Below are suggestions for validating that various Firewalla features are working properly. For features marked with "*", you can use https://diag.firewalla.com/ to validate quickly: open the tool in a browser and check the results in the "Block Validation" section.
- Ad Block*
- Family - Family Protect
- Family - Safe Search
- Family - Social Hour*
- DNS over HTTPS (DoH)
- Unbound
- Malware Activity - Alarm
- Active Protect - Strict Mode*
- Video Sites Blocking Rule*
- NTP Intercept
- VPN Client
- VqLAN and Device Isolation
- Suricata
- Device Active Protect (DAP)
Ad Block
Check if you can see ads on this site: https://ads-blocker.com/testing/
To test if Strict Mode is blocking more ads, try comparing the block rate before and after switching to Strict Mode using Firewalla's diag tool, see "Block Validation" section: https://diag.firewalla.com/
Family - Family Protect
If you're using 3rd-Party Mode Family Protect, visit this site to confirm that OpenDNS is running: http://welcome.opendns.com/
If you're using Native Mode Family Protect, you can test each feature you have enabled by attempting to visit or use the categories/services you have blocked.
Family - Safe Search
Search 'porn' in Google with Safe Search on. You will see different results than if Safe Search were off. You may need to use an incognito window to be sure the cache is clear to see the change immediately.
Family - Social Hour
Visit https://facebook.com. You should not be able to if Social Hour is enabled.
Check results in "Block Validation" section: https://diag.firewalla.com/
DNS - DNS over HTTPS
To validate DoH, you need to use the DoH provider's test:
- Cloudflare: https://1.1.1.1/help
- Quad9: https://on.quad9.net
- Google: https://dns.google
- OpenDNS: https://umbrella.cisco.com/doh-help
Keep in mind:
- Browsers may cache results, so clear your cache or use an incognito window.
- If you select multiple DoH providers, any given DNS test may go through a different provider, so select only one provider while testing.
DNS - Unbound
Open https://dnsleaktest.com/ and run a standard test. If the IP in the test result is your public IP, Unbound is enabled: Unbound resolves names recursively from your box, so the upstream nameservers see your own WAN address rather than a third-party resolver. You can find your public IP using https://ipinfo.io/
Open https://en.internet.nl/ and start a test using "Test your connection". You are looking to see whether or not domain signatures (DNSSEC) are validated and if you are protected against false translation from signed domain names into rogue IP addresses.
Malware Activity - Alarm
Note: some tests may require you to clear your DNS cache. You can do this by turning Wi-Fi off and on.
# Expect an alarm to be generated.
http://malware.wicar.org/data/eicar.com
# Expect an alarm to be generated.
http://examplebotnetdomain.com
Note: these are just test files (no real damage). However, your browser may attempt to stop you from downloading the test malware file, so you may have to accept the risk in your browser to continue downloading.
You can also access these URLs via the command line:
$ curl http://malware.wicar.org/data/eicar.com
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
$ curl http://examplebotnetdomain.com
Note: Sometimes you may need to download multiple times, as the test file is too small to trigger the threshold.
Active Protect - Strict Mode (1.973 or higher)
By default, Firewalla auto-blocks high-risk malware sites. To extend it to broader malware sites, including non-high-risk malware sites, you need to turn on Active Protect Strict mode. This requires Box version 1.973 or above.
Note: some tests may require you to clear your DNS cache. You can do this by turning Wi-Fi off and on.
Once in Strict mode, check results in "Block Validation" section: https://diag.firewalla.com/
Or use your browser to visit these sites.
# Expect an alarm will be generated, but the file will still be downloaded
http://malware.wicar.org/data/eicar.com
# Expect an auto block alarm will be generated. This test site is
http://examplebotnetdomain.com
These are just test files (no risk in trying them). However, your browser may attempt to stop you from downloading the test malware file, so you may have to accept the risk in your browser to continue downloading.
- For the first URL, the test site is purposely categorized as one whose risk is not known. Therefore, we don't block it; we alert you so you can decide what to do.
- For the second URL, we purposely marked the test site as high risk, so the download is blocked completely.
You can also access these URLs via the command line:
$ curl http://malware.wicar.org/data/eicar.com
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
$ curl http://examplebotnetdomain.com
curl: (6) Could not resolve host: examplebotnetdomain.com
Note: Sometimes you may need to download multiple times, as the test file is too small to trigger the threshold.
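To turn the curl checks from the Malware Activity and Active Protect Strict mode sections into a repeatable pass/fail, here is an added shell script; it is not part of Firewalla's documentation or tooling. It assumes that curl exit code 6 ("Could not resolve host") is what a DNS-level block looks like from the client, as in the Strict mode output above, and that the EICAR marker string in the response body means the file was delivered. The function names and the RUN_CHECKS variable are the example's own.

```shell
#!/bin/sh
# Added example (not Firewalla's own): classify what a curl fetch of a test URL
# tells you about the box's response. curl exit 6 means the hostname did not
# resolve, which is how a DNS-level block from Active Protect looks on the
# client; a successful fetch whose body carries the EICAR marker means the file
# was delivered, so the box should have raised an alarm instead of blocking.

EICAR_MARKER='EICAR-STANDARD-ANTIVIRUS-TEST-FILE'

# classify_fetch EXIT_CODE BODY -> prints one of:
#   blocked   : DNS resolution failed (curl exit 6); expect an auto-block alarm
#   delivered : body carries the EICAR marker; expect a detection alarm only
#   other     : anything else (network error, unexpected content)
classify_fetch() {
    code="$1"
    body="$2"
    if [ "$code" -eq 6 ]; then
        echo blocked
    elif [ "$code" -eq 0 ] && printf '%s' "$body" | grep -q "$EICAR_MARKER"; then
        echo delivered
    else
        echo other
    fi
}

# check_url URL EXPECTED -> fetches the URL, classifies the result and prints a
# PASS/FAIL line; returns 0 only when the class matches EXPECTED.
# -s silences progress output, -m bounds how long we wait for a dead host.
check_url() {
    url="$1"
    expected="$2"
    body=$(curl -s -m 10 "$url" 2>/dev/null)
    code=$?
    got=$(classify_fetch "$code" "$body")
    if [ "$got" = "$expected" ]; then
        echo "PASS $url -> $got"
        return 0
    fi
    echo "FAIL $url -> $got (expected $expected)"
    return 1
}

# Expectations with Active Protect in Strict mode, as described above: the
# wicar EICAR file is delivered (with an alarm) and the botnet test domain is
# blocked at DNS level.
main() {
    check_url http://malware.wicar.org/data/eicar.com delivered
    check_url http://examplebotnetdomain.com blocked
}

if [ "${RUN_CHECKS:-0}" = 1 ]; then main; fi
```

Run it as RUN_CHECKS=1 sh check_block.sh from a client behind the box with Strict mode on. The expectations encoded in main are the Strict mode ones; in plain Malware Activity mode the second domain is not blocked, so change its expected class accordingly before reading a FAIL as a problem.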
Video Sites Blocking Rule
Try to play YouTube videos.
Check results in "Block Validation" section: https://diag.firewalla.com/
NTP Intercept
Here's how to verify the NTP Intercept feature.
- Open a terminal.
- Confirm NTP works normally by asking your device to query an NTP server. It should return the offset of the system clock with respect to the server clock. Paste in one of the following commands, depending on your OS:
  Windows:
  w32tm /stripchart /computer:pool.ntp.org /samples:5 /dataonly
  Linux (depends on your distribution):
  ntpdate -q -p 1 pool.ntp.org
  sntp pool.ntp.org
  Example output:
  +0.063951 +/- 0.071033 pool.ntp.org 65.100.46.166
- Once you have confirmed NTP is normal, ask your device to query a fake NTP server (Firewalla has set one up at not_ntp_server.firewalla.com). NTP requests to the fake server are also intercepted and processed locally, so NTP should succeed even with a fake server. If it fails, NTP Intercept may not be working.
  Windows:
  w32tm /stripchart /computer:not_ntp_server.firewalla.com /samples:5 /dataonly
  Linux (depends on your distribution):
  ntpdate -q -p 1 not_ntp_server.firewalla.com
  sntp not_ntp_server.firewalla.com
  Example output if the feature is on and working:
  +0.010029 +/- 0.075112 not_ntp_server.firewalla.com 198.18.254.254
  Example output if the feature is off or not working:
  sntp: Exchange failed: Timeout sntp_exchange { result: 6 (Timeout) header: 00 (li:0 vn:0 mode:0) stratum: 00 (0) poll: 00 (1) precision: 00 (1.000000e+00) delay: 0000.0000 (0.000000000) dispersion: 0000.0000 (0.000000000) ref: 00000000 (" ") t_ref: 00000000.00000000 (0.000000000) t1: E92641FC.BD67EC78 (3911598588.739866999) t2: 00000000.00000000 (0.000000000) t3: 00000000.00000000 (0.000000000) t4: 00000000.00000000 (0.000000000) offset: FFFFFFFF8B6CDF01.A14C09C400000000 (-1955799294.369933605) delay: FFFFFFFF16D9BE03.4298138800000000 (-3911598588.739867210) mean: 0000000000000000.0000000000000000 (0.000000000) error: 0000000000000000.0000000000000000 (0.000000000) addr: 198.18.254.254 }
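As an added example that is not from Firewalla, the following shell script runs the two sntp probes from the steps above and classifies their output, so the NTP Intercept check becomes a single verdict instead of reading offset lines by eye. It assumes sntp is installed and prints either an offset line of the form shown above or an "Exchange failed" message; the function names, the RUN_CHECKS variable and the verdict labels are the example's own.

```shell
#!/bin/sh
# Added example (not Firewalla's own): probe a real and a fake NTP server with
# sntp and derive the intercept verdict described in the steps above.

REAL_NTP=pool.ntp.org
FAKE_NTP=not_ntp_server.firewalla.com   # the fake server named in the text

# classify_sntp OUTPUT -> prints "reply" when the output holds an offset line
# ("<offset> +/- <error> <host> <ip>"), "timeout" when sntp reported
# "Exchange failed", and "unknown" for anything else. Not anchored at line
# start because some sntp builds prefix the offset line with a timestamp.
classify_sntp() {
    out="$1"
    if printf '%s\n' "$out" | grep -q 'Exchange failed'; then
        echo timeout
    elif printf '%s\n' "$out" | grep -Eq '[+-][0-9]+\.[0-9]+ \+/- [0-9]+\.[0-9]+'; then
        echo reply
    else
        echo unknown
    fi
}

# intercept_verdict REAL_RESULT FAKE_RESULT -> the conclusion from the text:
#   real reply + fake reply   : intercept working (fake server answered locally)
#   real reply + fake timeout : intercept off or not working
#   real not a reply          : NTP itself is broken, so nothing can be concluded
intercept_verdict() {
    case "$1/$2" in
        reply/reply)   echo working ;;
        reply/timeout) echo not-working ;;
        *)             echo inconclusive ;;
    esac
}

# probe HOST -> runs sntp against HOST and prints its classification.
# stderr is merged because the timeout message is printed there by some builds.
probe() {
    classify_sntp "$(sntp "$1" 2>&1)"
}

main() {
    real=$(probe "$REAL_NTP")
    fake=$(probe "$FAKE_NTP")
    echo "real=$real fake=$fake intercept=$(intercept_verdict "$real" "$fake")"
}

if [ "${RUN_CHECKS:-0}" = 1 ]; then main; fi
```

Run it as RUN_CHECKS=1 sh check_ntp.sh from a client on the box's network. An "inconclusive" verdict means the real server did not answer either, so fix ordinary NTP connectivity before judging the intercept feature.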
VPN Client
If you have a device configured to use Firewalla VPN Client, try visiting a site such as http://ipinfo.io to see if your IP address matches the VPN (or your own public IP address).
VqLAN and Device Isolation
If you have the Firewalla AP7 and have enabled VqLAN or Device Isolation on a group or device, try to ping the isolated device from a separate Windows, Linux, or Mac device.
- Identify the IP address of the device you'd like to test from the Devices list.
- From a separate device on the same network, open a terminal or command prompt. If testing VqLAN, ensure that the separate device is not within the same VqLAN group.
- Run the following command, replacing the IP address with the device IP address:
  ping 192.168.1.100
The ping statistics should show 0 packets received.
To compare with a non-isolated device, try pinging an IP address without VqLAN or Device Isolation enabled. This should return responses with received packets.
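Here is an added shell version of the ping check above (example code, not Firewalla's). It assumes a Linux or macOS ping whose summary line reads "N packets transmitted, M received" or "N packets transmitted, M packets received"; the function names are hypothetical and 192.168.1.100 is the placeholder address from the text.

```shell
#!/bin/sh
# Added example (not Firewalla's own): turn the isolation ping test into a
# function that reads the "received" count from ping's summary line, which
# differs slightly between Linux ("0 received") and macOS/BSD
# ("0 packets received"). No -W/-i flags are used because their meaning
# differs between ping implementations.

# received_count PING_OUTPUT -> prints the number of replies from the summary line,
# or nothing if no summary line was found
received_count() {
    printf '%s\n' "$1" \
        | sed -n 's/.*transmitted, *\([0-9]*\) \(packets \)\{0,1\}received.*/\1/p' \
        | head -n 1
}

# isolation_verdict RECEIVED TRANSMITTED -> isolated / reachable / partial / unknown
isolation_verdict() {
    if [ -z "$1" ]; then
        echo unknown          # summary line missing: do not guess
    elif [ "$1" -eq 0 ]; then
        echo isolated         # the expected result for a VqLAN/isolated device
    elif [ "$1" -eq "$2" ]; then
        echo reachable        # the expected result for a non-isolated device
    else
        echo partial          # some loss: flaky link rather than isolation
    fi
}

# check_isolated IP [COUNT] -> pings IP COUNT times, prints the verdict and
# returns 0 only when the device is isolated (no replies at all).
check_isolated() {
    ip="$1"
    count="${2:-4}"
    out=$(ping -c "$count" "$ip" 2>&1) || true   # ping exits non-zero on loss
    got=$(received_count "$out")
    verdict=$(isolation_verdict "$got" "$count")
    echo "$ip: ${got:-?}/$count replies -> $verdict"
    [ "$verdict" = isolated ]
}
```

Call check_isolated 192.168.1.100 from the non-isolated device; run it a second time against an address outside the isolated group and expect "reachable" to confirm the test itself is sound.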
Suricata
Suricata on Firewalla uses deep packet inspection to detect potential malware activity that matches its signatures. To verify that the Suricata engine is running on your box, run the following command on your PC or laptop to generate a packet matching one of Suricata’s signatures:
echo -n -e "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x32\x32" | nc -u -w1 4.3.2.1 54321
If you are using Windows, you can also try running the following command in PowerShell:
$data = [byte[]](0,0,0,0,0,0,0,0,0,0,0x32,0x32); (New-Object System.Net.Sockets.UdpClient).Send($data, $data.Length, "4.3.2.1", 54321)
Then, go to your Box’s main screen → Alarms, and check whether a Security Activity alarm was generated for your device accessing 4.3.2.1. If you see the alarm, it confirms that Suricata is capturing abnormal packets in your network. Note that if you repeat this test frequently within a short period, Firewalla may only generate one alarm.
Note: This is just for testing purposes. IP 4.3.2.1 and port 54321 can be any random IP/port.
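The command above depends on nc, which not every Linux device ships, and on an echo that understands -e, which dash's does not. As an added example that is not Firewalla's own, this script builds the same 12-byte datagram with printf and sends it with nc when present, otherwise through bash's built-in /dev/udp redirection. The function names are the example's own; 4.3.2.1 and 54321 are the arbitrary destination from the text.

```shell
#!/bin/sh
# Added example (not Firewalla's own): portable construction and sending of the
# 12-byte Suricata test datagram from the text (ten 0x00 bytes then 0x32 0x32).

PROBE_HOST=4.3.2.1     # arbitrary destination named in the text
PROBE_PORT=54321

# probe_payload -> writes the 12 raw bytes to stdout (octal escapes: \062 = 0x32)
probe_payload() {
    printf '\000\000\000\000\000\000\000\000\000\000\062\062'
}

# probe_payload_hex -> hex of the payload, for confirming the bytes before sending
probe_payload_hex() {
    probe_payload | od -An -tx1 | tr -d ' \n'
}

# probe_payload_len -> number of bytes the payload carries
probe_payload_len() {
    probe_payload | wc -c | tr -d ' '
}

# send_probe [HOST] [PORT] -> sends one UDP datagram; returns 1 if neither nc
# nor bash is available to send it
send_probe() {
    host="${1:-$PROBE_HOST}"
    port="${2:-$PROBE_PORT}"
    if command -v nc >/dev/null 2>&1; then
        probe_payload | nc -u -w1 "$host" "$port"
    elif [ -n "$BASH_VERSION" ]; then
        # bash opens /dev/udp/HOST/PORT as a socket, so no external tool is needed
        probe_payload > "/dev/udp/$host/$port"
    else
        echo "no UDP sender found (install nc or run this under bash)" >&2
        return 1
    fi
}
```

Source the file and call send_probe, then check Alarms on the box as described above. probe_payload_hex should print 000000000000000000003232 and probe_payload_len 12; if either differs, the shell's printf is mangling the NUL bytes and the packet will not match the signature.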
Device Active Protect (DAP)
Device Active Protect (DAP) will automatically allow specific targets by determining which connections are necessary, and block all other traffic on certain IoT devices. To verify if DAP is working, you can use the Rule Diagnostics tool to test if certain domains are allowed or blocked.
- From your box's main screen, tap Rules > tap Options (...) in the top right corner > tap Diagnostics.
- For the website, enter any site. Test out random sites that your device should never access, and known sites that your device may need for connectivity.
- For the device, select a known eligible device in the Optimizing phase of DAP.
To find your known allowed sites and eligible devices, tap Protect > Optimizing > tap into a device in the Optimizing phase.
Comments
So I decided to test these services today.
Unbound, NTP Intercept, DoH and Malware Activity/Active Protect (Strict Mode) all work and respond appropriately as tested.
Suricata on the other hand I have had enabled now for 3 days and have yet to be able to get a single alert from. I tried a few different tests, even going as far as SSH'ing into my FWG Gold to try one or two commands (since most of my Unix/Linux OS local devices are without nc/netcat pre-installed), and couldn't get a Suricata alarm.
I'll be leaving Suricata/Dual-engine enabled, and wait and see for any alerts until I can troubleshoot what might be the problem.