This quick article will explain some of the common questions regarding blocking statistics and the blocked flow view.
Please do not worry about blocked flows unless you are experiencing problems.
DNS entries that are not found will show up as blocked.
- What do the statistics mean?
- What are the blocked flows?
- Should I be worried if I see a lot of blocked flows?
- Why do my company's domains show up in the DNS block?
- Should I be worried if I see domains that shouldn't be blocked?
- Why do I see known domains trying to access my network?
- How do I know which rule triggered the blocking? (Blocked flow diagnostics)
- What does the Flow Count/Blocked Count mean?
What do the statistics mean?
In the example above:
- 827,702 is the number of all flows in the last 24 hours, including the accepted network flows + flows blocked by IP filtering + flows blocked by DNS filtering.
- 191,808 is the number of all blocked network flows in the last 24 hours, including flows blocked by IP filtering + flows blocked by DNS filtering.
- 23.2% is the percentage of blocked flows (i.e. 191,808 divided by 827,702).
What are the flows blocked by DNS Filtering?
- Most blocks are done by the ad blocker or rules you have set up. (To identify the blocking rule, please see Step 3, Check blocking rules.)
- Unknown or bad domain lookups will also show up here as blocked.
- Examples above:
  - unknown.domain.lan: this is just a test domain that doesn't exist ... it will show up as blocked
  - logfiles.zoom.us, bam.nr-data.net: these are likely blocked by the ad blocker/tracker block
  - bam.nr-data.net.lan: this is an invalid domain.
What are the flows blocked by IP Filtering?
- These blocks are done in the data path, most of the time by matching an IP address.
- You will see a lot of these on your WAN interface (Gold).
- The block can come from any of your rules when you specify default block mode, as well as from active block.
- Examples above:
  - 192.241.203.x: likely just an IP trying to scan your network
  - github.com: see "Why do I see known domains trying to access my network?"
- Not all IP flow blocks will show a domain with them.
Should I be worried if I see a lot of blocked flows?
- Most of the time you shouldn't worry; when you are on the internet, people may knock on your door...
- Blocks can be anything and depend on your device, your network, the software you use, and your service provider.
- As long as your app or network is running, you should be okay.
- Make sure you have the Firewalla's ingress firewall on. (If you have the Blue/Red/..., make sure your router's firewall is on.)
Why do my company's domains show up in the DNS block?
Most of the time it is because these domains are not valid outside of the company; your laptop's software still queries them ... when they are not found at home, they will show up as "blocked".
Should I be worried if I see domains that shouldn't be blocked?
The block stats are only useful if you are encountering problems. The DNS block view cannot distinguish domains that are blocked from domains that are not valid. So it is very likely that the domain is simply invalid. And software does that ... it may query for invalid domains. Please do not ask us why, because we don't know.
Each piece of software is different; we cannot tell you why it queries for domains that don't exist or end with ".lan" (for the same reason we can't tell you why a device talks to a certain site).
Why do I see known domains trying to access my network?
This is likely the result of packets arriving after a session you started (such as visiting GitHub) was already terminated: the last packet arrives after the session is closed. To see this, just tap on the flow; you will see the source is github.com and the source port is 443, which is the port usually used as the destination.
How do I know which rule triggered the blocking?
When you tap on a blocked flow, you'll find a button at the bottom of the flow detail: "Why is it blocked?". Tap the button and the App will fill in the destination and the device automatically and help you identify the rule that may have blocked the site.
What does the Flow Count/Blocked Count mean?
Flow Count: Firewalla may record a connection as multiple flows if the connection is relatively long. So a long-lived connection will be shown with a relatively higher flow count; the longer the connection, the higher the flow count.
Blocked Count: The Box will aggregate multiple flows into one record if they are generated within a short period of time and triggered by the same source and destination.
Why are there so many DNS blocks?
First, the number of DNS requests does NOT mean the device is trying to contact the site. It simply means the device is trying to find the IP address of the domain ...
In normal cases, a device queries for the IP address of foo[.]com; if that is successful, the device will cache the result and all subsequent lookups will not hit the DNS server.
Now, if that DNS lookup of foo[.]com was blocked, then the device likely thinks the network is down and starts to retry the lookup over and over again ... and again and again ... so you see all those lookups ...
To verify my theory:
1. Disable ad blocker, family mode ...
2. Do an nslookup of the domain you mentioned.
3. Add the IP address returned from (1) to the blocking rules, and set the block to default mode.
4. Then watch and see if you get blocks for that site. (Next to it, you should see IP.)
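The retry explanation above is easy to see with a small simulation. The following is an added example written for this article, not Firewalla code: a toy stub resolver, a device-side cache with a TTL, and an application that asks for the domain's address once per second. Whether a client really retries every second depends on the operating system and the software, so the retry interval, the cache TTL and the resolver behaviour here are all assumptions; the point is the shape of the result, not the exact count.

```python
from typing import Callable, Optional

# Constructed zone data for the stub resolver; these addresses are not real.
ZONE = {"foo.com": "203.0.113.10", "github.com": "203.0.113.20"}


def make_resolver(blocked=frozenset()) -> Callable[[str], Optional[str]]:
    """Return a stub resolver. A blocked name or an unknown name yields None,
    which is what a DNS-filtered or NXDOMAIN lookup looks like to the device."""
    def resolve(name: str) -> Optional[str]:
        if name in blocked:
            return None            # blocked by the filter
        return ZONE.get(name)      # None for a domain that does not exist
    return resolve


def simulate_lookups(resolver, domain, seconds=60, ttl=3600, retry_interval=1):
    """Simulate an app that wants `domain`'s address once per second for `seconds`.

    Successful answers are cached for `ttl` seconds, so later requests never reach
    the resolver. A failed answer is not cached (assumed: no negative caching), so the
    device retries every `retry_interval` seconds. Returns the number of queries the
    resolver actually saw and the final answer, if any.
    """
    cache = {}            # domain -> (address, expiry time)
    queries = 0
    next_retry = 0
    answer = None
    for t in range(seconds):
        entry = cache.get(domain)
        if entry is not None and entry[1] > t:
            answer = entry[0]      # served from cache, no DNS traffic
            continue
        if t < next_retry:
            continue               # still waiting before the next retry
        queries += 1
        answer = resolver(domain)
        if answer is not None:
            cache[domain] = (answer, t + ttl)
        else:
            next_retry = t + retry_interval
    return {"queries": queries, "resolved": answer}


if __name__ == "__main__":
    ok = make_resolver()
    filtered = make_resolver(blocked=frozenset({"foo.com"}))
    print("allowed:   ", simulate_lookups(ok, "foo.com"))
    print("blocked:   ", simulate_lookups(filtered, "foo.com"))
    print("nonexistent", simulate_lookups(ok, "unknown.domain.lan"))
```

With the domain allowed, the resolver sees exactly one query in the whole minute and the cache answers the other 59 requests. With the same domain blocked, or simply nonexistent, every request becomes a fresh query, so the blocked-flow view shows 60 DNS blocks for a single app that only ever wanted one address. That is why a large DNS block count for one domain usually points at a client retrying a failed lookup rather than at 60 separate attempts to reach the site.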