Congratulations on your new Firewalla device! Whether you're completely new to the world of networking or an experienced cybersecurity expert, Firewalla has something to offer you. This guide will go over Firewalla's basic protections, easy first steps to secure your network, and more advanced configurations to take your network to the next level.

1. Initial Installation
   1. Back up your QR code
   2. Lock Access to your Firewalla
   3. Secure Access to the App
2. Firewalla's Default Protections
   1. Active Protect
   2. The Default Ingress Firewall
   3. Alarms
   4. See Your Flows and Open Ports
3. Tune Your Firewalla
   1. Active Protect Strict Mode
   2. Muting Alarms
   3. Dealing with MAC Randomization
   4. Data Usage
4. Starting with Firewalla: Easy First Steps
   
   1. Take an Inventory of your Devices
   2. Auto-Configuration Wizard
   3. Ad Block
   4. Smart Queue
5. Exploring Firewalla's Features: Simple Things To Try
   1. Managing Kids and Employees – Family Protect, Users & Time Limits, Rules
   2. Privacy Protection – DoH and Unbound
   3. A Trusted LAN Everywhere – VPN Server and VPN Client
   4. A Better Network – Internet Speed and Quality, Policy-Based Routes
6. Leveling Up: Advanced Configurations
   1. Multi-WAN
   2. Network Segmentation
   3. Scan
   4. Firewalla MSP and the Firewalla Web Interface
      
7. FAQs

 

To get started with your Firewalla AP7, see here: Getting Started with Firewalla Access Point 7

 

Here are some other resources you might find helpful:

• Our complete User Manual
• Our Troubleshooting Guide
• Our YouTube Channel
• Our Support Site, where you can find more articles and community-based contributions
• Our Weekly Newsletter

 

Firewalla is controlled via our iOS or Android app. Here is a 3-minute overview of what it can do.

 

 

1. Initial Installation

Before you can start optimizing your network, you need to make sure your Firewalla is set up in a fundamentally secure way. 

 

1.1 Back up your QR Code

The QR code at the bottom of your unit is the unique key to your Firewalla software license. If you lose it, we may be unable to help you recover it. Additionally, if someone else gets your QR code and has physical access to your Firewalla, they can pair with your unit. We recommend that you back up your QR code by taking a picture of it.

 

1.2 Lock Access to your Firewalla

If you have smart kids around the house and your Firewalla is not locked down, you should remove the Firewalla QR code sticker (the one used for pairing) and store it securely. This will prevent smart kids from pairing with the unit and causing trouble.

You can check and control who's paired with your Firewalla by going to Box Settings -> Advanced -> Paired Phones. Tap on any of them to unpair. 

 

1.3 Secure Access to the App

If other people can access your phone, you can enable Kid Lock to secure the app with a Touch ID, Face ID, or a PIN.

 

2. Firewalla's Default Protections

As soon as your Firewalla is plugged in and running on your network, it's already started securing your devices. Firewalla comes pre-configured with some powerful features that will show you important information about your network and keep you protected.

 

2.1 Active Protect

Active Protect is Firewalla's built-in Intrusion Detection and Prevention Service (IDS/IPS). It automatically detects suspicious activities, blocks high-risk connections, and alerts you with alarms and notifications when it identifies abnormal activities. You don't need to turn Active Protect on – as soon as your Firewalla is installed, it will start shielding you from cyberattacks.

 

2.2 The Default Ingress Firewall

If you've had a chance to explore the Firewalla app, you might've noticed there's already a rule set up called "Block Traffic from the Internet". This is Firewalla's default ingress firewall, and it blocks all traffic attempting to intrude into your network. It won't interfere with your own network activity. For your safety, do not pause or delete this rule.

 

2.3 Alarms

Your Firewalla box automatically analyzes network traffic and raises Alarms when it detects certain activities, such as:

• Possible cyberattacks
• Abnormal uploads
• Gaming
• Video streaming
• And more!

To see your Alarms, tap the Alarms icon on your box's main page. You'll see a list of your Alarms, sorted chronologically. You can tap on any Alarm to see specific details about it.

 

2.4 See Your Flows and Open Ports

Firewalla will automatically show you important information about your network.

• Network Flows are a history of all inbound and outbound traffic on your network. Firewalla can show you the name, location, and reputation of the servers your devices are connecting to, as well as other helpful information.
• Local Flows display all traffic between devices within your network. If you have multiple local networks and your Firewalla box is in router mode, it can display traffic between different LANs or VLANs. If you have the Firewalla AP7, it can display all traffic between wireless devices
• Additionally, Firewalla can detect any ports on your router that are open to the world. Tap the Open Ports button on the Firewalla app to see all ports that are reachable from the internet.

 

 

3. Tune Your Firewalla

Before you start playing with Firewalla's features, you might find it helpful to make some small adjustments so your box fits your needs.

 

3.1 Active Protect Strict Mode

Firewalla offers two different configurations for Active Protect: Default Mode and Strict Mode. While Strict Mode checks Firewalla's cloud database of security intel more often, this also means it may raise more false positives. However, if you'd like an extra layer of protection, you can turn Strict Mode on by tapping More -> Active Protect -> Mode -> Strict.

 

3.2 Muting Alarms

Depending on the level of activity on your network, you may find that your Firewalla is raising more alarms than would be useful. Fortunately, you can mute whatever alarms you want to.

To mute a specific alarm, just tap the Mute button on the alarm. This will stop Firewalla from showing you new alarms that match the alarm you're muting.

 

To mute an alarm category (e.g. all Video Activity alarms or all New Device alarms), tap Alarms -> Alarm Settings -> select an Alarm Type -> tap Mute All. 

• You might notice that some alarms, such as Abnormal Upload alarms, are slightly delayed from at which the activity they're flagging occurred. This is because our alarm detection algorithms need time to run.

 

3.3 Dealing with MAC Randomization

MAC randomization is a feature that periodically changes a device's MAC address, making it harder to track and identify the device. While it's useful when you're on a network you don't trust, MAC randomization makes it difficult to monitor and control network access effectively. To get the most out of your Firewalla network, make sure MAC randomization is off on all your devices. For detailed instructions, see our article on turning off MAC randomization.

 

3.4 Data Usage

If your ISP has set a data cap for your network, Firewalla can help you keep track of your data usage and prevent unexpected overages. Simply tap on the Data Usage feature and enter your ISP's limit. Firewalla will notify you if you're coming close to your data cap.

 

 

4. Starting with Firewalla: Easy First Steps

Customizing your network can be intimidating, but Firewalla makes it easy. With just a few taps, you can quickly improve the security, performance, and overall experience of using your network.

 

4.1 Take an Inventory of your Devices

Once you have Firewalla set up, you can see a list of all your connected devices by tapping the Devices button on your box's main page. Make sure you know what each device listed is. You can easily rename your device, assign them a different device type, and/or group similar devices together so they're easier to manage.

 

4.2 Auto-Configuration Wizard

The Auto-Configuration Wizard helps you set up key features by asking you a few simple questions about your network. It covers:

• Smart Queue
• Data Usage Caps
• Network Quality Monitoring
• Security Features

To activate the Auto-Configuration Wizard, navigate to Features by tapping on the + icon at the bottom of your main page, then tap on Customize Now.

 

4.3 Ad Block

Ad Block stops ads on web pages and mobile apps. It also helps prevent ad providers (such as Google, Amazon, Facebook, etc) from tracking your web browsing habits. To turn on this feature, tap the Ad Block button on the main page, then toggle it on.

 

4.4 Smart Queue

Smart Queue helps you reduce network lag and prioritize important traffic, such as video calls. To enable it, just tap the Smart Queue button on your box's main page and toggle it on. Smart Queue will automatically start decongesting your network. You can optionally add specific Smart Queue Rules to prioritize traffic.

 

 

5. Exploring Firewalla's Features: Simple Things To Try

Before continuing, to learn more about how to get the most out of your box, check out our 3-part series on securing your network with Firewalla:

1. Visibility
2. Control
3. Protect

Once you feel more comfortable navigating the Firewalla app, you can tailor your network to your home or business.

 

5.1 Managing Kids and Employees – Family Protect, Social Hour, Rules

If you're managing your kids' or employees' network experience, Firewalla can help you make sure they only get access to what you want them to see.

Firewalla's Family features are great for blocking offensive content for kids or for maintaining a professional workplace network.

• Family Protect filters out unwanted content across your network. If you choose Native mode, you can fine-tune what exactly is blocked.
• Safe Search prevents pornographic and offensive content from appearing in search results.
• Social Hour blocks all internet connections on personal, media, and entertainment devices for one hour.

 

Firewalla's Users feature can show you when, what, and for how long people are watching videos or playing games on your network. Additionally, you can set time limits to control how long a User has access to certain apps.

 

If you want to set more specific limits on what your kids or employees can access, you can use Rules. For example, you can set up a rule blocking YouTube after 9 PM on all your kids' devices to enforce bedtime and stop them from sneaking screen time in.

 

5.2 Privacy Protection – DoH and Unbound

If you're interested in stopping hackers and other curious parties from peeking at your online activity, Firewalla offers some easy-to-set-up defenses.

If you're concerned about the privacy of your DNS requests, try turning on DNS over HTTPS (DoH) or Unbound. DoH encrypts your DNS requests, while Unbound is a DNS resolver that can be a more trustworthy alternative to upstream DNS servers. Toggle them on by tapping the Services button on your box's main page.

 

5.3 A Trusted LAN Everywhere – VPN Server and VPN Client

Whether you're on vacation in a different country or just at a cafe down the block, Firewalla's built-in VPN Server and VPN Client can ensure your devices are always using a trustworthy connection no matter where in the world you are.

The Firewalla VPN Server keeps you secure by linking your devices back to your Firewalla from anywhere in the world. Just turn it on and start connecting your devices to it.

 

Additionally, Firewalla's VPN Client makes it easy to get your whole network on one VPN connection. Whether you want to connect to your Firewalla VPN Server or a different 3rd-party VPN service, our VPN Client can help you set up any VPN connection seamlessly.

 

5.4 A Better Network – Internet Speed and Quality, Policy-Based Routes

If you're concerned about the reliability and availability of your network, Firewalla can help you prioritize and streamline your traffic for the best performance possible.

You can get an overview of your Internet speed and quality by tapping the Network Performance widget at the top of your box's main page. Knowing your Internet speed, latency, and packet loss can help you get a baseline for your network and troubleshoot performance issues.

 

Additionally, you can see the real-time quality of your Wi-Fi connection (the speed between your phone and your Firewalla box), by connecting to your box's local network and tapping the Wi-Fi Test button on your box's main page.

With the Firewalla AP7, you can see additional stats, including the access point, channel, and frequency band your phone is connected to.

 

Firewalla Routes let you specify how traffic travels through your network so you can do things like send work-related traffic over your company's VPN only. To set up a Route, tap Routes on your box's main page, then tap Add Route.

 

 

6. Leveling Up: Advanced Configurations

If you're an experienced networker looking to further elevate your performance and security, Firewalla supports some more complex configurations. Note that these features may require additional hardware.

 

6.1 Multi-WAN

While most users will only have one WAN connection, two WAN connections can be useful if:

• Your primary internet is not stable and needs a backup internet connection.
• Your primary internet is slow and needs another line for bandwidth and redundancy.

Firewalla's Multi-WAN feature helps you manage a maximum of two WAN connections in either Failover or Load Balance mode.

• In Failover mode, a standby network takes over when the active connection fails, ensuring the availability of your Internet connection.
• In Load Balance mode, traffic is distributed across multiple networks. This helps improve the responsiveness of your Internet connection and ensures no single network gets overloaded.

With the Firewalla Wi-Fi SD, you can use your phone's Wi-Fi hotspot as a backup network if your main network is down. The Firewalla Wi-Fi SD is compatible with all Gold units and the Purple SE.

 

6.2 Network Segmentation

Every device shares the same network in a typical home or small business. This means that each device can freely see and communicate with one another. However, not all devices are the same– for example, you may want to isolate IoT devices to reduce the risk of security breaches or apply an extra level of protection to guest devices. With Network Segmentation, you can split your devices among different networks to meet your performance and protection needs.

With the Firewalla AP7, you can take network segmentation even further through microsegmentation. VqLAN can be enabled on any Firewalla group or user with just a tap, instantly blocking all traffic outside the group. When VqLAN is active, you can take microsegmentation a step further with Device Isolation, completely isolating each device within the group from communicating with one another, while still allowing internet access.

 

6.3 Scan

Firewalla's Scan feature helps you protect your devices by identifying potential weaknesses, such as open ports or weak passwords. With just a couple of taps, you can easily run External Open Port scans, System Vulnerability Scans, and Device Open Port scans.

 

6.4 Firewalla MSP and the Firewalla Web Interface

If you're a networking or IT pro, we offer Firewalla MSP, a Managed Security Portal designed for security and infosec professionals to easily manage multiple Firewalla boxes remotely. You can learn more about all its capabilities and features in our article about Firewalla MSP.

 

We also have the Firewalla Web interface, a tool that complements (not replaces) the mobile app. It's a simple way to monitor your devices from your desktop.

 

 

7. FAQs

While we have a full list of FAQs, here are some that you might find useful while learning to use your Firewalla.

• How can I locate my home IP address?
  Firewalla includes a free DDNS service, which you can use to locate your home IP address dynamically. Learn more about DDNS.
  
  
• How can I rename my Firewalla Box?
  If you have multiple Firewalla boxes installed, you may find it useful to rename your box to something that can be easily identified. Here's how to rename a Firewalla Box.
  
  
• Can multiple people manage one Firewalla box? Can I manage multiple Firewalla boxes?
  One Firewalla box can be managed by multiple phones and one app can manage many Firewalla boxes. Here is how to add another phone to Firewalla. If you want to pair your phone with another Firewalla, tap the "+" symbol on the Firewalla home page and follow the instructions.
  
  
• How can I access my devices using local domains instead of IP addresses?
  Please read our example of how you can use your local domain names.
  
  
• How do I know that my Firewalla is working?
  Here's a guide on how to validate and test Firewalla features.
  
  
• What can I do if I want to upgrade or replace my Firewalla box?
  You can easily migrate your data and configurations from one Firewalla box to another, provided the box you're migrating to has the capabilities to handle your configurations.
  
  

• I accidentally deleted my Default Ingress Firewall. How do I get it back?
  If you accidentally delete the ingress firewall, you can easily restore it by setting the rule again. Tap into the Rules page from your box's main screen, then tap Add Rule

  • Action: Block
  • Matching: Internet -> Traffic from Internet
  • On: All Devices
  • Schedule: Active Time

  Don't forget to Save your rule to finish setting it.

   

• How do I identify the devices on my network?
  You can use context clues to figure out what the devices that appear in your Devices list app are. Tap on the device to see what Firewalla has detected about its name, device type, and manufacturer. Additionally, you can try restricting network access for that device and seeing which of your devices starts experiencing issues. If you still can't identify the device, it may be best to block it from your network entirely.
  
  

• I have a question/idea/concern that's not in this article. Who can I talk to?
  We encourage you to check out our forums – our awesome community of Firewalla users is great at answering questions and coming up with interesting solutions. If you have a feature request, please leave your idea in a post in our dedicated Feature Requests forum. Our Reddit community and Facebook page can also be helpful resources.