To enable this feature: tap the "+" button on the main screen and turn on "New Device Quarantine".
With New Device Quarantine turned on, all new devices joining the network will be automatically placed into a Quarantine group, and an alarm will be generated. You can:
- Control the quarantine group with any rules or policies (from adult content to games) and use Smart Queues to rate-limit devices (available on Purple and Gold).
- Have full visibility of the quarantined devices.
- Freely remove devices from the Quarantine group.
Please note that for devices that randomize their MAC address (e.g. iOS 14+), Firewalla will recognize them as a new device every time the MAC address changes. You can leverage this to prevent devices from getting around specific blocking rules and to build a super guest network for home and work. If you don't want your own device to be quarantined every so often, you'll have to disable the random MAC feature on that device.
Summary of use cases:
- Lock down devices that randomize MAC addresses.
- Lock down kids who change their device's MAC address to bypass controls.
- Put new devices in a special group for special monitoring.
- Quarantine group rules are flexible, so you can even send unknown device traffic to VPN clients.
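The quarantine behaviour described above (every unknown MAC lands in the Quarantine group with an alarm, and a device that rotates its MAC shows up as "new" again after each rotation) is simple enough to model. The following is an added example, not Firewalla's code: it keeps a known-device inventory, quarantines anything else, and additionally flags MACs whose locally-administered bit is set, which is how iOS/Android randomized addresses differ from vendor-assigned ones. All MACs, hostnames and the inventory are constructed for the example.

```python
"""Added example (not Firewalla's code): a small simulation of the New
Device Quarantine logic. Every MAC not in the known inventory lands in the
Quarantine group with an alarm; a MAC with its locally-administered (U/L)
bit set is also flagged as probably randomized, since it will reappear as
a "new" device each time it rotates. All device data is constructed."""

from dataclasses import dataclass, field

# Default rules the quarantine group receives (the two defaults on the page).
QUARANTINE_RULES = (
    "block traffic from & to Internet",
    "block traffic from & to all local networks",
)


@dataclass
class Inventory:
    known: set = field(default_factory=set)         # MACs the admin has released/trusted
    quarantine: dict = field(default_factory=dict)  # MAC -> hostname currently quarantined
    alarms: list = field(default_factory=list)


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 of the first octet) is set. Randomized MACs
    from iOS/Android set this bit; vendor-assigned (OUI) MACs do not."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def on_device_seen(inv: Inventory, mac: str, hostname: str) -> str:
    """Process a join event. Returns 'known', 'quarantined' or 'already-quarantined'."""
    mac = mac.lower()
    if mac in inv.known:
        return "known"
    if mac in inv.quarantine:
        return "already-quarantined"
    inv.quarantine[mac] = hostname
    note = "new device"
    if is_locally_administered(mac):
        note += " (randomized MAC: will be re-quarantined on every rotation)"
    inv.alarms.append(f"ALARM {mac} {hostname}: {note}; rules={list(QUARANTINE_RULES)}")
    return "quarantined"


def leave_group(inv: Inventory, mac: str) -> None:
    """'Leave Group': release the device from quarantine and remember it as known."""
    mac = mac.lower()
    inv.quarantine.pop(mac, None)
    inv.known.add(mac)


def run_demo() -> Inventory:
    inv = Inventory(known={"a4:83:e7:11:22:33"})  # constructed: a previously released laptop
    events = [                                     # constructed join events
        ("A4:83:E7:11:22:33", "laptop"),
        ("f0:27:65:44:55:66", "tv"),               # vendor-style MAC (U/L bit clear)
        ("da:1b:2c:3d:4e:5f", "iPhone"),           # 0xda has the U/L bit set -> randomized
        ("da:1b:2c:3d:4e:5f", "iPhone"),           # seen again before release: no second alarm
        ("d6:7e:8f:90:a1:b2", "iPhone"),           # same phone after rotation: "new" again
    ]
    for mac, host in events:
        on_device_seen(inv, mac, host)
    leave_group(inv, "f0:27:65:44:55:66")          # admin releases the TV
    return inv


if __name__ == "__main__":
    result = run_demo()
    print("\n".join(result.alarms))
    print("still quarantined:", sorted(result.quarantine))
```

Running the demo produces three alarms (the TV and the phone twice, once per MAC), which is exactly the "quarantined every once in a while" effect the note above warns about for devices that keep MAC randomization on.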
To turn on this feature:
- Go to your Firewalla main screen.
- Tap on the "+" more button.
- Tap on New Device Quarantine and turn it on.
- Go back to the main screen and tap on Devices; a Quarantine group will appear in your device list.
- This feature can be turned on for specific networks on Firewalla Gold and Purple.
To configure this feature:
New Device Quarantine creates a Quarantine group, with a set of pre-defined rules to block new devices from accessing the internet and other segments of your network.
- Block Traffic from & to Internet
- Block Traffic from & to All Local Networks (Gold/Purple Only)
Like any other device group, the rules applied to the "Quarantine Group" can be customized.
- You can add or modify the default rules, and add or remove members from this group like any other Firewalla device group.
- You can treat the Quarantine group as any device group.
- If the Quarantine group is deleted, the feature will be turned off.
- "Routes" and "VPN Client" should all work with this group.
All devices being quarantined will join the device group: Quarantine. To leave the group and release the device from quarantine, you can simply swipe left and tap "Leave Group".
Since the Quarantine group is a virtual group, Firewalla will not be able to control traffic from the new devices to your LAN. If you do want to control LAN access, please see network segmentation.
Please remember whether you have quarantine turned on when you are installing new devices. We've seen many cases where new devices were quarantined and failed to be installed on the network.
When you bring a new device into your home it can be difficult to know if it is trustworthy. Instead of thinking about these devices in a binary way ("yes, I will use them because I know they are safe" or "no, I can't be positive they are safe so I will not use them"), Firewalla allows you to keep tabs on them and limit their access so that the risk profile is small.
Devices are more likely to be "Nice" or trustworthy if they send data to secure servers like Amazon's AWS, which have strong data security features. Often IoT devices require very little internet access: when operating as designed, they may talk to just one or two domains. One strategy is to let them run for a while and use Firewalla to observe what their normal behaviors are, then secure the devices by creating rules that only allow access to those servers, so that if they are ever compromised by malware or ransomware, they can't send data where it shouldn't be going.
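The observe-then-allowlist strategy above has two phases: learn which domains a device contacts during a learning window, then turn that into allow rules with a default block and treat anything outside the baseline as a deviation worth an alert. The following is an added example, not Firewalla's code, that runs both phases over a constructed flow log; the device MACs, names, domains and timestamps are all made up for the illustration, and the rule text is a generic rendering rather than Firewalla's rule syntax.

```python
"""Added example (not Firewalla's code): the observe-then-allowlist strategy,
run over constructed flow records. Phase 1 learns which domains each IoT
device contacts during a learning window; phase 2 turns that baseline into
allow rules with a default block and reports any later flow outside the
baseline (what a compromised device phoning home would look like)."""

from collections import defaultdict
from datetime import datetime, timedelta

# constructed flow log: (timestamp, device MAC, destination domain, bytes out)
FLOWS = [
    ("2024-03-01T08:00:00", "f0:27:65:44:55:66", "api.example-cam.net", 4200),
    ("2024-03-01T08:05:00", "f0:27:65:44:55:66", "time.example-ntp.org", 76),
    ("2024-03-02T09:00:00", "f0:27:65:44:55:66", "api.example-cam.net", 3900),
    ("2024-03-03T21:00:00", "f0:27:65:44:55:66", "fw.example-cam.net", 91000),
    ("2024-03-01T10:00:00", "1c:2d:3e:4f:50:61", "hub.example-bulb.io", 800),
    ("2024-03-04T10:00:00", "1c:2d:3e:4f:50:61", "hub.example-bulb.io", 810),
    # after the learning window: the camera suddenly talks to an unknown host
    ("2024-03-12T03:14:00", "f0:27:65:44:55:66", "api.example-cam.net", 4000),
    ("2024-03-12T03:15:00", "f0:27:65:44:55:66", "drop.example-unknown.xyz", 2_500_000),
    ("2024-03-12T11:00:00", "1c:2d:3e:4f:50:61", "hub.example-bulb.io", 790),
]


def learn_baseline(flows, start, learning_days):
    """Return {mac: set(domains)} seen within the learning window."""
    end = start + timedelta(days=learning_days)
    baseline = defaultdict(set)
    for ts, mac, domain, _ in flows:
        t = datetime.fromisoformat(ts)
        if start <= t < end:
            baseline[mac].add(domain)
    return dict(baseline)


def allow_rules(baseline):
    """Render a per-device allowlist: explicit allows, then a default block.
    The rule text is a generic rendering, not Firewalla's rule syntax."""
    rules = []
    for mac in sorted(baseline):
        for domain in sorted(baseline[mac]):
            rules.append(f"allow {mac} -> {domain}")
        rules.append(f"block {mac} -> *")
    return rules


def detect_deviations(flows, baseline, start, learning_days):
    """Flows after the learning window that hit domains outside the baseline.
    These are the connections the allow rules would block and alert on."""
    end = start + timedelta(days=learning_days)
    hits = []
    for ts, mac, domain, out_bytes in flows:
        if datetime.fromisoformat(ts) >= end and domain not in baseline.get(mac, set()):
            hits.append({"time": ts, "mac": mac, "domain": domain, "bytes_out": out_bytes})
    return hits


def run_demo():
    start = datetime(2024, 3, 1)
    base = learn_baseline(FLOWS, start, learning_days=7)
    return base, allow_rules(base), detect_deviations(FLOWS, base, start, 7)


if __name__ == "__main__":
    base, rules, hits = run_demo()
    print("\n".join(rules))
    for h in hits:
        print("DEVIATION", h)
```

The learning window is the part to get right: too short and legitimate but infrequent destinations (a firmware-update host that is only contacted weekly, like the constructed `fw.example-cam.net`) end up blocked; the usual fix is to review the blocked-flow alarms for a while after the rules go live and add the few legitimate stragglers by hand.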
Many devices that we find irresistible lack the architecture and quality control to ensure secure data handling. This can simply mean the design is unintentionally flawed, leaving the device open to being compromised by someone else. In other cases, devices may be harvesting your data without disclosing that. Either way, caution is the best policy. Separating these devices from the rest of your network mitigates your risk. Learn more about Building Network Segments.
What would be an awesome addition is when a device gets quarantined, give them a webpage and/or login, like when using commercial guest Wi-Fi. Just a static web page would suffice too, so when an iDevice uses a random MAC, that person can let the admin (i.e. DAD) release it, and the admin (DAD) can update the naming of the device or turn off the MAC randomization for said guest *cough* (children).