Firewalla App version 1.66 is available to all users.
Some features may require Box 1.981, which is available for all Production Gold, Gold Plus, Gold Pro, Gold SE, Purple, Purple SE boxes. No extra steps are needed.
- Please note that Firewalla Blue Plus has reached End of Hardware Life and will not support box version 1.981. Learn more in the Firewalla End Of Life Guide.
App 1.66 Release
New Features
1. Device Active Protect: Lockdown
Requires Box version 1.981
Device Active Protect helps you implement least privilege access—a core part of Zero Trust networks. Instead of having full network access, devices are automatically limited to only the connections they need.
Firewalla dynamically learns trusted behavior over time and blocks everything else, saving you from manually creating per-device rules and manually updating them yourself.
Learn more about Firewalla's Device Active Protect.
- DAP is available for any Firewalla Gold series boxes.
- Firewalla box must be in Router or Bridge mode.
- Not all devices are eligible for DAP.
- There is a learning period before any blocks are enabled.
2. Disturb - New Parental Control Tool
Requires Box version 1.981
Introducing Disturb—our brand new tool designed to stop Internet Addiction.
While time limits and blocks are common ways to control access, Disturb is a new rule action designed to simulate a poor network experience. Firewalla will slow down traffic to selected apps, making them less enjoyable to use, and encourage users to take a break on their own.
To create a Disturb rule:
- Go to Rules (from your main screen) > Add Rule > select Disturb as the action.
- Select the app to disturb, and apply it to any device, user, group, or network.
- You can also select how much to disturb traffic, from Annoying, Super Annoying, or Custom settings.
Learn more about creating Disturb rules.
- DISCLAIMER: This feature is still experimental, as it may not work for everyone.
- This feature requires Firewalla boxes in Router mode.
3. Multi-Engine Active Protect - Suricata
Requires Box version 1.981
Your Firewalla already supports the Default Active Protect engine, and with Firewalla MSP, you can have deeper behavioral-based detection with MSP Active Protect.
In this release, we've added Suricata as an available engine to run alongside the Default and MSP engines! Suricata is a signature-based, open-source engine that can help identify more threats quickly and accurately (source: https://suricata.io/).
Learn more about Firewalla's Active Protect.
- Suricata is available for Firewalla Gold Pro boxes only. Learn more about other platform support here.
- Suricata is extremely hardware-intensive, and running it in parallel with the Default Engine could impact performance slightly. If you experience any performance issues while running Suricata, please disable it or contact us at help@firewalla.com.
4. FireAI for Network Performance
If you've ever needed help understanding your Network Performance, you can now ask FireAI about Events! Firewalla AI Assistant can help analyze the recent Network Events and suggest some troubleshooting steps you can try.
To ask FireAI about Events:
- Tap on the Network Performance section from your main screen.
- Tap FireAI in the summary section.
- Alternatively, tap on Recent Events > Ask FireAI about the events.
Learn more about Firewalla AI Assistant (Ask FireAI).
- Firewalla AI Assistant is optional. It is not active by default and does not run in the background. It is only active the moment you use it.
- While we strive to provide accurate and helpful responses, AI-generated content may not always be accurate, complete, or up-to-date, and it is not a substitute for human judgment. Always verify important information before taking any action.
5. Separate Data Usage Tracking for Multi-WANs
Requires Box version 1.981
Previously, we only supported a single Data Usage chart, even for dual-WAN setups. In app 1.66, you can now track data usage separately for each WAN!
- If you're using dual-WAN, the Data Usage page will show a chart for each WAN. Tap on a chart to view its daily and monthly data usage.
- If you have the Monthly Data Plan enabled, you can now set different data limits, reset dates, and alarm settings per WAN. When enabled on both WANs, you'll see two separate data plan widgets on the main screen.
Learn more about Firewalla's Data Usage feature.
6. Migrate AP7 & Network Settings - After Installation
After a Firewalla box is set up and installed, our migration tool allows you to migrate data from another box. Previously, this data would not restore Firewalla AP7 configurations or network settings. In this release, we've enhanced our migration tool to allow network setting migrations after installation!
To migrate your network settings:
- Open your Firewalla app and navigate to your new box.
- Tap Settings (top right corner) > Advanced > Migrate from Other Box.
- Select the source box you'd like to migrate network settings from.
- Select Network and Wi-Fi Settings on the Migrate Data page.
- Tap Migrate.
Learn more about migrating data between Firewalla boxes.
- Only available for boxes in Router mode.
- Migrating network settings is only available when the new box has:
  - The same number of ports as the source box (e.g., Gold -> Gold Pro, Purple SE -> Purple)
  - More ports than the source box (e.g., Purple -> Gold)
7. CAKE (Smart Queue) - Moved Out of Beta
In honor of the late Dave Täht—co-creator of FQ_CoDel and CAKE, and a passionate advocate for fair network queuing—we've moved CAKE out of Public Beta and made it more accessible directly from the Smart Queue page.
Dave was an early Firewalla user back in 2021 and a strong supporter of bringing CAKE to our platform. With CAKE now officially part of Smart Queue, we hope more users will explore its benefits and continue the work Dave believed in.
Learn more about CAKE and Smart Queue.
Enhancements
- The category “All VPN sites” is now more effective with Box update 1.981. Rules blocking VPNs can now detect and block OpenVPN and WireGuard connections more reliably.
- Added support for DUID for Multi-WAN setups.
- Source NAT Rules are enhanced to support selecting a specific device, group, user, network, or all devices when translating to external IP addresses.
- WAN connections can now support 13 static IPs (/28 subnet) for Gold and Purple series in Router mode.
- Added IPv6 Prefix to the Network Diagnostic results.
- Enhanced Alarm searching/filtering to be faster.
Various UI Enhancements:
- WAN IP addresses are now displayed on the WAN connection from the Network Manager page.
- VPN Server networks are now hidden from the Network Manager and Devices page when the VPN Server is disabled.
- Changed the icons for "Internet" and "Domain" in Rules and control buttons for better clarity.
- Re-designed the icons for Firewalla boxes and AP7s to help identify them easily in the Device List.
- VPN connections are now labeled with Site to Site or Remote Access on the VPN Client page.
Bug Fixes
Fixed the issue where network configuration data could be mixed up across boxes when managing multiple boxes in one Firewalla App. (Android only, fixed in 1.66(78))
Fixed the issue where DMZ may appear enabled even when it's actually disabled. (Android only, fixed in 1.66(76))
Fixed the issue where the monthly data usage may be displayed incorrectly after upgrading to 1.66. (Android only, fixed in 1.66(73))
Fixed the issue where the app may fail to turn off data plan on 1.980 boxes. (Android only, fixed in 1.66(72))
Fixed the issue where static routes with IPv6 addresses were not supported.
Fixed the issue where Smart Queue rules on different local ports with the same settings were not supported. (Android only)
Fixed the issue where the app might not reflect changes to VPN profiles in time.
Fixed the issue where a warning was incorrectly displayed when connecting IPv6-enabled devices to a WireGuard VPN.
Fixed the incorrect display of the “Create from scratch” button when editing WireGuard VPN profiles.
Fixed the issue where WPA/WPA2 Enterprise was not supported when connecting to Wi-Fi via Purple or the Wi-Fi SD interface. (iOS only)
Fixed the issue where, after resetting policy rules, new device quarantine rules could not be created automatically.
Fixed the issue where creating a rule matching the region "British Indian Ocean Territory" or "Chagos Archipelago" (Country Code: IO) may fail. (Fixed in box version 1.981)
Fixed the issue where the app may show an unusually high bandwidth usage for devices, which may also cause an incorrect Large Bandwidth Usage alarm in some cases. (Fixed in box version 1.981)
Other minor display issues and bug fixes.
Known Issues
- Issue: If a flow is allowed by Device Active Protect, the diagnostic result may incorrectly show it as “Blocked by Active Protect.” This is a display bug and does not affect your actual network connection. [iOS only]
  How to Fix: This issue will be fixed in the next iOS App release.
- Issue: After migrating data from one box to another, if the source box has Active Protect – Suricata enabled, the destination box may display Suricata as “On” even though it is not actually enabled.
  How to Fix: Turn Suricata off and back on to re-enable the feature. This issue will be resolved in the next app release.
- Issue: After pairing an Extended Warranty license with your Firewalla box, the success page may display "Access Point" instead of "Firewalla Box". This is a display issue only and does not affect the effectiveness of your EW license. [iOS only]
  How to Fix: This issue will be fixed in the next iOS App release.
- Issue: When the box is in 1.981, but the App or MSP instance is in App 1.65 or MSP 2.8, there may be two new rules on some devices: (1) Allow matching target list "dap", and (2) Block traffic from/to the internet. These rules are part of Device Active Protect (DAP). They are automatically paused by default and only become active if DAP is enabled in App 1.66 or if they are manually resumed. These rules can be safely ignored.
  How to Fix: This issue will be fixed once App 1.66 is released to production and in the MSP 2.9 update.
- Issue: If a box is upgraded to 1.981 and then downgraded to 1.980, any Disturb rules created in 1.981 may stop working—even after upgrading back to 1.981.
  How to Fix: Remove the old rules, then use App 1.66 with Box 1.981 to create new Disturb rules.
- Issue: With Box 1.981, if port forwardings are created on an IP address (instead of a device), any Security Activity alarms generated by devices matching that IP address will be recognized as a Virtual IP Address device. On the iOS app, the MAC address field will show the "vip" ID of the device; on the Android app, the MAC address field will be hidden.
  How to Fix: This issue will be fixed in future box updates.
- Issue: Muting alarms matching IPv6 addresses is not supported as of box version 1.981.
  How to Fix: This issue will be fixed in future box updates.
- Issue: By default, device-level rules have higher priority than global rules. Device Active Protect (DAP) may take precedence over previously defined rules if an eligible device has DAP enabled.
  How to Fix: This issue will be fixed in a future update. As a workaround, please pause DAP for the affected device so that previously defined rules can take effect.