Products Firewalla Gold Firewalla Gold Plus Firewalla Purple Firewalla Purple SE Firewalla Blue Plus Firewalla Wi-Fi SD Product Comparison Product Reviews

Articles in this section

See more

Firewalla Blocked Flows

Avatar
Firewalla
  • Updated
Follow

This quick article will explain some of the most common questions regarding blocking statistics and the view of the blocked flow. Please only worry about blocked flows if you are experiencing problems.

A flow can be identified as [source IP, source port, DST IP, DST port]. 

 

How to see the blocked flows?

You can see a list of your blocked flows by tapping Blocked on your box's main page, or by tapping Flows in the last 24 hrs on your box's main page -> View Blocked.

 

BlockedFlow_tap.jpg

 

With the 1.975 box release, Firewalla will also list your Top Blocked Flows by Region and Destination. You can read more about this feature in our Release Notes.

 

FAQs: 

 

What do the Block Statistics mean?

stats.png

In the example above:

  • 827,702 is the number of all flows in the last 24 hours, including:
    • accepted network flows, 
    • flows blocked by IP filtering, 
    • flows blocked by DNS filtering
  • 191,808 is the number of all blocked network flows in the last 24 hours, including:
    • flows blocked by IP filtering, 
    • flows blocked by DNS filtering
  • 23.2% is the percentage of all flows that have been blocked (i.e., blocked flows divided by total flows)

 

What are blocked flows?

Blocked flows are flows intercepted by Firewalla. Keep reading to learn about the two types of blocked flows: those blocked by DNS Filtering and those blocked by IP Filtering.

 

What are the flows blocked by DNS Filtering?

mceclip0.png

Most blocks are done by Ad Block or the rules you have set up. To identify the blocking rule, please look at Step 3: Check blocking rules.

In the example above, logfiles.zoom.us, and bam.nr-data.net are likely blocked by Ad Block.

 

What are the flows blocked by IP Filtering?

Blocked.png

  • Blocks are often done in the data path, usually using an IP address.
  • You will see many of these on your WAN interface (Gold and Purple).
  • The block can be from any of your rules when you specify default block mode or from active blocks.
  • Not all IP flow blocks will show a domain.

In the example above:

 

Should I be worried if I see a lot of blocked flows?

  • Most of the time, you shouldn't worry. When you are on the internet, people may knock on your door. This is perfectly normal.
  • Blocked flows can be anything and depend on your device, your network, your software, and your service provider. 
  • As long as your app or network is running, you should be okay.
  • If Firewalla is in Router mode, make sure you have the Firewalla's ingress firewall on. Rules > All Devices > Block Traffic from Internet (if you have the Blue/Red/Blue Plus make sure your router's firewall is on).

 

Should I be worried if I don't see any blocked flows?

  • You are likely under another firewall or NAT (or CGNAT) device that may be blocking any external probes. 
  • Make sure you have the "Block Traffic from Internet" rule enabled. This is your ingress firewall.
  • Turn on Ad Block. This should generate blocks.

 

Why do I see known domains trying to access my network? 

This is most likely the result of packets arriving after the session (started by you, such as visiting GitHub) was terminated. To learn more, tap on the flow, and you will see the source is github.com and the port is 443. This is the port usually used as the destination.

Source.png

 

How do I know which rule triggered the blocking?

When you tap on a block flow, if the flow is being blocked by the "Ad Block" or "Active Protect" feature, you'll find the blocked reason at the bottom of the flow detail page. In addition, a line of text will be shown on top of the action, you may tap on the text to configure the feature directly.

Otherwise, you'll find a "Diagnose" button at the bottom of the page, tap the button, and the app will fill in the destination and the device automatically and help you to identify the rule that may have blocked the site.

Screen_Shot_2022-12-27_at_19.38.06.png

 

What to do if I don't want this site to be blocked? 

If you find a certain flow is being blocked unexpectedly, you can tap the "Allow" button at the bottom of the detail page of a blocked flow to create an allow rule based on the destination/source and the scope (device/group/network/all devices). Instead of turning off the feature (e.g., ad block) completely or deleting the related blocking rule, you can create exceptions and fine-tune the system easily.

allow.png

 

What does the Flow Count/Blocked Count mean? 

Screen_Shot_2021-04-15_at_1.20.35_PM.png

Flow Count: Firewalla may record a connection as multiple flows if the connection is relatively long. So if there is a connection that has been live for a long time, it will be shown as a relatively higher flow count. The longer the connection, the higher the flow count.

Blocked Count: Firewalla will aggregate multiple flows into one record if they are generated in a short period of time and triggered by the same source and destination.

 

Why are there so many DNS blocks?

First, the number of DNS requests does NOT mean the device is trying to contact the site. It is simply the device is trying to find the IP address of the domain.

Normally, a device queries for the IP address of foo[.]com, if that is successful, the device will cache the result, and all subsequent lookups will not hit the DNS server. 

Now, if that DNS lookup of foo[.]com was blocked, then the device is likely thinking the network is down and starts to retry the lookup over and over again ... and again and again ... so you have all the lookups ...

To verify this theory:

  1. Disable ad blocker and family mode. 
  2. Do an nslookup of the domain in question.
  3. Add the IP address returned by nslookup to the blocking rules, and make the block (default mode). 
  4. Watch and see if you get blocks for that site. (next to it, you should see IP).

 

 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.