Implementing least privilege access is one of the foundational principles of a Zero Trust Network. Instead of giving a device full access to your network, we limit it to only what’s needed for it to function.
One way to do this is to manually examine network flows and create a target list for each of your devices, then block all of the device's access and allow only the sites on that list. This is not practical and is likely to run into problems.
With Device Active Protect, Firewalla does the hard work for you. By intelligently analyzing a device’s behavior over time, Firewalla learns which connections are necessary and trusted, then blocks everything else.
- Not all devices are eligible to use DAP
- There is a learning period before blocks are enabled
- Auto Device Isolation via Firewalla AP7 is coming up soon
- DAP initially will run in permissive mode, with more strict blocks coming in future releases
- DAP cannot guarantee that the "allowed" sites are perfect; if you have issues, please pause DAP on the affected device.
This feature requires Firewalla App 1.66 + Box version 1.981 or later. Learn more about the 1.66 Release here.
- DAP Requirements
- Enable DAP
- DAP Phases
- Device Eligibility
- DAP with Firewalla MSP (Coming Soon)
- Troubleshooting Issues with DAP
- FAQs
DAP Requirements
- A Firewalla Gold series box is required.
- Firewalla box must be in Router or Bridge mode.
- Box version 1.981 or later.
- App version 1.66 or later.
- NTP Intercept will be enabled automatically on all networks.
- DAP works best on simple IoT devices. For more details, see Device Eligibility.
Enable DAP
To turn on DAP, go to your box’s main screen, tap Protect, and enable Device Active Protect.
If you don’t have NTP Intercept enabled on all networks, the app will prompt you to enable it.
DAP Phases
DAP has three main phases: Learning, Optimizing, and Active.
Learning
Eligible devices are first placed in the Learning phase. No Internet blocking is applied; Firewalla simply observes the device’s behavior to identify which targets are essential for it to function.
The length of the Learning phase depends on the type of device and its usage patterns. It can take up to seven days to complete, and with Firewalla MSP, this phase may be accelerated in the future.
Since this learning phase is already part of Firewalla’s behavioral Active Protect analysis, some very simple devices may already have been learned even before the full activation of DAP, and may skip this phase altogether.
After the learning is complete, and if DAP is not enabled, eligible devices will be marked as Ready. These devices will remain in the Learning phase until DAP is enabled.
Optimizing
Once the Learning phase is complete and DAP is enabled, eligible devices will move on to the Optimizing phase. In this phase, only the necessary targets are allowed, while all other Internet access is blocked. (Learning will happen in parallel to increase or decrease the number of allowed sites.)
Firewalla will continue to monitor the device’s behavior and automatically optimize the allowed targets as needed. Devices may move back to the Learning phase if their behavioral patterns change significantly.
Active (Coming Soon)
Once the Optimizing phase is complete and DAP is enabled, eligible devices will enter the Active phase. In this phase, DAP will likely have a full understanding of the device behavior and manage device connections with no learning required.
Although this stage is the least permissive, it will still make minor adjustments to access control as it learns new things.
While DAP is still evolving, only the Learning and Optimizing phases are currently available. The Active phase is coming soon.
Ineligible
The device is either too complex or does not have enough "base" data to start the learning stage. As the Firewalla cloud learns more, it will move the device to the learning stage.
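To make the phase transitions above concrete, here is an added toy model of a learn-then-default-deny per-device policy. It is not Firewalla's code: the flow-record format, the seven-day window, the flow-count and distinct-target thresholds, and the "drastic change" churn heuristic are all assumptions chosen for illustration, as is the behaviour that resuming after a pause keeps the learned targets but restarts the learning clock.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

LEARNING_WINDOW = 7 * 24 * 3600  # assumed: learning completes after seven days
MIN_FLOWS_TO_LEARN = 10          # assumed: below this there is not enough "base" data
MAX_DISTINCT_TARGETS = 20        # assumed: more unique targets = "too complex", ineligible
CHURN_THRESHOLD = 0.5            # assumed: this share of unseen targets is a "drastic change"
CHURN_WINDOW = 10                # assumed: evaluate churn once this many flows have been seen

Target = Tuple[str, int]  # (destination domain, port)


@dataclass
class Flow:
    ts: int       # unix timestamp of the flow
    device: str   # device identifier (a MAC address in practice)
    target: str   # destination domain
    port: int


@dataclass
class DeviceState:
    phase: str = "learning"           # learning | optimizing | ineligible
    paused: bool = False
    learned: Counter = field(default_factory=Counter)   # target -> flow count
    learning_started: Optional[int] = None
    recent_total: int = 0             # flows seen since entering Optimizing
    recent_unseen: int = 0            # of those, flows to targets not in the learned set


class DapModel:
    """Hypothetical per-device allow-list learner (illustration only)."""

    def __init__(self, dap_enabled: bool = True):
        self.dap_enabled = dap_enabled
        self.devices: Dict[str, DeviceState] = {}

    def observe(self, flow: Flow) -> str:
        """Process one flow for its device; return 'allow' or 'block'."""
        st = self.devices.setdefault(flow.device, DeviceState())
        key: Target = (flow.target, flow.port)
        if st.paused or st.phase == "ineligible":
            return "allow"  # paused or ineligible: nothing blocked, nothing learned
        if st.phase == "learning":
            if st.learning_started is None:
                st.learning_started = flow.ts
            st.learned[key] += 1
            if len(st.learned) > MAX_DISTINCT_TARGETS:
                st.phase = "ineligible"  # too many distinct targets for an allow-list
            elif self.is_ready(flow.device, flow.ts) and self.dap_enabled:
                st.phase = "optimizing"  # learning done and DAP on: start blocking
                st.recent_total = st.recent_unseen = 0
            return "allow"
        # Optimizing: only learned targets pass, but keep watching for pattern changes
        st.recent_total += 1
        if key in st.learned:
            st.learned[key] += 1
            return "allow"
        st.recent_unseen += 1
        if st.recent_total >= CHURN_WINDOW and st.recent_unseen / st.recent_total >= CHURN_THRESHOLD:
            # Behaviour changed significantly: drop back to Learning (no blocking)
            st.phase = "learning"
            st.learning_started = flow.ts
            st.learned[key] += 1
            return "allow"
        return "block"

    def is_ready(self, device: str, now: int) -> bool:
        """Learning complete ('Ready'): enough flows over a full learning window."""
        st = self.devices.get(device)
        if st is None or st.learning_started is None:
            return False
        return (now - st.learning_started >= LEARNING_WINDOW
                and sum(st.learned.values()) >= MIN_FLOWS_TO_LEARN)

    def phase(self, device: str) -> str:
        st = self.devices.get(device)
        if st is None:
            return "unknown"
        return "paused" if st.paused else st.phase

    def allowed_targets(self, device: str) -> Set[Target]:
        return set(self.devices[device].learned)

    def pause(self, device: str) -> None:
        self.devices[device].paused = True

    def resume(self, device: str) -> None:
        """Re-enter Learning; assumed to keep prior counts but restart the clock."""
        st = self.devices[device]
        st.paused = False
        st.phase = "learning"
        st.learning_started = None  # set again by the next observed flow


def run_demo() -> dict:
    """Constructed flows for a hypothetical thermostat; returns a phase/verdict summary."""
    m, day = DapModel(dap_enabled=True), 86400
    flows = [Flow(i * day, "thermostat", "api.example-iot.test", 443) for i in range(8)]
    flows += [Flow(i * day + 10, "thermostat", "time.example.test", 123) for i in range(4)]
    for f in sorted(flows, key=lambda f: f.ts):
        m.observe(f)
    after_learning = m.phase("thermostat")  # 'optimizing' once day 7 is reached
    known = m.observe(Flow(8 * day, "thermostat", "api.example-iot.test", 443))
    unknown = m.observe(Flow(8 * day + 1, "thermostat", "telemetry.example.test", 443))
    # Eight more never-seen targets (nine of the last ten unseen): a drastic change
    for i in range(8):
        last = m.observe(Flow(8 * day + 2 + i, "thermostat", f"new{i}.example.test", 443))
    return {"after_learning": after_learning, "known": known, "unknown": unknown,
            "churn_last": last, "after_churn": m.phase("thermostat")}
```

Running `run_demo()` walks one device through the cycle: seven days of observation with nothing blocked, then an allow-list that passes the learned API and NTP targets and blocks a new telemetry host, then a fall back to Learning (with blocking lifted) once most recent flows go to targets the device never used before. A device that talks to more than twenty distinct targets is marked ineligible and never blocked, mirroring the "too complex" case above.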
Device Eligibility
- Only certain IoT devices are eligible for DAP.
- Devices with more complex online activities are NOT eligible (e.g., smartphones, computers, tablets, and other devices that can run multiple apps and access an unpredictable set of sites).
- As DAP improves, and along with Firewalla MSP, more complex devices may become eligible in the future.
DAP with Firewalla MSP (Coming Soon)
MSP’s extended flow history and deeper behavioral pattern detection will significantly shorten the Learning phase. And, with our machine-learning-based Firewalla Intelligence, DAP will be able to support more complex IoT devices.
The Active phase (coming soon) may also require Firewalla MSP to utilize its detailed flow history and behavioral analysis data through the MSP Active Protect Engine.
Troubleshooting Issues with DAP
If you have DAP enabled and your IoT device stops working as expected, you can pause DAP for that specific device.
Step 1: Check if DAP is the cause
- Go to your device’s detail page and tap Network Flows.
- Tap View Blocked to see if any connections were blocked.
- Tap on a blocked flow and tap Diagnose.
If the diagnostics show “Blocked by Device Active Protect,” DAP may be causing the issue. Continue to Step 2 to pause DAP.
Step 2: Pause DAP
- On the diagnostics screen, tap Show the Feature to go to the Protected Devices page.
- Tap the device you’re troubleshooting.
- Tap Pause Device Active Protect at the bottom of the detail page.
When DAP is paused:
- No targets will be blocked
- No new targets will be learned
You can resume protection at any time by tapping Resume Device Active Protect. The device will re-enter the Learning phase.
Alternatively, you can enable Emergency Access on the device to instantly suspend all blocking mechanisms on your device, including any rules created by DAP.
- Navigate to your device detail page, scroll down, and toggle Emergency Access on.
- Basic protections and monitoring of your device will remain in place.
- Learn more about what happens when Monitoring is off or when Emergency Access is on.
If the blocked flow wasn’t caused by DAP, then it may be a different rule or feature enabled. Check out our other article on what to do when you can't access certain websites for more help.
FAQs
- How does Firewalla learn my device behavior?
- Why are devices disappearing from "optimization"?
- Why are the "optimization" and "learning" stages more permissive?
- How can I restart Device Active Protect learning?
- Can DAP isolate my device on the local network?
How does Firewalla learn my device behavior?
Firewalla analyzes your device’s network activity locally on your Firewalla box. This local analysis helps Firewalla learn which domains or services your device needs in order to function properly.
Note that Firewalla already has behavioral analytics running (e.g., Abnormal Upload Alarms). Partial learning can happen even without turning on DAP. This helps determine the number of eligible devices and makes DAP activation occur faster.
In the future, to improve learning accuracy, we may anonymously aggregate behavioral patterns across similar devices in the cloud.
There’s no LLM or AI model involved. Firewalla uses simple data structures (like graphs) and traditional machine learning algorithms to make decisions.
Why are devices disappearing from "optimization"?
When DAP is active, the algorithm constantly optimizes access patterns. If it is not sure whether the device's access control is useful, or whether more permissive rules are needed, it will automatically move the device to a different stage. The Learning and Optimizing stages can be entered at any time, and devices may be marked ineligible if our learning algorithms detect drastic changes in their access patterns.
The ineligible device may move to the "learning" stage after the system gets a better handle on the base access patterns.
Why are the "optimization" and "learning" stages more permissive?
The purpose of these stages is to build up a soft barrier between your device and the internet (and, in the future, your LAN). Machine learning algorithms will be used at this stage, and sites blocked are based on the learned access patterns. When these stages are activated, you will see more sites permitted.
Once the algorithm implements the "active" stage, device access control will be much less permissive.
How can I restart the Device Active Protect learning process?
The learning process is fully automated; it's not necessary to start over. Depending on device behavior, and as DAP continues to evolve, devices may move between stages at any time.
Can DAP isolate my device on the local network?
Currently, DAP only controls Internet access. It does not isolate devices from your LAN.
- In an upcoming release, DAP will automatically enable Device Isolation if you have the Firewalla AP7.
- In the meantime, we recommend segmenting your IoT devices using VLANs or VqLAN (AP7). Learn more in our Zero Trust Network Architecture article.
Comments
An option to force a device to be ineligible would be nice. There are devices that are learning that I don't want included.
Hi Doyle Jack, if you'd like to remove devices from the Learning phase, you can pause DAP individually. Go to Protect > Device Active Protect > tap the device you want to pause > Pause Device Active Protect.