To support Firewalla's key features like cyber security protection and parental control, the little Firewalla box analyzes network traffics and raises alarms to notify the user of related activities, such as:
- Connecting a new device
- Possible cyberattack
- Abnormal upload
- Playing a game
- Watching video
- Accessing adult content websites
- Connecting to Firewalla VPN Server
- Malware Download
- Open Port
- Internet Connectivity Update
- SSH / HTTPS hacking attempts
- and more
Notes:
- Unless specified, activities are default allowed until blocked.
- All alarms will be automatically deleted in 30 days, including archived alarms.
- Not all blocks will result in alarms. We only show ones that may be of value to you.
Here are some tutorials on how to handle Alarms:
Alarm Handling
On the Firewalla box's main page, tap the Alarm icon, and you'll find a list of alarms generated in the last 30 days.
Alarm Filter
If you have a lot of alarms but are only interested in a few alarm types, you can configure your Alarm Filter to make a list showing certain types of alarms. The filter will be kept on your app, so if you configured the alarm filter and then quit that app, the filter items will remain selected when launching the app next time.
The rest of the alarms will be generated normally, so if the alarm filter is reset to "All Alarms", you'll be able to see all of the alarms.
Alarm Detail
Tap an alarm once, it will bring up an alarm detail page with information related to the alarm, such as device IP and name, site registration, location of the server, previous 6-hour data transfer between your device and that site, and even Firewalla intelligence service suggestion regarding this transfer.
You can take different actions including Mute, Block, or Archive to fine-tune the alarm system, based on which kind of activities you'd to receive alarms on.
Determining whether an alarm is "good" vs "bad" is both a science and an art.
Example: How to handle abnormal upload alarms (Example: Ring)
Mute
The Mute action means you don't want to receive alarms about similar activities in the future.
For all Gaming Activity and Video Activity alarms, you can quickly choose to mute the alarms on all devices for 1 hour or until the end of the day. This helps you to temporarily turn off the activity alarms without muting the alarm completely in case you forget to turn it back on.
If you want to always mute the alarms matching specific domains/types on certain devices, just tap on "Always Mute" to configure it further.
For other types of alarms, under the alarm that you want to Mute, tap on the "Mute" button, it will pop up a dialog and let you decide which target to match:
- The IP Address
- The domain and subdomains
- The alarm type
And you can choose to apply the policy to:
- The device
- The group or the network the device belongs to
- All devices
When you mute something:
- The system will create a "Mute" setting under the corresponding category alarm's specific setting section. If similar behavior happens again in the future, you will not receive any alarm.
- The current alarm and all alarms matching the Mute setting you created will be archived.
- To undo the mute action, you can delete the corresponding setting in Mute, or find the archived alarm and tap "undo mute".
For example, if you choose to "Mute domain googlevideo.com, apply to device Macbook Air", Firewalla will generate a specific mute rule in Alarm Settings -> Video Activity, which results in no alarm will be generated and sent when Macbook Air access *.googlevideo.com.
Block
The Block action means, based on the alarm details, you decide it is NOT safe to access the site, you want to block it for future access. Tap on the "Block" button, it will pop up a dialog and let you decide which target to match:
- The IP Address
- The domain and subdomains
- All sites in the corresponding category
And you can choose to apply the rule to:
- The device
- The group or the network the device belongs to
- All devices
The difference between blocking a domain, a site, or an IP address boils down to the number of IP addresses being blocked (Domain > Site > IP address).
When you block something:
- The current alarm and all similar alarms you see in the alarm list will be archived.
- The system will create a Block rule on the box. All similar activities will be blocked automatically by Firewalla in the future.
- The generated rule can be seen in the Rules. To view, edit or delete the generated blocking rules, learn more about Rules.
Archive
Archive means to remove the alarm from the alarm list, and put it into the Archived Alarm list.
- As mentioned above, the action of either Mute or Block will archive all matched existing alarms.
- If you choose to archive one alarm, when similar behavior happens again in the future, you will still receive alarms.
- If you want to review these alarms, they can be found at the top right corner of the alarm page.
Delete / Archive All
If you'd like to remove an alarm from the alarm list, tap on "…" on the top right corner of the alarm, and you'll find the action of "Delete alarm permanently".
Tap Archive / Delete all alarms, and you can clear all the alarms in the list at once.
Please note that even if you don't do anything, all alarms will be deleted automatically in 30 days.
If you find any issue with certain alarms, like being too frequent or not easy to understand, you can now provide feedback on that alarm and share your insight with us.
Alarm Settings
Tap the Alarm Settings icon on the top right corner of the Alarms screen.
Alarm Sensitivity Tuning:
Firewalla's intelligent core constantly analyzes your behavior and sends you alarms when it detects activity that’s out of the ordinary. These algorithms offer you an extra level of protection that you can control.
In Alarm settings, we've provided you with an option to tune the Alarm Sensitivity so that the behavioral alarms will be generated less or more frequently. You'll be able to set the default alarm sensitivity setting for all behavioral alarms. Two options are provided:
- Moderate: Moderate sensitivity is the current sensitivity set by Firewalla;
- Low: When choosing Low sensitivity, alarms will be generated less frequently.
As of 1.51, only abnormal upload, video activity, and gaming activity can be tuned, and each type can be set separately.
Settings for different types of alarms:
When you tap on an alarm type under Alarm Settings, there are 2 sections in alarm settings, General Setting and Specific Setting.
- General Setting is applied to all devices.
- Send Both Alarm & Notification: Both alarm and App Notification will be generated.
- Send Alarm Only: Only an alarm will be generated, but you will not receive App Notification.
- Mute All: Neither alarm nor App notification will be generated.
- Specific Setting is where you define the exception, to mute Alarms on a specific device and/or on a specific domain. All the settings created by the Mute action can be found here.
Example:
If you want to mute Abnormal Upload Alarms when your iMac is accessing subnet 12.233.11.0/24.
Solution:
- On Firewalla App or Web Interface, tap on the Alarm Setting icon in the top right corner of the Alarms page, and you'll find a list of alarm types. Tap on Abnormal Upload.
- Tap on "Mute". (If the general setting is set to Mute All, it means no alarm will be generated, so there will not be a choice to mute a specific device/destination.)
- Tap on Add Destination. Enter"12.233.11.0/24". (Destination can also be a certain IP Address / Domain.)
- Tap Next, and apply to Annie's iMac. (If you don't want to specify a device, tap on "All Devices.")
You can also tap Add Device If you'd like to mute all abnormal upload alarms on a certain device, a device group, or a network.
Currently, settings cannot be modified. If you want to modify it, delete it first and then recreate it.
Comments
15 comments
When you click on Mute in the alarm list, why does it sometimes give the option to mute for the device only, and other times give the option to mute for all devices?
Great question. I'd like to know too.
For activity or informational alarms, such as video/gaming activity, device online/offline, Firewalla provides the options to mute/block for the specific device. For security alarms, including abnormal upload alarms, the options are set to mute/block for all devices.
The reason for this limitation is that the configurations related to security alarms are considered to be more restricted than other alarms, and we couldn't provide all the combinations of IP/domains + device/all devices on the pop-up dialogue. It's a trade-off.
A more flexible version of the alarm handling design is on the way. Please be patient.
If I am not mistaken, Alarms allow '*.domain.com" syntax but rules do not.
It would be nice if the syntax were the same (and more clear in the UI).
From a user perspective, if I can be alerted to something at anything at a domain I should be able to make that into a rule.
@Michael
Sorry for the confusion, this is a display bug on Android App. Will fix it.
In fact, Mute and Block function both support "*.domain.com". If you type in "domain.com", it will be translated into "*.domain.com" and saved to the box.
Thanks @Melvin! iOS issue too.
If I get a "Security Activity" alarm that auto blocks an IP from accessing a local device because it is marked as suspicious. What happens when I "Mute Similar Activity" for "all devices"? Will the suspect IP continue to be blocked or will I just not receive a notification?
"Mute" is like ignore ...
If the action was blocked, you should not get a mute action. (only archive will show). And you can unblock if you tap on the alarm.
That does not appear to be happening.
@melvin do you get an “unblock” option on notifications if security activity? And does that apply to the one device or all?
@rob, this is likely a bug in the web interface, will ask developers to clean this up.
@Michael, Auto blocks apply to all devices. We don't provide an unblock option on the alarms because it is relatively risky to do it. But you can go to rules -> all devices -> active protect rules, and delete the blocking rule created.
Hi, for about 2 weeks I couldn't control the Firewalla app and I found all these alarms, now it shows about 365, but at least a hundred I solved them manually, so they were at least 460.
Since they are almost all "Malware Activity" security alerts and since I certainly cannot control the individual sites that are indicated to me by the Firewalla as dangerous, could it not be automatically established that the Firewalla automatically blocks all sites marked as dangerous?
Why will I block them all manually, but if I have to do it for 460 alarms I'll never finish, so you can't create an automation whereby these sites are automatically blocked?
Obviously, the solution cannot and I do not want it to be to silence the alerts, but I want to make them act automatically, without the need to intervene manually.
Is there an auto-delete/archive setting in place? Or do alerts keep building over time with no limit?
@Raul, it will be auto-deleted in 30 days.
Please sign in to leave a comment.