Being unable to access the websites and apps you want can be very frustrating and seem difficult to debug. Fortunately, Firewalla can help! Follow these steps to confirm that Firewalla is responsible for blocking the site, then resolve whatever is causing the block.

• Step 1: Verify Firewalla is blocking the site
  • Step 1.1: Turn on Emergency Access
  • Step 1.2: Turn off monitoring on the device
• Step 2: Check your block rules
  • Step 2.1: Identify the rules that are blocking the site
  • Step 2.2: Identify the blocking rule using blocked flows
  • Step 2.3: What to do after the blocking rule is identified
• Step 3: Check your block features
• Advanced Debugging

 

STEP 1: Verify Firewalla is blocking the site

Step 1.1: Turn on Emergency Access

Emergency Access instantly unblocks internet access by suspending all blocking mechanisms (monitoring and basic protection remain in place). To turn on Emergency Access:

• Go to your box's main screen -> Devices
• Tap on the device that's having problems connecting 
• Scroll to the bottom and turn on Emergency Access

You can also turn on Emergency Access globally (Rules -> "…" in the top right corner -> Emergency Access)

• Emergency Access may take some time to go into effect (due to the DNS cache). You can speed up this process by either turning the device's Wi-Fi off and on, or rebooting it.
• If Emergency Access fixes the access problem, it means that one of Firewalla's policies is blocking the site. Continue to Step 2.
• If you still can't access the site with Emergency Access turned on, go to Step 1.2.

Note: Emergency Access will suspend your customized blocking rules. Default inbound blocking and Active Protect will still work when it's on. Other blocking features won't be affected.

Learn more about Emergency Access.

 

Step 1.2: Turn off monitoring on the device

• Go to your box's main page -> Devices
• Tap on the device that's having problems connecting
• Scroll to the bottom and turn off monitoring. 

If you are running DHCP mode, you may need to turn the DHCP service on your main router back on, then turn your device's Wi-Fi off and on to let it acquire a new IP address. 

• If turning monitoring off doesn't fix the problem, you should stop and check your network (wiring, router configuration, compatibility with other devices, etc.) or contact us.
• If turning monitoring off fixes the problem, go to Step 2.

DNS Servers:

Please also carefully check what DNS servers you are using – some may filter results. If possible, trying using a more open DNS server, like 1.1.1.1 or 8.8.8.8.

 

 

STEP 2: Check your block rules

Step 2.1: Identify the rules that are blocking the site

Our Rule Diagnostics tool will tell you what rule(s) are responsible for blocking certain types of traffic. Just fill in the site you can't access and the device you're having an issue with. To run Rule Diagnostics, go to your box's main screen -> Rules  -> "..." in the top right corner -> Diagnostics.

If no rule shows up while all features listed in Step 3 are disabled, try disabling each rule one by one. Some sites will share the same IP mapping, meaning that when you block one, others will be inaccessible.

 

Step 2.2: Identify the blocking rule using blocked flows

Firewalla Blocked Flows records all the flows blocked by Firewalla. You can use it to find out which IP or domain is being blocked: 

• Try to access the site or the app blocked by Firewalla.
• Go to your box's main screen -> Blocked stats at the top of the page -> Blocked Flows -> find the flow(s) related to the app or the service. 

• When you tap on a blocked flow, you'll see the feature that caused the block at the bottom of the flow detail page (if the flow was blocked by Ad Block or Active Protect). Tap on the line of text on top of the action to configure the feature directly.

• Otherwise, you'll find a Diagnose button at the bottom of the page. Tap it to identify the rule that blocked the site. If there is a rule found, go to Step 2.3. If there is no rule found, then the connection is likely being blocked by other features. Skip to Step 3 to identify the feature. 

 

Step 2.3: What to do after the blocking rule is identified

Case 1: The rule blocks a domain required by the site

Sometimes, a site requires access to a separate domain. For example, if you can't access docs.google.com, you might see that it's due to a global block rule on ytimg.com (a resource required by Google Docs). See more examples with Google and Youtube access.

To resolve this:

• Pause or remove the rule

 

Case 2: The rule blocks a seemingly unrelated domain

Sometimes one rule will block two supposedly different sites. For example, if you can't access help.firewalla.com, it could surprise you that it's due to a blocking rule on roblox.com. This is because Firewalla by default blocks at the IP level, and blocking roblox.com will block the IP used by help.roblox.com, which shares an IP with help.firewalla.com. See this article for details. 

To resolve this:

• Pause or remove the rule, or
• Change the Block Mode of the rule to "Domain Only" 

 

Case 3: It's a category block rule

For example, you might not be able to access pinterest.com because you have a block on "All Social Sites".

To resolve this:

• Unblock "All Social Sites", or
• Remove pinterest.com and related domains from the All Social Sites category list, or
• Create an Allow rule for pinterest.com to create an exception in the "All Social Sites" block 

 See this article for detailed instructions for the example above. 

 

Case 4: It's an Allow rule

 Sometimes, Allow rules get blocked by other features. Go to Step 3.

 

Case 5: The blocking rule is applied to other devices

Check if there is a Wi-Fi extender in your network. Some Wi-Fi extenders will mix up MAC addresses while processing packets. To resolve this, try temporarily powering off the extender.

 

 

STEP 3: Check your block features

Besides rules, Firewalla has several other features that can block content. Try turning each one off and see if it makes any difference. Before testing these features, make sure to flush your DNS cache by turning your device's Wi-Fi off and on or rebooting it.

 

Ad Block

For example, some Google search results may be blocked because they are ads.

• Go to your box's main page -> Ad Block
• Turn off Ad Block globally or on the device experiencing the problem

Family Protect

• Go to your box's main page -> Family
• Turn off Family Protect globally or on the device experiencing the problem

Safe Search

For example, certain YouTube videos could be blocked due to Safe Search (see this article).

• Go to your box's main page -> Family
• Turn off Safe Search globally or on the device experiencing the problem

DNS Over HTTPS (DoH)

Sometimes, DoH does some filtering. The results returned are not always consistent from provider to provider.

• Go to your box's main page -> DNS Service
• Turn off DNS over HTTPS (DoH) or change its server

Active Protect

As a last resort, you can try turning off Active Protect. However, if a site is blocked by Active Protect, chances are it shouldn't be trusted.

• Go to your box's main page -> Settings -> Features -> Active Protect

 

Advanced Debugging

If you need more powerful debugging techniques, see Rule Debugging and use of tcpdump.

 

Need Help?

If you still cannot resolve the problem, please feel free to open a support case. We guarantee a response in less than 24 hours.