Firewalla: New Device Quarantine

New Device Quarantine allows you to automatically monitor and control unknown, potentially dangerous devices on your network.

1. What is New Device Quarantine?
2. How do I enable New Device Quarantine?
3. What can I do with New Device Quarantine?
4. How do I identify unknown devices?
5. How do I know if I can trust a device?
6. How do I release devices from the Quarantine Group?

What is New Device Quarantine?

With New Device Quarantine turned on, every new device that joins your network will be automatically placed into a Quarantine Group and an alarm will be generated.

• Set custom rules and policies for the Quarantine Group
• Have full visibility over quarantined devices
• Freely remove devices from the Quarantine Group

Some use cases for New Device Quarantine:

• Lock down devices that randomize MAC addresses (e.g. clever kids trying to get around your rules and policies)
• Monitor all unknown devices for unusual or suspicious behavior

Note that Firewalla will recognize devices with MAC randomization (e.g. iOS 14+) as new devices every time the MAC address is changed. This makes New Device Quarantine a good way to prevent devices from getting around your rules and policies. If you don't want your device to be quarantined every once in a while, you'll have to disable the random MAC feature on your device.

Disclaimer: Firewalla is a router and firewall. It cannot control LAN traffic of devices on the same network. This means that Firewalla will not be able to restrict traffic generated by quarantined devices to other devices on the same LAN. If you do want to restrict LAN traffic, Firewalla supports network segmentation.

How do I enable New Device Quarantine?

• Go to your box's main page.
• Scroll down and tap on the "+ " more button.
• Tap on New Device Quarantine and turn it on.
• Go back to the main screen and tap on Devices. You'll see a new Quarantine Group.
• You can apply New Device Quarantine to specific networks on Firewalla Gold and Purple.

What can I do with New Device Quarantine?

New Device Quarantine creates a Quarantine Group with two pre-defined rules to block new devices from accessing the internet and other segments of your network.

• Block Traffic from & to Internet
• Block Traffic from & to All Local Networks (Gold/Purple Only)

You can treat the Quarantine Group like any other device group. This means you can:

• Add or modify the default rules
• Add or remove members from the group
• Set Routes for traffic from the group
• Send the group's traffic over a VPN using the VPN Client

How do I identify unknown devices?

Sometimes a new device appears on your network and it isn't obvious what it is. This is especially true when a device uses a private or random MAC address – we recommend disabling private MAC on your devices as a best practice. Here are some general tips to identify devices: 

1. If the device isn't quarantined, try putting it into the Quarantine Group to limit its ability to connect. This may help you quickly identify the device. 
2. Look at its network flows. The device's traffic may give you hints about what it could be.
3. Check the MAC address. If the MAC is not random, or you aren't sure, look it up using MAC vendor lookup and see if the manufacturer is a clue as to the device's identity. Note that in a random MAC address, the second digit will always be a 2, 6, A, or E and the rest of the address will be entirely random. For example:

   x2:xx:xx:xx:xx:xx
   x6:xx:xx:xx:xx:xx
   xA-xx-xx-xx-xx-xx
   xE:xx:xx:xx:xx:xx

4. Don't overlook IoT devices like switches and appliances or wearables like watches. Sometimes they join a network by "invitation" from another device, such as a paired phone.
5. Check the for patterns in the time the device joins or leaves the network. It may match when someone is home or not, which can be a clue.

How do I know if I can trust a device?

New Device Quarantine allows you to keep tabs on new devices and limit their access so their risk profile is small, giving you the time and confidence to decide if they're trustworthy. Let unknown devices run for a while and use Firewalla to observe what their normal behaviors are.

"Nice" devices

Devices are more likely to be trustworthy if they send data to secure servers like Amazon's AWS because this often means they have strong data security features.

IoT devices typically require very little internet access – they may only talk to just one or two domains when operating as designed. After observing what servers your IoT devices need access to, you can set rules to only allow access to those servers so that if they are ever compromised by malware or ransomware, they can't send data anywhere else. 

"Naughty" devices

Many devices lack the architecture and quality control to ensure secure data handling. These unintentional flaws leave devices open to being compromised. In other cases, devices may be harvesting your data without asking you for permission. If you're concerned that some of your devices are untrustworthy, separating these devices from the rest of your network mitigates your risk. Learn more about Building Network Segments.

How do I release devices from the Quarantine Group?

To release a device from quarantine, simply navigate to the Quarantine Group, swipe left on the device, and tap "Leave Group".