Firewalla Blocked Flows

In Firewalla release 1.972 and app version 1.45, we released blocking statistics and blocking flow view. This quick article will explain some of the common questions. 

• Please do not worry about block flows, unless you are experiencing problems.

• DNS entries not found will show up as blocked.

FAQs: 

• What does the statics mean?
• What are the blocked flows?
  • DNS Filtering
  • IP Filtering
    
    
• Should I be worried if I see a lot of blocked flows?
• Why my companies domains show up in the DNS block?
• Should I be worried if I see domains that shouldn't be blocked?
• Why do I see known domains trying to access my network? 
  
  
• How do I know which rule triggered the blocking?
• What does the Flow Count/Blocked Count mean? 

What does the statics mean?

In the example above:

• 827,702 is the number of all flows in the last 24 hours, including the accepted network flows + flows blocked by IP filtering + flows blocked by DNS filtering. 
• 191,808 is the number of all blocked network flows in the last 24 hours, including flows blocked by IP filtering + flow blocked by DNS filtering. 
• 23.2% is the percentage of blocked flows( i.e. 191,808 divided by 827,702). 

What are the flows blocked by DNS Filtering?

• Most blocks are done by the adblocker or rules you have set up. (To identify the blocking rule, Please see Step 3 Check blocking rules )
• Unknown or bad domain lookups will also show up here as blocked.  
• Example above:
  • unknown.domain.lan: is just a test domain that doesn't exist ... this will show up as blocked
  • logfiles.zoom.us, bam.nr-data.net: this likely blocked by adblocker/tracker block
  • bam.nr-data.net.lan: this is an invalid domain. 

What are the flows blocked by IP Filtering?

• Blocks are often done in the data path. Most of the time, using an IP address.  
• You will see a lot of these on your WAN interface (Gold)
• The block can be from any of your rules when you specify default block mode, as well as from active block.
• Examples above:
  • 192.241.203.x: likely just an IP trying to scan your network
  • github.com: see "Why do I see known domains trying to access my network? "
    
    
• Not all IP flow blocks will show a domain with them.  

Should I be worried if I see a lot of blocked flows?

• Most of the time you shouldn't worry, when you are on the internet, people may knock on your door... 
• Blocks can be anything and depend on your device, your network, the software you use, your service provider
• As long as your app or network is running, you should be okay.
• Make sure you have the Firewalla's ingress firewall on. (if you have the blue/red/... make sure your router's firewall is on)

Why my companies domains show up in the DNS block?

Most of the time is because these domains are not valid when outside of the company; your laptop's software still queries them ... when they are not found at home, they will show up as "blocked"

Should I be worried if I see domains that shouldn't be blocked?

The block stats only is useful if you are encountering problems. The DNS blocks can not tell domains that are blocked and domains that are not valid. So it is very likely, the domain may be invalid. And the software does that ... they may query for invalid domains. Please do not ask us why, because we don't know.

Each piece of software is different, we can not tell you why it queries for domains that don't exist or end with ".lan". (the same reason as we can't tell you why a device talk to a certain site)

Why do I see known domains trying to access my network? 

This is likely the result of packets arrive after the session (started by you, such as visiting GitHub) was terminated and the last packet arrives. To see this, just tap on the flow, and you will see the source is github.com and the port is 443, this is the port usually used as the destination.

How do I know which rule triggered the blocking?

Currently, if you'd like to know which rule is used to trigger a certain block, you can use a rule diagnostic tool:

• Main page -> Rules  -> the top right corner "…" -> Diagnostics. 
• Type in the site being blocked and the device
• Diagnose

We will provide a better tool to automate this in 1.46.

What does the Flow Count/Blocked Count mean? 

Flow Count: Firewalla may record a connection as multiple flows if the connection is relatively long. So if there is a long live connection, it will be shown as a relatively higher flow count, the longer the connection the higher the flow count. 

Blocked Count: The Box will aggregate multiple flows into one record if they are generated in a short period of time and triggered by the same source and destination.