the rule that may have blocked the site.

In app demo that highlights provides details and allows you diagnose any blocked items you want to investigate further.

 

What to do if I don't want this site to be blocked? 

If you find a certain flow is being blocked unexpectedly, you can tap the "Allow" button at the bottom of the detail page of a blocked flow to create an allow rule based on the destination/source and the scope (device/group/network/all devices). Instead of turning off the feature (e.g., ad block) completely or deleting the related blocking rule, you can create exceptions and fine-tune the system easily.

Provides a visual of the blocked flow and then the steps to allow this connection not to be blocked going forward.

 

What does the Flow Count/Blocked Count mean? 

In app demo that provide a view of blocked count, blocked by, timestamp, direction and more.

Flow Count: Firewalla may record a connection as multiple flows if the connection is relatively long. So if there is a connection that has been live for a long time, it will be shown as a relatively higher flow count. The longer the connection, the higher the flow count.

Blocked Count: Firewalla will aggregate multiple flows into one record if they are generated in a short period of time and triggered by the same source and destination.

 

Why are there so many DNS blocks?

First, the number of DNS requests does NOT mean the device is trying to contact the site. It is simply the device is trying to find the IP address of the domain.

Normally, a device queries for the IP address of foo[.]com, if that is successful, the device will cache the result, and all subsequent lookups will not hit the DNS server. 

Now, if that DNS lookup of foo[.]com was blocked, then the device is likely thinking the network is down and starts to retry the lookup over and over again ... and again and again ... so you have all the lookups ...

To verify this theory:

  1. Disable ad blocker and family mode. 
  2. Do an nslookup of the domain in question.
  3. Add the IP address returned by nslookup to the blocking rules, and make the block (default mode). 
  4. Watch and see if you get blocks for that site. (next to it, you should see IP).

What to do if if you see high block rates

  1. Go through by Network/Groups/Devices and find those with block rates that are higher than expected.
  2. See if the blocked traffic is inbound or outbound. Keep in mind that you usually can't do anything about inbound connection attempts and the default inbound Internet traffic rule will keep these out anyway.
  3. See if the high block rate is coming from one device, Group, or network. This helps you quickly narrow the scope of the problem.
  4. Based on step three, evaluate what "abnormal". You could have a device with a high block rate but that is just normal for that device. There is some "art" to this because you need to assess what is normal for any given device, Group, or Network.
  5. Once you find something that is "unusual" you can determine the cause and refine the rules that might be causing false positives or negatives. See Manage Rules for more details on rules and precedence.
  6. As you make changes to rules keep in mind that the statistics are based on a 24 period so changes will take some time to show in the stats. 

Related articles

Comments

0 comments

Please sign in to leave a comment.