To support key Firewalla features like cybersecurity protection and parental control, the Firewalla box analyzes network traffic and raises alarms to notify the user of related activities, such as:
- Connecting a new device
- Possible cyberattack
- Abnormal upload
- Playing a game
- Watching video
- Accessing adult content websites
- Connecting to VPN Server
- Malware Download
- Open Port
- Internet Connectivity Update
- SSH / HTTPS hacking attempts
- and more
Notes:
- Unless specified, activities are default allowed until blocked.
- Whether archived or not, all alarms will be automatically deleted in 30 days.
- Not all blocks will result in alarms. We only show the ones that may be of value to you.
If you tap on the Alarms button on the Box main screen, you'll see a list of alarms notifying you about various network activities. Here are some tutorials on how to handle alarms.
Alarm Settings
Tap on the Tuning icon on the top right corner of the Alarms screen to enter Alarms Settings.
Alarm Settings is where you configure two things:
- whether you want the box to generate a certain type of alarm or not
- whether you want to receive App notification or not
You can create or delete alarm settings directly under Alarm Settings -> each Alarm Type, or when tapping the Mute button on the alarm page.
There are 2 sections in alarm settings, General Setting and Specific Setting:
General Setting is applied to all devices.
- Send Both Alarm & Notification: Both alarm and App Notification will be generated.
- Send Alarm Only: Only an alarm will be generated, but you will not receive App Notification.
- Mute All: Neither alarm nor App notification will be generated.
Specific Setting is where you define the exception, to mute Alarms on a specific device and/or on a specific domain.
Example: Mute Alarms on a device when accessing a certain subnet
You can mute the following subnets to reduce Abnormal Upload Alarms on a Ring device. (Contributed by the Firewalla community.)
- 52.16.0.0/16
- 13.52.0.0/16
- 13.57.0.0/16
- 34.221.0.0/16
- 34.223.0.0/16
Let's take 52.16.0.0/16 as an example here:
Step 1: Tap on Alarm Settings on the upper right corner of the Alarms page, Tap Abnormal Upload.
Step 2: Tap Mute. (If the general setting is set to Mute All, there will not be a choice to mute a specific device/destination.)
Step 3: Tap Add Destination -> Enter 52.16.0.0/16. (Destination can also be a certain IP Address / Domain.)
Step 4: Tap Next -> Apply to Ring. (If you don't want to specify a device, tap on "All Devices.")
This will create a rule under Mute -> Mute Destination. Currently, these settings cannot be modified. To change one, delete it first and then recreate it.
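A model of the matching described above, as an added example that is not Firewalla's own code: it decides whether an activity would be suppressed by the General Setting or by a Specific Setting exception, and counts how many addresses the subnet mutes cover. The class and function names, and the assumption that a domain rule also matches the bare domain, are illustrative.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class MuteRule:                      # hypothetical model of one Specific Setting entry
    alarm_type: str
    destination: str                 # subnet (CIDR), single IP address, or domain
    device: Optional[str] = None     # None models "All Devices"

def as_network(text):
    """Parse a subnet or IP address; return None when the text is a domain."""
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None

def destination_matches(rule_dest, dest):
    net = as_network(rule_dest)
    if net is not None:
        try:
            return ipaddress.ip_address(dest) in net
        except ValueError:
            return False             # a subnet rule never matches a domain name
    base = rule_dest.lower().rstrip(".")
    if base.startswith("*."):
        base = base[2:]
    host = dest.lower().rstrip(".")
    # Assumption: a domain rule covers the domain itself and all subdomains.
    return host == base or host.endswith("." + base)

def is_muted(rules, general, alarm_type, device, dest):
    """True when no alarm would be generated for this activity."""
    if general.get(alarm_type) == "Mute All":
        return True
    return any(r.alarm_type == alarm_type and r.device in (None, device)
               and destination_matches(r.destination, dest) for r in rules)

def muted_address_count(rules):
    """Number of IP addresses covered by subnet/IP mute rules."""
    nets = (as_network(r.destination) for r in rules)
    return sum(n.num_addresses for n in nets if n is not None)

# Constructed sample: the five subnets listed above, applied to "Ring", plus the
# googlevideo.com mute described in the Alarm Handling - Mute section.
RULES = [MuteRule("Abnormal Upload", s, "Ring") for s in
         ("52.16.0.0/16", "13.52.0.0/16", "13.57.0.0/16", "34.221.0.0/16", "34.223.0.0/16")]
RULES.append(MuteRule("Video Activity", "googlevideo.com", "Macbook Air"))
GENERAL = {"Abnormal Upload": "Send Both Alarm & Notification"}
```

Each /16 covers 65,536 addresses, so the mute applies to every destination in that range for the chosen device, not only to the servers that prompted it.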
Alarm Handling - Mute
The "Mute" button on the alarms UI means that you understand the activity and are OK to archive it.
Under the alarm that you want to Mute, tap on the "Mute" button. Determine whether to Archive this Alarm, Mute alarms on this domain, or mute alarms on a certain kind of activity, then tap on the choice.
- Archive - this option will archive this alarm. If similar behavior happens again in the future, you will still receive alarms.
- Mute domain / Mute xxx activity - these options will archive not only this alarm but also all similar alarms you see in the alarm list. In addition, these options will create a new rule in alarm settings under the "specific setting" section of the corresponding alarm category. If similar behavior happens again in the future, you will not receive any alarm.
For example, if you choose to "Mute domain googlevideo.com, apply to device Macbook Air", Firewalla will generate a specific mute rule in Alarm Settings -> Video Activity. As a result, no alarm will be generated or sent when Macbook Air accesses *.googlevideo.com.
Undo Mute
To undo the mute action, you can
- Delete the corresponding setting in Mute,
- or find the archived alarm and tap "undo mute".
Alarm Handling - Block
The "Block" button on the alarms UI means that, based on the alarm details, you have determined the site is unsafe to access and want to block future access to it.
Under the alarm that you want to Block, tap the "Block" button. Determine whether to block this device / all devices from accessing an IP address, a specific domain, or a certain type of activity, then tap on the choice.
- All blocking options will archive the current alarm and also all similar alarms you see in the alarm list.
- All blocking options will create a blocking rule on the box. A similar activity that happens again in the future will be blocked automatically by Firewalla. The generated rule can be seen in the "Rules" UI.
- The difference between block domain/block site/block IP address boils down to the number of IP addresses to be blocked (Domain > Site > IP address).
To view, edit or delete the generated blocking rules, check out this article: learn more about Rules.
Alarm Handling - Detail
If you need more help with an alarm, tap it once to bring up the alarm detail page. More information related to the alarm can be seen here, such as site registration, location of the server, the previous 6 hours of data transfer between your device and that site, and even the Firewalla intelligence service's suggestion regarding this transfer.
Determining whether an alarm is "good" or "bad" is both a science and an art.
Tutorial: How to handle abnormal upload alarms
Alarm Handling - Delete/Archive
If you'd like to remove an alarm from the alarm list, tap on "…" on the top right corner of the alarm. You'll find the actions "Delete alarm permanently" and "Archive".
- Archive - to remove the alarm from the alarm list, and put it into the Archived Alarm list.
- Delete - to remove the alarm from the Box completely.
Tap on "More actions" to delete or archive all alarms in the alarm list.
By the way, even if you don't do anything, all alarms will be deleted automatically in 30 days.
Archived Alarms
As mentioned above, the action of either Mute or Block will archive all matched existing alarms. If you want to review these alarms, they can be found at the top right corner of the alarm page.
Comments
When you click on Mute in the alarm list, why does it sometimes give the option to mute for the device only, and other times give the option to mute for all devices?
Great question. I'd like to know too.
For activity or informational alarms, such as video/gaming activity, device online/offline, Firewalla provides the options to mute/block for the specific device. For security alarms, including abnormal upload alarms, the options are set to mute/block for all devices.
The reason for this limitation is that the configurations related to security alarms are considered to be more restricted than other alarms, and we couldn't provide all the combinations of IP/domains + device/all devices on the pop-up dialogue. It's a trade-off.
A more flexible version of the alarm handling design is on the way. Please be patient.
If I am not mistaken, Alarms allow "*.domain.com" syntax but rules do not.
It would be nice if the syntax were the same (and more clear in the UI).
From a user perspective, if I can be alerted to something at anything at a domain I should be able to make that into a rule.
@Michael
Sorry for the confusion, this is a display bug on Android App. Will fix it.
In fact, Mute and Block function both support "*.domain.com". If you type in "domain.com", it will be translated into "*.domain.com" and saved to the box.
Thanks @Melvin! iOS issue too.
If I get a "Security Activity" alarm that auto blocks an IP from accessing a local device because it is marked as suspicious, what happens when I "Mute Similar Activity" for "all devices"? Will the suspect IP continue to be blocked or will I just not receive a notification?
"Mute" is like ignore ...
If the action was blocked, you should not get a mute action. (only archive will show). And you can unblock if you tap on the alarm.
That does not appear to be happening.
@melvin do you get an “unblock” option on notifications if security activity? And does that apply to the one device or all?
@rob, this is likely a bug in the web interface, will ask developers to clean this up.
@Michael, Auto blocks apply to all devices. We don't provide an unblock option on the alarms because it is relatively risky to do it. But you can go to rules -> all devices -> active protect rules, and delete the blocking rule created.
Hi, for about 2 weeks I couldn't control the Firewalla app and I found all these alarms, now it shows about 365, but at least a hundred I solved them manually, so they were at least 460.
Since they are almost all "Malware Activity" security alerts and since I certainly cannot control the individual sites that are indicated to me by the Firewalla as dangerous, could it not be automatically established that the Firewalla automatically blocks all sites marked as dangerous?
Why will I block them all manually, but if I have to do it for 460 alarms I'll never finish, so you can't create an automation whereby these sites are automatically blocked?
Obviously, the solution cannot and I do not want it to be to silence the alerts, but I want to make them act automatically, without the need to intervene manually.
Is there an auto-delete/archive setting in place? Or do alerts keep building over time with no limit?
@Raul, it will be auto-deleted in 30 days.