To help you protect and gain visibility into your network, your Firewalla records network flows (the same concept as NetFlow). These flows give you a comprehensive history of all inbound and outbound traffic on your network.
- Network flows help you monitor exactly what your devices are doing.
- You can block or allow network flows directly.
- You can easily leverage Flows to track down and take action on any type of network activity.
This article is about Network Flows in general. To learn more specifically about blocked flows, please refer to Firewalla Blocked Flows.
Interpreting Flows
Tap on the Flows count on your box's main screen to see a history of all flows through your network. To see details about a specific flow, tap on it.
To view flows from a specific device, tap into your device's detail page from the Devices list. Then, tap Network Flows.
Each flow includes:
- Name – name of the device or domain name.
- Source IP – the IP address of whatever generated the flow.
- Source Port – the TCP or UDP port number used to send data.
- Destination IP – the IP address of whatever received the flow.
- Destination Port – the TCP or UDP port number used to receive data.
- Timestamp – when the flow ended.
- Direction:
  - Inbound: network traffic initiated from outside your network to inside (you shouldn't see too much of this type of traffic)
  - Outbound: network traffic initiated from your home network to the Internet
- Outbound Interface: the WAN or VPN interface the traffic went through (blocked flows will not have an outbound interface)
- Flow Count – the number of matching flows recorded at that time. Sometimes, traffic will generate multiple flows from the same source to the same destination continuously. Firewalla will aggregate them and give you a total count.
- Duration – how long the flow lasted.
- Downloaded – the amount of data downloaded to your network.
- Uploaded – the amount of data uploaded from your network.
For blocked flows, you can also find:
- Block Type – how the flow was blocked (IP Filtering or DNS Filtering).
- Blocked By – if the flow was blocked by Ad Block or Active Protect, the feature name will be shown here.
By tapping on the right side of each flow, you can see if a flow was Inbound or Outbound and what destination port was being accessed. If you tap View Blocked, you can focus on just the blocked flows. From the right side, you can also see the Block Count (how many times a particular domain or IP was blocked) and the Block Type (IP or DNS Filtering) in addition to the direction and destination port. Read more in our article on Firewalla Blocked Flows.
Depending on the flow, Firewalla will also display other relevant information about the flow, such as device name, MAC address, vendor, destination name, domain, and region. Using all this information, you can figure out what flows match certain activities on your devices. For example:
- Identify flows by device. For example, if you're trying to monitor the activity of a specific device, you can tap Devices > your device > Network Flows to narrow down the data to just the flows going to and from that device.
- Identify flows by IP/domain name. For example, if you're trying to block a device from using Spotify, those flows will likely include the word "spotify" in their destination name.
- Identify flows by timestamp. If you know exactly when an activity occurred, you can find all the flows with a matching timestamp and examine each to see which ones match the activity.
Blocking Traffic Using Flows
If you're trying to block your device or networks from using a certain app or website, you can use Firewalla's Flows to identify the relevant traffic and block it from there. For example, here's how you can use flows to block Reddit:
- First, open Reddit and use it for a few minutes to generate some flows. In this example, we're using the device "Work laptop".
- From the Firewalla app, identify some flows generated by the site. In this example, the flows to gql-realtime.reddit.com appear to be to Reddit (based on the domain) and are coming from the device we're using, "Work laptop".
- Tap one of the flows, then tap Block at the bottom of the flow detail page.
- Tune the rule target and scope. Firewalla will automatically pick the exact subdomain and the device that triggered the flow, but you can tap on the target or the device to change it. For this example, we'll change the target to the root domain reddit.com to block the whole website.
- Tap Block to confirm. A blocking rule for that domain will be created in the rules list.
- Check to see if the rule works by attempting to access Reddit again. You may need to wait a few minutes or manually clear your DNS cache for the rule to take effect.
- If the device can still access the domain after the rule is created, try to switch the Block Mode from Domain-Only to Default on the rule's detail page. This will ensure that it blocks all the IP addresses associated with this domain. Learn more about Block Mode.
Once you confirm the block, you should see it appear in your Rules list. At this point, the app should be blocked. If you want to use the app again, simply pause or delete the rule. The methodology here applies to other applications as well.
Allowing Traffic Using Blocked Flows
Similarly, if you're finding that your devices can't open an app or website they need to access, you can use Firewalla's Blocked Flows to find the blocked destinations and allow them. For example, here's how you can use flows to allow a device with restricted Internet access to use Google Classroom:
- Using our device "Work laptop", attempt to open a Google Classroom site to generate some blocked flows.
- On the Firewalla app, identify the blocked flows to Google Classroom. In this case, edu.google.com is a Google Classroom domain.
- Tap one of the flows to find out why the site was blocked. If the flow was blocked by Ad Block or Active Protect, you'll see "Blocked by Ad Block/Active Protect" at the bottom of the page. Tap on this to go directly to the feature page. If the flow was blocked by something else, you can tap Diagnose to find out what rule or policy was the cause.
- If your flow was blocked by Ad Block or Active Protect, you can try changing each feature to Default mode. This will trigger fewer blocks than Strict mode.
- If the flow was blocked by one of your other rules, you can remove or pause the rule to allow access. You can also try changing the rule from Default to Domain-Only so that it only blocks the targeted domain instead of all the IP addresses associated with the domain.
- If you don't want to change your features or rules, you can create an Allow rule by tapping the Allow button at the bottom of the flow detail page.
- Tune the rule target and scope (in this case, allowing google.com would also allow other ad services that have google.com in their domain, so we're only allowing specific subdomains). Try to keep the target as small as possible to avoid giving exceptions to unwanted IP addresses.
- Tap Allow at the bottom of the flow detail page to confirm. An allow rule for that domain is created in the rules list.
- Check to see if the rule works by attempting to access Google Classroom again. You may need to wait a few minutes for the rule to take effect.
- If you still can't access the site, repeat the steps above with other flows to Google Classroom until you have full access. In this example, we created a few other allow rules for other related domains.
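The target-scoping advice in the Reddit and Google Classroom walkthroughs above can be checked against recorded flows before a rule is created. The following is an added example, not Firewalla code: it assumes a domain target covers the domain and all of its subdomains, and the flow records, the device "Tablet", and every destination other than edu.google.com and gql-realtime.reddit.com are constructed.

```python
# Added example: preview which recorded flows a domain rule target would cover.
# Assumption: a domain target covers the domain itself and all of its subdomains.
# FLOWS is constructed sample data; keys mirror fields from the article's flow list.
FLOWS = [
    {"device": "Work laptop", "destination": "edu.google.com"},
    {"device": "Work laptop", "destination": "classroom.google.com"},
    {"device": "Work laptop", "destination": "ads.google.com"},
    {"device": "Work laptop", "destination": "gql-realtime.reddit.com"},
    {"device": "Work laptop", "destination": "www.reddit.com"},
    {"device": "Tablet", "destination": "notreddit.com"},
]


def normalize(name):
    """Lower-case a domain and drop any trailing dot so comparisons are stable."""
    return name.strip().rstrip(".").lower()


def target_covers(target, destination):
    """True if destination is the target or a subdomain of it.

    Matching is on a label boundary, so 'reddit.com' does not cover 'notreddit.com'.
    """
    t, d = normalize(target), normalize(destination)
    return d == t or d.endswith("." + t)


def preview_rule(target, flows, device=None):
    """Sorted unique destinations the rule would cover, optionally for one device."""
    return sorted({
        normalize(f["destination"]) for f in flows
        if (device is None or f["device"] == device)
        and target_covers(target, f["destination"])
    })


def unintended(target, wanted, flows, device=None):
    """Destinations covered by the target that are not in the intended set."""
    wanted = {normalize(w) for w in wanted}
    return [d for d in preview_rule(target, flows, device) if d not in wanted]


if __name__ == "__main__":
    print("block reddit.com ->", preview_rule("reddit.com", FLOWS))
    print("allow google.com extras ->",
          unintended("google.com", ["edu.google.com", "classroom.google.com"],
                     FLOWS, device="Work laptop"))
```

An empty result from `unintended` means the candidate allow target covers only the destinations you meant to permit.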
What if something goes wrong after setting a block rule?
If you find that you unexpectedly can't access some sites after you set a block rule, Firewalla can help. One strategy is to use our diagnostics tool – tap the (...) button on the Rules page to launch Diagnostics. In the example below, we can see that a TikTok-blocking rule also blocks slickdeals.net. To allow access to a domain that is accidentally blocked, create an allow rule for it. For more details, see our article on what to do when you can't access certain websites.