Firewalla Blocked Flows

This article will explain some of the most common questions we get regarding blocking statistics and blocked flows. If you're not experiencing problems or interruptions to your network experience, please don't worry about your blocked flows.

A flow is defined as [source IP, source port, DST IP, DST port]. 

• FAQs

How do I see my blocked flows?

You can see a list of your blocked flows by tapping Blocked on your box's main page, or by tapping Flows in the last 24 hrs on your box's main page -> View Blocked.

If you tap on Top Blocked, you'll see a list of your Top Blocked Flows by Region and Destination.

• Top regions + inbound: If someone from the outside is trying to connect to your network, most attempts will be blocked by Firewalla's Ingress Firewall. These flows are aggregated by region so you can better understand which regions you should watch out for. 
• Top destinations + outbound: These are the destinations your devices trying to connect to; most of them might be blocked by the Ad Block feature or the blocking rules you've created.

For step-by-step instructions on how to view this feature, watch our video tutorial.

Additionally, you can easily hide unwanted flows from view with the Exclude feature.

• Inbound Flows: Flows that are coming from outside. These are typically blocked. 
• System Noise: Excluding system noise will filter out background traffic on your OS system and commonly seen apps (including ads, tracking, telemetry, software updates, analytics, NTP, and public cloud services). It helps you focus on important activities within your network.

Additionally, you can add specified devices or targets to exclude. For example, if you don't want to see the blocked flows from a certain quarantined device, you can exclude it from appearing in Blocked Flows. See our tutorial video for step-by-step instructions.

You can also sort your flow history by a set of common categories: Gaming, Social, Video, Porn, and VPN. Simply tap one of these filters to apply it to your list of blocked flows.

FAQs

• What do the Block Statistics mean?
• What are blocked flows?
  • DNS Filtering
  • IP Filtering
• Should I be worried if I see a lot of blocked flows?
• Should I be worried if I don't see any blocked flows?
• Why do I see known domains trying to access my network? 
• How do I know which rule triggered a block? (Blocked flow diagnostics)
• What do I do if I don't want this site to be blocked?
• What does Flow Count/Blocked Count mean? 
• Why are there so many DNS blocks?
• What do I do if I see high block rates?
• How do I see which flows are blocked from a specific rule?

What do the Block Statistics mean?

In the example above:

• 827,702 is the number of all flows in the last 24 hours, including:
  • accepted network flows, 
  • flows blocked by IP filtering, 
  • flows blocked by DNS filtering
• 191,808 is the number of all blocked network flows in the last 24 hours, including:
  • flows blocked by IP filtering, 
  • flows blocked by DNS filtering
• 23.2% is the percentage of all flows that have been blocked (i.e., blocked flows divided by total flows)

What are blocked flows?

Blocked flows are flows intercepted by Firewalla. There are two types of blocked flows: those blocked by DNS Filtering and those blocked by IP Filtering.

What are the flows blocked by DNS Filtering?

Most blocks are caused by Ad Block or your other rules. To identify the rule that's blocking a flow, go to Step 3: Check blocking rules.

In the example above, myfirewalla.com is likely blocked by Active Protect.

What are the flows blocked by IP Filtering?

Some blocks are done in the data path, usually using an IP address. You will see many of these on your WAN interface (if you have a Gold or Purple unit). These blocks can be from any of your rules when you specify default block mode. Not all IP flow blocks will show a domain.

In the example above, 176.111.174.81 is likely just an IP trying to scan your network.

Should I be worried if I see a lot of blocked flows?

Most of the time, you shouldn't worry. When you are on the Internet, people may knock on your door– that doesn't mean they are allowed in. This is perfectly normal.

Blocked flows can mean anything and depend on your devices, networks, the software you run, and your service provider, among other things. As long as your websites, apps, and network are running normally, you should be okay.

If Firewalla is in Router mode, make sure you have Firewalla's Ingress Firewall on. Go to Rules > All Devices > Ingress Firewall. If you have a Blue, Red,  or Blue Plus, make sure your router's firewall is on.

Should I be worried if I don't see any blocked flows?

If you don't see any blocked flows, you are likely under another firewall or NAT (or CGNAT) device that is blocking external probes. 

To check that Firewalla is still blocking flows, make sure you have the Ingress Firewall enabled. You can also try turning on Ad Block. This should generate blocks.

Why do I see known domains trying to access my network? 

This is most likely the result of packets arriving after a session initiated by you was terminated. To learn more, tap on the flow. In the example below, the source of the flow was github.com and the port was 443. This is the port usually used as the destination.

How do I know which rule triggered a block?

When you tap on a blocked flow, you'll find the feature that caused the block at the bottom of the flow detail page (if the flow was blocked by Ad Block or Active Protect). In addition, a line of text will be shown on top of the action. Tap on the text to configure the feature directly.

Otherwise, you'll find a "Diagnose" button at the bottom of the page. Tap the button to identify the rule that blocked the site.

What do I do if I don't want this site to be blocked? 

If you find that you don't have access to a certain site, app, or piece of web content (e.g. an ad), it may be because Firewalla's blocking it. When this happens, look in the Blocked Flows list for a domain similar to or matching the content you're trying to see.

Once you find the flow you want to allow through, you can tap the "Allow" button at the bottom of its detail page to create an allow rule based on the destination/source and the scope (device/group/network/all devices) of the flow. Instead of turning off a feature (e.g., Ad Block) completely or deleting blocking rules, you can create exceptions and fine-tune the system easily.

Note that it's normal to have blocked flows– no matter how careful you are, there will always be intruders attempting to get into your network. Only allow blocked flows if you need to.

What does Flow Count/Blocked Count mean? 

Flow Count: Firewalla may record a connection as multiple flows if the connection is longer. So a connection has been live for a long time, it will have a relatively high flow count. The longer the connection, the higher the flow count.

Blocked Count: Firewalla will aggregate multiple flows into one record if they are generated in a short period of time and triggered by the same source and destination.

Why are there so many DNS blocks?

Firstly, the number of DNS requests does NOT mean the device is trying to contact the site. DNS requests simply indicate that the device is trying to find the IP address of the domain.

Normally, a device queries for the IP address of [domain].com. If that is successful, the device will cache the result, and all subsequent lookups will not hit the DNS server. 

Now, if the DNS lookup of [domain].com was blocked, then the device may retry the lookup again and again, generating several flows.

To verify that you're not getting an abnormal number of DNS blocks:

1. Disable Ad Block and Family. 
2. Do an nslookup of the domain in question.
3. Add a rule to block the IP address returned by nslookup. Set the rule to default mode.
4. Watch and see if you get blocks for that site (you should see an IP address next to it).

What do I do if I see high block rates?

1. See if the blocked traffic is inbound or outbound. Keep in mind that you usually can't do anything about inbound connection attempts and your default inbound Internet traffic rule will keep these out anyway.
2. Go through each of your networks, groups, and devices to find those with block rates that are higher than expected. If the high block rate is coming from one device, group, or network, you can quickly narrow the scope of the problem.
3. Based on Step 2, evaluate what "abnormal" means. A high block rate could be normal for a device. There is some art to this.
4. Once you find something that is unusual, identify the cause of the blocks and refine the rules that might be causing false positives or negatives. See Manage Rules for more details on rules and rule hierarchy.
5. If you make changes to rules, keep in mind that the statistics are based on a 24-hour-long period, so changes will take some time to show in your stats. 

How do I see which flows are blocked from a specific rule?

If you'd like to see which flows are blocked by a specific rule, the best way in the app is to tap the "Diagnose" button at the bottom of a blocked flow's detail page.

With Firewalla MSP, you can easily filter flows by a specific rule or feature using Flows or Reports.

1. On the left navigation panel, go to Flows. 
2. In Filters, select "BlockedBy:".
3. Choose or type a specific feature or rule to filter flows by.

You can also click Save Report to save the current filters and easily reapply them anytime. Then, use the Reports feature in the left navigation panel and click on the saved report to view it. Reports can be exported as a CSV file. Learn more about reports here.