We will likely be releasing Firewalla MSP to the general public in the next 2 to 3 months. There will be deep discounts and free credits for early adopters; if you are interested, please sign up by filling out this survey and we will notify you once the pre-sale starts.
Firewalla MSP is a Managed Security Portal designed for security and infosec professionals to easily manage multiple Firewalla boxes remotely. In this article, we'll introduce you to Firewalla MSP, review its key features and capabilities, show you how to set it up, and answer some frequently asked questions.
Note: we are also actively looking at making a lite (more affordable) version for home users.
- What is Firewalla MSP?
- What are Firewalla MSP's features?
- How do I set up Firewalla MSP?
- FAQ
- Latest Release Notes: Version 2.0
Firewalla MSP is currently in Beta. If you would like to sign up for access to these early versions, please fill out our Firewalla MSP Waitlist Signup.
What is Firewalla MSP?
Firewalla MSP is a web interface where you can conveniently and efficiently manage a fleet of Firewalla boxes. As a cloud-based management system, each management portal is an isolated container within the Firewalla Cloud. Managed instance data is fully isolated within this container.
Some of Firewalla MSP's main highlights include:
- A private domain (e.g., mycompany.firewalla.net). You can use your company name to create a vanity subdomain for Firewalla MSP. Once configured, you can sign in using your email address and password. Two-factor authentication is also supported.
- A container-based centralized management interface. Firewalla MSP stores data related to Firewalla boxes that you manage in a unique encrypted AWS container. It is never mixed with anyone else's data. It is only accessible to the admins you grant access to, much like how your Firewalla box is only accessible to the mobile devices you allow.
- A global view of all your Firewalla boxes and devices. While you'll still have the ability to manage individual Firewalla boxes, you can also use Firewalla MSP to see all:
  - Alarms
  - Rules
  - Target Lists
  - Flows
- The ability to set policies on multiple boxes. You can deploy rules across multiple Firewalla boxes just as quickly as a single box.
- Extended logging and analytics. Firewalla MSP processes and stores data centrally in the cloud. This also means you can easily and quickly search through all your logs.
- Webhook/Slack/IFTTT integration. You can get Firewalla alerts in Slack or use IFTTT to trigger any action you'd like.
- Programmable APIs for service integration.
Before you continue exploring Firewalla MSP
- The Firewalla MSP interface is in "Beta." There will be bugs and bug fixes.
- Please be careful if you're using the MSP interface in production mode. This version is best in a "Beta" environment.
- Firewalla MSP is container-based. The container runs inside Amazon AWS (in the USA). The container will store all active data (flows) and policies from all your managed Firewalla boxes. Data are stored within the container, so once the container is removed, the data will also be removed.
What are Firewalla MSP's features?
To streamline the process of managing all your Firewalla boxes, Firewalla MSP has unique features that make configuring one box as easy as configuring one hundred boxes. These include:
- Dashboard
- Inventory
- Alarms
- Devices
- Rules
- Target Lists
- Flows
- Events
- Temporary Access
- API
- Exporting Data
- Upcoming Features: Mesh VPN & Reports
Dashboard
The Dashboard gives an overview of all boxes over the last 30 days. Its modules include:
- Online/Offline Boxes. An overview of all Firewalla boxes that are online or offline.
- Total Number of Alarms and rules. An overview of all alarms and rules across all boxes.
- System Alerts. Some noteworthy system events. For example, if a box goes offline and is not online, a system alert will be shown on the dashboard.
- Daily Blocked Flows. A chart of the number of flows blocked per day.
- Daily Alarms and Rules. A graph of the number of alarms and rules your devices have recorded per day.
- Top Boxes by Blocked Flows. The boxes with the most blocked flows.
- Top Boxes by Security Alarms. The boxes with the most security alarms.
- Top Regions by Blocked Flows. The most common regions of the world where your blocked flows have originated.
- Activities. The latest actions that you or any other users took.
Inventory
You can open your Inventory via the lefthand panel. From this page, you can:
- Add/remove Firewalla boxes
- View active boxes and status
- Create a group to manage boxes
Grouping together multiple Firewalla boxes can help you filter data, manage views for different entities, and deploy your rules in different phases.
View Options
Once you have created your Box Groups, you can click the dropdown button at the top of the page to select a Box Group. Firewalla MSP will only show you information relevant to the selected group. This feature can help scale the number of boxes managed by one MSP account.
Alarms
- Manage alarms across all or a selected group of boxes
You can search by Alarm type across all the Firewalla boxes you manage and filter with multiple Alarm types if you like.
3rd-Party Platform Integration
For advanced users, Firewalla MSP also allows you to integrate Firewalla alarms into other apps and flows using:
- IFTTT,
- Slack,
- Webhooks.
Want your whole team to see important notifications in Slack? Want to receive an email, text, or an automated phone call when something bad is happening on your network? Then Integrations are for you. Learn more about how you can set up integrations.
Devices
Under Devices, you can search by box, Device, Network, IP address, MAC address, Device Vendor, or Online/Offline Status.
Rules
Rules allow you to search by Box, Action, Matching Condition, or the Device/Group/Network to which the rule applies. You can also create or edit rules on any device across your Firewalla boxes.
To help you manage multiple Firewalla boxes easily, you can apply rules to all Firewalla boxes (or a selected group of Firewalla boxes) at one time. For example, when you create a rule on "all devices" from Firewalla MSP, the rule will be synced to all boxes in your inventory. Any newly joined boxes will have the global rules applied automatically.
Target Lists
Target Lists created on Firewalla MSP are shared across all boxes. Each list can contain up to 2000 targets. After creating a target list, you can create rules matching it and apply them to any device on any box.
On Firewalla MSP, you can create target lists owned by MSP instead of individual boxes. To make the "Owner" concept more clear and easy to manage, we've set up a few constraints:
- You can create MSP-owned target lists under the MSP global view or create box-owned target lists under an individual box view. Once a target list is made, the owner cannot be changed.
- When managing target lists under the MSP global view, you can see all the lists owned by MSP and Firewalla. These lists can be used to create rules across different boxes and box groups.
- If you switch to an individual box's view (by clicking the inventory dropdown at the top of the page), you will be able to see all the lists owned by MSP, Firewalla, and the box. You can also use these lists to create rules.
Flows
On the Flows page, you can search flows by Box, Block Status, Source, Destination, Port, and Device. Since Firewalla MSP processes and stores data centrally in the cloud, you can search through flows much faster than in my.firewalla. Each flow is saved for 30 days. You will be able to extend this even further in the future for an additional cost.
If you see a suspicious flow or are simply curious about the reputation of a flow, you can perform a 3rd-party platform security lookup directly from the flows list. Firewalla MSP supports Cisco Talos, Google Safe Browsing, Virus Total, Shodan, AbuseIPDB, and more.
Events
- Display MSP-specific events, such as when a box goes online/offline.
- Activities will show historical modifications to the MSP system, making this a good place to audit changes.
You can see a 30-day history of significant events and activities in your system by clicking Events in the left navigation panel. A box going online or offline will trigger a System Event. When you or other admins make changes, such as creating and updating a rule, Firewalla MSP logs these actions as Activities. More system events and user activities, including creating and updating target lists, are upcoming in future releases.
Temporary Access
You can activate Temporary Access on any box to fully control it using the Firewalla App on any mobile phone.
Turn on Temporary Access by first navigating to Inventory in the lefthand bar. Then, click the box you'd like to control using Firewalla MSP. Scroll down until you see the Temporary Access option and click on it.
Toggle Temporary Access to On and scan the generated code using your phone. You'll then be able to make complex network configurations or troubleshoot a customer's box using the mobile app without having to go through the pairing process or having physical access to the Firewalla box.
Once you've enabled Remote Access, you should see messages like this on Firewalla MSP and the Firewalla App.
API
You can use our API to interact with Firewalla MSP and boxes programmatically. Learn more about how to use the Firewalla MSP API.
For example, here's what accessing the names and IP addresses of devices that are online looks like using the Firewalla MSP API:
curl -s 'https://mymsp.firewalla.net/v1/device/list' \
  -H 'Authorization: Token 70f3d2--------51878fdf' \
  | jq '[.[] | select(.online==true) | {name: .name, ip: .ip}]'
[
  {
    "name": "AppleTV",
    "ip": "192.168.203.67"
  },
  {
    "name": "Firewalla",
    "ip": "192.168.203.157"
  },
  {
    "name": "raspberrypi",
    "ip": "192.168.194.183"
  },
  {
    "name": "MyCamera",
    "ip": "192.168.194.166"
  }
]
Exporting Data
You can save your device list and alarm data as CSV files using the Export button at the top right of the screen. We may include more types of data in the future.
Upcoming Features
VPN Mesh
With Firewalla VPN mesh, you can:
- Seamlessly connect multiple boxes from the MSP interface
- Create and manage different networks of boxes
- Easily control who gets to access each VPN mesh
Reports
We've also been building a new interface to give you a unified overview of all your boxes. The Firewalla Reports will display useful metrics about box status, Internet quality, alarms, rules, blocked flows, and top destinations across your network, and you will be able to export and share the data from Reports easily.
How do I set up Firewalla MSP?
If you're interested in setting up Firewalla MSP, here's what we'll need from you:
- A name for your account. This can be your company name. It must be "URL ready," meaning you can't use characters that can't be used in a URL. Also, there is a possibility that your desired vanity subdomain is already taken. You may have to choose a modified version if that's the case.
- One user email to manage the instance.
Since it is relatively costly to provision each instance, we ask that you fill out this form to join the waitlist once you have chosen a name and an email:
Logging into Firewalla MSP
To log in, go to https://yourcompanyname.firewalla.net. Type in the username/password you signed up with. When you first log in to Firewalla MSP, it will guide you through setting your password.
If you want to add an extra layer of protection to your account, you can set up Two-Factor Authentication with an authenticator app. We recommend using cloud-based TOTP apps such as 1Password, Authy, Google Authenticator, or Microsoft Authenticator.
You can turn on/off Two-Factor Authentication or change your password at any time in Account -> Account Settings -> Access section.
We recommend using an Incognito browser window if you are on a public computer. This ensures that as soon as you close your Firewalla MSP window, access to your account is gone, just as you wouldn't want to leave your email account open on a public computer.
Once you are signed in, you can add boxes to your inventory to manage them.
Adding Firewalla Boxes to your Inventory
You can follow these steps to add a Firewalla box to your management inventory.
- Navigate to Inventory in the lefthand bar, or go to https://companyname.firewalla.net/#/inventory.
- Click on Add Firewalla Box. To add additional Firewalla boxes, use the QR code reader in the Firewalla App. The Firewalla App is needed to give an IT professional or Firewalla MSP permission to manage the box. After this setup, you won't need the app all the time.
- Use the QR reader in the Firewalla App to scan and choose as many Firewalla boxes as you want to manage with Firewalla MSP. All the devices you currently manage in the app will be displayed. You can follow the on-screen instructions to complete the adoption.
Note: Only Firewalla Gold, Firewalla Purple, and Firewalla Blue Plus can be managed with Firewalla MSP.
A box can only be managed by one MSP portal at a time. However, you can still pair a box to individual mobile devices using the mobile app to allow individuals who don't have MSP credentials to manage an individual box.
For example, if you are an MSP that supports many companies but a Security Engineer from one of your clients wants to manage their own box, you can give them access to that box without giving them access to any of the other Firewalla boxes you manage.
Removing Firewalla boxes from the MSP inventory
- Navigate to Inventory in the lefthand bar, or go to https://companyname.firewalla.net/#/inventory.
- Select the box you want to remove, scroll to the bottom and click the button Remove this box from Inventory.
This will only remove the box from your Firewalla MSP inventory. You'll still be able to access the Firewalla box with the phones with which it has already been paired.
Cost
- Early access and Beta users can use Firewalla MSP for FREE.
- Since we are renting a significant number of Amazon servers for this service, we plan to charge a reasonable fee for this interface in the future. The exact cost depends on how much we can reduce the cost of Amazon infrastructure and how many users are interested.
- We are also exploring how to make the MSP interface work for individual users, so you don't have to be an MSP to use this interface.
FAQ
- Can I still log in to my.firewalla.com?
No. Once a Firewalla box is linked with the MSP instance, it cannot be managed by my.firewalla.com. You can remove a box from MSP at any time, but you will lose stats beyond the last 24 hours.
- Will my.firewalla.com go away or change in any way?
my.firewalla.com will not go away, and new features will still be added wherever possible. While hardware performance limits our ability to put all of the features of the MSP offering into my.firewalla.com, we will continue offering and updating our web interface for free.
- Why is there a waiting list?
This early version of the Firewalla MSP is costly to run.
- Does MSP limit or change how I manage my Firewalla boxes in the mobile app?
In the app you will see if a particular Firewalla is managed by an MSP and the MSP name. Other than that, there is no change to how Firewalla boxes are managed in the mobile app. For example:
- A mobile device can manage many Firewalla boxes.
- A Firewalla box can be managed by multiple mobile devices if you allow the pairing.
- A Firewalla box can be added to the inventory of an MSP instance. This changes nothing as far as mobile devices that are paired to that box.
- Having access to a Firewalla via mobile app doesn't mean you automatically have access to the MSP instance. For example, if you are an MSP managing a Firewalla for a customer, the customer can access their own Firewalla but would not have access to the MSP instance.
- If you own more than one Firewalla, some can be managed by an MSP instance while others are not. Any that are not included in MSP will still be accessible via https://my.firewalla.com/ as always.
- What are the differences between Firewalla MSP and my.firewalla.com?
Unlike Firewalla MSP, my.firewalla.com is a proxy service. We host the management interface and have that interface interact with your Firewalla directly via my.firewalla.com. Only cache data is stored in the cloud memory, with no configuration or runtime data. Here's a table with all the differences:
| | Firewalla MSP | my.firewalla.com |
|---|---|---|
| Intended Customer | Security professionals and Managed Security Providers, and power users | Individual users |
| Data Storage | In-cloud & on-device | On-device |
| Login requirements | Email | Firewalla App |
| Typical deployment strategy | Multiple admins | One admin |
| View Scope | Unlimited number of Firewalla boxes | One Firewalla box |
| Improved Search | Faster search across all boxes | |
| API Access | ✔️ | |
| Slack/IFTTT integration | ✔️ | |
| Deploy rules across multiple Firewalla boxes | ✔️ | |
| Private domain | ✔️ | |
| Fees | Fee-Based (TBD) | Free |
Comments
32 comments
Thank you for writing up this article.
Looks to be fun. Just wish I had a purple so I could play with routing and vpn technique. But thanks a ton Guys for providing this for us to try out!
I have 4 Gold's & 1 Blue+. Too bad beta only does 3.
@broadnetwork created a ticket for you, we can increase the limit for early access mode.
I signed up a few days ago. Any way to find out where we are on the list? Thanks!
@Bryan
Just invited, please check your email inbox.
This is a neat concept; look forward to seeing how this unfolds.
Does the MSP have the same 20 target list limit as when creating target lists on the box? Also, is there currently a way to add additional users to be able to log into the MSP and access the account, or do we have to share credentials for now?
Try to add more target lists; I think we increased that to 2000 or so.
Do you mean invite more people into your MSP container? That has to be done manually at the moment.
@Firewalla - yes, I was going to add some boxes but wanted to add an additional user. It isn't a big deal to share creds with this individual, but, I would prefer to use 2FA once available, so that will be an issue at that time. Ideally role based access would be best, so I can limit their permissions, but that is a long term goal.
On a related note, I've been hesitant to really start adopting the MSP portal because of the lack of a pricing model. I'd hate to start using the APIs for alerts, automation, etc., or start building shared target lists only to find it cost prohibitive. I've seen mention about the possibility of a "lite" version of the MSP which would lack HA or other features to cut cost. Also, this article reads as if beta users will remain free, but it isn't clear what limits there may be.
Once this becomes a paid service, do we have the option to roll back to pre-MSP?
@Dion, pre-MSP is just the my.firewalla.com, yes, you can go back
You are spinning up a new container for each user correct? Could this be something that is bought and installed on our own server in house?
… Building on @James’ thought: or even run the container directly on the Firewalla itself (for Gold), exposing the API and integrations and management locally, using the same code as MSP?
The containers themselves are tied into the AWS infrastructure, so it is not possible to move them around. They are essentially cloud-based by design.
Instructions need to be updated.
Should be ....
Adding Firewalla Boxes to your Inventory
To add a Firewalla box to your management inventory, follow these steps.
Holy cow... How am I just now seeing this???
WTG Firewalla. Can't wait to drive it!
We need more functionality within the MSP portal. I would like to be able to get into the router and have the same functions and see the same User Interface as the iOS app. We should be able to change settings on the router from the MSP and log in remotely to fix issues to all of our routers in the field. I don't want to have to pull out my phone to attempt to fix an issue in the field. Full computer access is needed.
This introduction talks about multiple admins. How do I add a new admin?
@Shew
Right now it can only be added by us, configuring in the backend. But we are working on it to support it in the UI.
I am using this as a power user and it is GREAT! May I make a suggestion? Once you start charging for it if the only 2 tiers are the basic web app and unlimited, it will probably be priced out of power users budgets. I would suggest the FREE tier (1 box basic) and then a power home user tier (1 box but with the MSP dashboard) and then 2-3 or whatever, and then 3-99, 100-1000, etc. Otherwise a lot of us "power users" may get priced out.
There have been discussions on a cheaper tier for non-MSPs; since Amazon charges us for the containers/extra storage/network bandwidth, there is no way this cheaper tier will be free.
Absolutely! I would expect to pay something for it. But I would expect to pay less than people who are managing more boxes. Anyway, thanks for listening.
Looking to collect all blocked in-bound IP addresses and the source country. This is my API call.

curl -s --request POST --url 'https://central.firewalla.net/v1/flows/query' --header ' Authorization: Token dfd143d.............016ad' | jq '.[] | {ip,blocked,fd,country} | select(.blocked) | select(.fd=="in")'
That gives me results that look like ...
{
"ip": "",
"blocked": true,
"fd": "in",
"country": ""
}
{
"ip": "",
"blocked": true,
"fd": "in",
"country": ""
}
But this is nowhere near the number of blocked flows on the MSP portal or mobile app. Also, from the API I can't get any of the blocked inbound flows.
What am I doing wrong?
And even if we assume I don't understand what "fd" represents, I still get very few results.
Trying this call ...
curl -s --request POST --url 'https://central.firewalla.net/v1/flows/query' --header ' Authorization: Token dfd143d.............016ad' | jq '.[] | {ip,blocked,fd,country} | select(.blocked)'
I still only get ...
{
"ip": "",
"blocked": true,
"fd": "in",
"country": ""
}
{
"ip": "41.214.134.201",
"blocked": true,
"fd": "out",
"country": "MA"
}
{
"ip": "89.248.163.175",
"blocked": true,
"fd": "out",
"country": "NL"
}
{
"ip": "",
"blocked": true,
"fd": "in",
"country": ""
}
{
"ip": "80.66.83.55",
"blocked": true,
"fd": "out",
"country": "RU"
}
{
"ip": "89.248.163.175",
"blocked": true,
"fd": "out",
"country": "NL"
}
Hi Chris,
By default the API returns 200 responses. If you need more or less than that, you can specify like so:
The start/end times are in Unix epoch format and are optional, but they let you bracket precisely the time inspected.
Thank you. Please consider documenting that somewhere ... any other tricks you can share?
I tried setting the limit to 100, 300, and 500 and still only was able to get 200 records returned. Seems like no matter what the "limit" is set to only 200 records are returned.
What am I doing wrong?
┌──(pi㉿x)-[~]
└─$ curl -s --request POST --url 'https://central.firewalla.net/v1/flows/query' --header ' Authorization: Token dfd143d.............016ad' --data '{ "limit": 500}' | jq '.[] | {ip,fd,blocked}' | grep fd | wc -l
200
┌──(pi㉿x)-[~]
└─$ curl -s --request POST --url 'https://central.firewalla.net/v1/flows/query' --header ' Authorization: Token dfd143d.............016ad' --data '{ "limit": 300}' | jq '.[] | {ip,fd,blocked}' | grep fd | wc -l
200
┌──(pi㉿x)-[~]
└─$ curl -s --request POST --url 'https://central.firewalla.net/v1/flows/query' --header ' Authorization: Token dfd143d.............016ad' --data '{ "limit": 100}' | jq '.[] | {ip,fd,blocked}' | grep fd | wc -l
200
Adding the date range for the past 12 months (yes, I know that the data don't go back more than 24 hours) still doesn't give the right results.
curl -s --request POST --url 'https://central.firewalla.net/v1/flows/query' --data '{ "limit": 500, "start": 1646110800, "end": 1677686238}' --header ' Authorization: Token dfd143d.............016ad' | grep ip | grep 89\.248\.163\.110
"ip": "89.248.163.110",
Certainly more than enough data to return.
Let's assume I am going about this the completely wrong way. How can I use the API MSP feature to get a list of all blocked inbound connection attempts?
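An offline way to check what a /v1/flows/query response actually contains, as an added example that is not part of the original comments or Firewalla's own code. It assumes the response is a JSON array of objects carrying the ip, blocked, fd and country fields shown in the thread; the function name, the sample records and the MSP_TOKEN variable are constructed for illustration.

```python
#!/usr/bin/env python3
"""Summarize blocked flows from a saved or piped /v1/flows/query response.

Usage (the endpoint and Token header are the ones quoted in the thread):
  curl -s --request POST --url 'https://<your-msp>.firewalla.net/v1/flows/query' \
       --header "Authorization: Token $MSP_TOKEN" | python3 summarize_flows.py in
"""
import json
import sys
from collections import Counter

# The thread reports 200 records per call, whatever "limit" was requested.
DEFAULT_CAP = 200

# Constructed sample records (documentation-range IPs), shaped like the
# objects in the thread, including the empty ip/country values seen there.
SAMPLE_FLOWS = [
    {"ip": "", "blocked": True, "fd": "in", "country": ""},
    {"ip": "203.0.113.10", "blocked": True, "fd": "out", "country": "NL"},
    {"ip": "198.51.100.7", "blocked": True, "fd": "out", "country": "RU"},
    {"ip": "203.0.113.10", "blocked": True, "fd": "out", "country": "NL"},
    {"ip": "", "blocked": True, "fd": "in", "country": ""},
    {"ip": "192.0.2.44", "blocked": False, "fd": "out", "country": "US"},
]


def summarize_blocked(flows, direction=None):
    """Count blocked flows per remote IP and per country.

    direction is an optional "fd" value ("in" or "out") to filter on.
    Records with an empty ip are counted separately instead of being
    silently grouped, since they cannot be attributed to a source.
    """
    by_ip, by_country = Counter(), Counter()
    matched = missing_ip = 0
    for flow in flows:
        if not flow.get("blocked"):
            continue
        if direction and flow.get("fd") != direction:
            continue
        matched += 1
        ip = flow.get("ip") or ""
        if not ip:
            missing_ip += 1
            continue
        by_ip[ip] += 1
        by_country[flow.get("country") or "unknown"] += 1
    return {
        "matched": matched,
        "missing_ip": missing_ip,
        "by_country": by_country.most_common(),
        "by_ip": by_ip.most_common(),
        # A response at the cap is probably a partial view, so totals
        # should not be compared with the portal's blocked-flow counters.
        "possibly_truncated": len(flows) >= DEFAULT_CAP,
    }


if __name__ == "__main__":
    wanted = sys.argv[1] if len(sys.argv) > 1 else None
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    data = json.loads(raw) if raw.strip() else SAMPLE_FLOWS
    print(json.dumps(summarize_blocked(data, wanted), indent=2))
```
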
Is the Beta still open? I would love to give this a try.
Hello,
I filled the form days ago but never got the invite. Could you please check if I'm in the list?
Thanks,
Manuel
Please be patient; we are working on an automatic signup system now, and it may take a week or two to get it ready. When that is done, we won't need the waiting list.
If you are on the list, please do watch out for an email from us.
Hello team,
I am receiving this message since last Saturday: