The Firewalla Web Interface is a complementary management interface to the mobile app. The goal is to provide:
- A richer and more in-depth view of your network
- Some of the more complex operations that are not possible on the mobile app
- A quicker way for us to deploy features ahead of the mobile app
Dashboard
Devices
Edit Device Name or assign to Group directly from the Device list:
Alarms
Mute any type of alarms on a specific device or all devices:
Flexible Search and Bulk Action
Search anywhere and take action on multiple items at once:
Target List
Target lists allow you to create your own list of IP addresses or domains; the list can then be used in rules to block, allow, or prioritize a group of targets. If you have a lot of rules, this feature can help you organize them.
- Target Lists can only be created and managed using the Firewalla Web interface.
- Target Lists can be applied via the Web or App.
- Target List items are restricted to 200 items:
  - Domain
  - IP
  - IP Range
- You can only create up to 20 target lists.
Export
Export devices/alarms to a .csv format file.
Flows
Note: if you filter on different fields (device, destination), the conditions are combined with AND. So
Direction:Outbound BlockedBy:"IP Filtering"
means all flows that are outbound AND blocked by "IP Filtering". If you only wanted flows that were outbound AND blocked by IP filtering AND had a specific destination, you could add:
Direction:Outbound BlockedBy:"IP Filtering" Destination:184.169
If you use multiple filters on the same field, they are combined with OR. For example:
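The combination rule described above (AND across different fields, OR across repeated fields), as an added example that is not Firewalla's code: it parses the Field:Value syntax shown on this page and applies it to constructed flow records. The prefix matching, the record layout and the repeated-Destination query are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches Field:value or Field:"quoted value" (the syntax shown on this page).
TOKEN = re.compile(r'(\w+):(?:"([^"]*)"|(\S+))')

def parse_query(query):
    """Group filter values by field name (case-insensitive)."""
    terms = defaultdict(list)
    for field, quoted, bare in TOKEN.findall(query):
        terms[field.lower()].append((quoted or bare).lower())
    return dict(terms)

def matches(flow, terms):
    """AND across different fields, OR across values of the same field.

    Assumption: a value matches when the flow's field starts with it,
    so Destination:184.169 matches 184.169.x.x. The real UI may differ.
    """
    for field, values in terms.items():
        actual = str(flow.get(field, "")).lower()
        if not any(actual.startswith(v) for v in values):
            return False  # one field with no matching value fails the AND
    return True

def filter_flows(flows, query):
    terms = parse_query(query)
    return [f for f in flows if matches(f, terms)]

# Constructed sample flows (not real Firewalla data or field names).
FLOWS = [
    {"id": 1, "direction": "Outbound", "blockedby": "IP Filtering", "destination": "184.169.10.5"},
    {"id": 2, "direction": "Outbound", "blockedby": "IP Filtering", "destination": "8.8.8.8"},
    {"id": 3, "direction": "Inbound", "blockedby": "IP Filtering", "destination": "184.169.10.5"},
    {"id": 4, "direction": "Outbound", "blockedby": "Other", "destination": "184.169.77.1"},
]

if __name__ == "__main__":
    for q in ('Direction:Outbound BlockedBy:"IP Filtering"',
              'Direction:Outbound BlockedBy:"IP Filtering" Destination:184.169',
              # Constructed query: the same field twice is treated as OR.
              'Direction:Outbound Destination:184.169 Destination:8.8'):
        print(q, "->", [f["id"] for f in filter_flows(FLOWS, q)])
```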
What products does it support?
The web interface is supported on:
- Firewalla Gold, Firewalla Gold SE, Firewalla Gold Plus
- Firewalla Blue, Blue Plus
- Firewalla Purple, Firewalla Purple SE
It is not (officially) supported on Firewalla Red (it may or may not work).
How to access it
1. From your web browser, go to https://my.firewalla.com. You will see a QR code displayed on-screen.
2. From your Firewalla app, turn on the camera for scanning. You can do this in two ways:
   - Tap the gear icon on the top right of the page. Tap Open In Desktop Browser.
   - Tap More from your box's main page. Tap Firewalla Web.
3. Use the phone to scan the QR code displayed on your browser in step 1. You will then be logged into the web and directed to the dashboard page.
How does it work?
The web interface is hosted on a central server in Amazon AWS. There is no data stored in permanent storage on this server. Its primary role is to bridge the data from your Firewalla boxes to the web interface.
- No permanent storage of your data
- Data is always streamed dynamically from your Firewalla box
- Data is dynamically decrypted and stored in memory
- After you scan the QR code, some pieces of data may stay in memory for up to 24 hours, or until the login expires.
What role does the web interface play?
This interface will always complement the mobile interface.
Why not have the interface local to the Firewalla box?
A cloud-based web interface will allow us to release features much faster. Each Firewalla box release takes around 3 to 5 months. We did a monthly data overview feature on the web, and it took us 2 days to release the UI.
From a software architecture perspective, having the UI layer outside of the firewall will likely make the firewall more efficient and secure.
Why do I need to scan the QR code to log in?
In Firewalla, there is no username and password. Everything is based on public/private key pairs (Firewalla has end-to-end encryption enabled). When you log into the web interface, the authentication part is the private key stored on your phone. This enables the web interface to decrypt your flow data (and is the reason for the QR scan).
Since we are security people, we do not want this decryption capability in the web server forever, so the web server will wipe its memory after a few hours of usage.
We are also working on other ways to log in, but they will still involve the app.
Can you replicate all the mobile app functions on the Web Interface?
Not until the web interface is widely used. It is extremely expensive (and time-consuming) to maintain three different UIs (iPhone/Android + Web).
Can I log into the Web interface from offsite?
Yes. As long as you have a paired phone, you can log in anywhere.
Can I manage multiple boxes from the web?
If you're an IT professional or a home user looking for a more heavy-duty web interface, try our Managed Security Portal (MSP). Firewalla MSP makes it easy to securely manage multiple Firewalla boxes from anywhere with features like:
- A private domain
- Two-factor authentication
- Box update management
- Reporting and Extended logging and analytics
- Programmable APIs/Webhook/Slack/IFTTT integration
- VPN Mesh
- Email-based login
You can sign up for Firewalla MSP here. All plans include a discounted 6-month trial. Learn more in our Firewalla MSP introduction article.
If you have any issues, please contact us: https://help.firewalla.com/hc/en-us/articles/360049896733
Comments
The web interface is outstanding - very intuitive. Will there be a way to create (various) user-created filters that remove "mundane" IP traffic from the traffic list generated in "Insights"? Various filter lists could be created with Destination IPs and ranges of destination IPs to include or exclude. A filter list could also be added by selecting the Destination IP addresses on the web page and adding them to a given filter so that the Destination IPs are included or excluded when the filter is applied. I imagine using this more to exclude mundane IP traffic so I can see the more unusual accesses in the Insights list. Many thanks,
@richard, makes sense. Will ask our developers to create an issue on this.
This is AWESOME. I just installed my firewalla 2 weeks ago and running the iOS interface on my ipad was making me so crazy that I was going to inquire about returning the device!
An obvious addition I hope will be the general ability to manage the network settings through the web. Right now, it seems like the web interface is primarily a portal to view info.
Areas that I especially like:
The Devices screen! This is SO MUCH easier than looking through the device list on the ipad! I love being able to click on the device and getting full details on it. But, why can't we edit the network information for devices here? It looks like we can add rules, but I'd like to manage the DHCP reservation here. The device screen seems like an obvious location to go to to manage these settings. For instance, I have a bunch of devices that need to have reserved IP addresses. Doing that on the iOS interface was frankly a colossal PITA, but on the web interface, it could be dramatically easier if you allowed editing there.
Having it locally would have a massive boost in responsiveness. FWG to AWS to desktop, round trip is unwarranted.
The web server on the local FWG could be updated as per existing schedule or with a separate package and versioning.
Please do think about having it locally.
Hello folks,
I love the firewalla web interface (with its limitations) and I use it quite often. But I am struggling stupidly to manage more than one box from the firewalla web interface.
If I press "manage boxes" I have no option to add a second box. Neither can I from the phone app main screen. How is it done? Thanks.
You will have to login via the other box to manage it. The web interface to manage multiple units is not yet ready for prime time (as of the time of this message).
Thanks for the prompt reply. While I am unsure about what you mean by that, the only way I found is to use an incognito mode to open the second one. I thought it was implemented, thanks.
Cheers.
I really appreciate Firewalla devoting resources to having a web interface in addition to the phone apps for many reasons, including having a larger screen to view more information at once, exporting logs/events/etc, and what looks like a big picture goal of a user being able to import configuration settings lists such as the block list, and generally being able to save time.
My compliments to the Firewalla devs for adding onto your existing development workloads what seems like an entirely new dimension of development, and making it all look easy in the process lol, considering how well formed and smooth it is already, particularly given how young this new long-term development effort is.
Thanks! I look forward to continue trying new features and watching it grow.
Please continue to invest time and resources to allow the Web interface to have all of the features and not just complement the mobile GUI, but allow full autonomy and independence. Myself and I believe many tech-savvy users use web GUI interfaces for many applications and servers and would benefit greatly from a well-defined and independent, feature-full web GUI.
Thank you!
I love the work on the web interface. Will a different login method ever be implemented? I spend a good portion of my day in an area without my phone. At times it would be nice to sign-in with user and password. Having another form of 2FA would be nice. Thanks!
I really enjoy the Purple and Gold products and look for better ways to use them for myself and others. That said, I have noticed that the MSP interface shows an events view that is missing on the desktop browser interface designed for non-MSP folk. However, the events are visible in the mobile app.
This is an issue as internet events used to generate alarms that the admin could take action on, but now do not seem to raise any alarms. They are noted as events, but there is no other notification. Such events are just noted silently and hope they are discovered by someone looking.
One more vote here for making the Web interface the primary control source for Firewalla. The phone screens are too small. Very difficult to read. Not much room for a lot of information.
The WebUI has lots of room. And my computer screens are much easier to read and interact with. The current WebUI is well behind the phone interface. Hopefully you can get it up to speed shortly.
And making the login process easier would be great. And allow the login to be semi permanent would be a big improvement.
Could not agree more with the last comment. Upvoted
And let me leverage this same comment to request the inclusion of target list management within the mobile app. It is a big pain not being able to include one new IP to one list on the go, because they can only be modified through web interface or MSP. Thanks.
I would like to add a feature request where clicking on Open in Desktop Browser would allow you to also open the web interface from the same mobile device itself without requiring a second device to scan a QR code with. That way I could either use the app or the browser from the same mobile
Web "Security Lookup" vendors to Match the Mobile Apps
Can we have the number of Security Lookup vendors match what we have on the Mobile Apps?
Makes it easier when trying to go through 30,000-50,000 Log Entries a day via the Web Portal and deciding to Block or Allow connections.
Domain Security Lookup Missing in Web App - VirusTotal, Shodan, AbuseIPDB, Hurricane
IP Security Lookup Missing in Web App - VirusTotal, Shodan, AbuseIPDB, Hurricane, GreyNoise
I appreciate your statement about a full web interface being local. But not having a local web interface at all makes specific scenarios (like diagnosing and changing internet connection properties) more difficult than it could be.
The Unifi USG took an approach where the local web interface just contained some very core things: Port configuration, status, IP address, Internet connection settings, reboot. That way you can get the device connected to the internet and diagnose issues without the current dancing around you sometimes need with bluetooth/connecting via another router just to commission.
Your phone app is still the main interface, and if the internet is down, it has the ability to configure the firewalla via Bluetooth. (which likely can't be done with anything 'local')
Yes, I understand this - and I'm suggesting a local web interface with some key settings to allow you to get online would be better from a commissioning and diagnostic point of view - rather than have to get near the device and use bluetooth.