Firewalla MSP is a Managed Security Portal designed for security and infosec professionals to easily manage multiple Firewalla boxes from anywhere. In this article, we'll introduce Firewalla MSP, review its key features and capabilities, show you how to set it up, and answer some frequently asked questions.
- What is Firewalla MSP?
- What are Firewalla MSP's features?
- How do I set up Firewalla MSP?
- FAQ
- Latest Release Notes: Version 2.4.0
Sign up at https://firewalla.net. All plans include a 6-month trial at a discounted rate!
What is Firewalla MSP?
Firewalla MSP is a web interface where you can conveniently and efficiently manage a fleet of Firewalla boxes. As a cloud-based management system, each management portal is an isolated container within the Firewalla Cloud. Managed instance data is fully isolated within this container.
Some of Firewalla MSP's main highlights include:
- Email-based login. You can sign in using your email address and password.
- Two-factor authentication is also supported for Business and Professional plans.
- A private domain (e.g., mycompany.firewalla.net). You can use your company name to create a vanity subdomain for Firewalla MSP (MSP Business plan only). MSP Professional plan users use a [random].firewalla.net address.
- A container-based centralized management interface. Firewalla MSP stores data related to Firewalla boxes you manage in a unique encrypted AWS container. It is never mixed with anyone else's data. It is only accessible to the admins you grant access to, much like how your Firewalla box is only accessible to the mobile devices you allow.
- A global view of all your Firewalla boxes and devices. While you'll still have the ability to manage individual Firewalla boxes, you can also use Firewalla MSP to see all:
- Alarms
- Rules
- Target Lists
- Flows
- The ability to set policies on multiple boxes. You can deploy rules across multiple Firewalla boxes as quickly as on a single box.
- Box update management. Choose when your boxes get updates, ensuring they're only installed at safe hours for your home and business.
And for advanced users:
- Reporting and Extended logging and analytics. Firewalla MSP processes and stores data centrally in the cloud. This also means you can easily and quickly search through all your logs.
- Programmable APIs/Webhook/Slack/IFTTT integration. You can get Firewalla alerts in Slack or use IFTTT to trigger any action.
- VPN Mesh allows you to connect multiple boxes seamlessly, from anywhere in the world.
What are Firewalla MSP's features?
To streamline managing all your Firewalla boxes, Firewalla MSP has unique features that make configuring one box as easy as configuring one hundred boxes. These include:
- Dashboard
- Inventory
- Alarms
- Devices
- Rules
- Target Lists
- Flows
- VPN Mesh
- Reports
- Events
- Temporary Access
- API
- Exporting Data
- Box Update Management
- Version Upgrade Options
- Adding or Deleting Users
Dashboard
The Dashboard gives an overview of all boxes over the last 30 days. Its modules include:
- Online/Offline Boxes: An overview of all Firewalla boxes that are online or offline.
- Total Number of Alarms and rules: An overview of all alarms and rules across all boxes.
- System Alerts: Noteworthy system events. For example, if a box goes offline and does not come back online, a system alert is shown on the dashboard.
- Daily Blocked Flows: A chart of the number of flows blocked per day.
- Daily Alarms and Rules: A graph of the number of alarms and rules your devices have recorded per day.
- Top Boxes by Blocked Flows: The boxes with the most blocked flows.
- Top Boxes by Security Alarms: The boxes with the most security alarms.
- Top Regions by Blocked Flows: The most common regions of the world where your blocked flows have originated.
- Activities: The latest actions that you or any other users took.
Inventory
You can open your Inventory via the left-hand panel. From this page, you can:
- Add and Remove Firewalla boxes
- View active boxes and status
- Create a group to easily manage multiple boxes together
Grouping multiple Firewalla boxes can help you filter data, manage views for different entities, and deploy your rules in different phases. For example, if you manage Firewalla boxes for multiple customers, and each customer has multiple locations, you could group each customer into a separate Group.
Seats are how you add boxes to your Inventory in MSP: each box added to your MSP instance requires a seat. For example, if you have 5 seats, you can manage up to 5 boxes, and seats can stay empty if you are planning for the future. Each MSP Plan comes with 1 free seat, and Professional and Business Plan users can purchase additional seats. Learn more about seats and managing multiple boxes in our article on Managing Seats.
For detailed instructions on how to manage your Inventory, see our article on Adding and Removing Boxes in MSP.
View Options
Once you have created your Box Groups, you can click the dropdown button at the top of the page to select a Box Group. Firewalla MSP will only show you information relevant to the selected group. This feature can help scale the number of boxes managed by one MSP account.
Alarms
- Manage alarms across all or a selected group of boxes
You can search by Alarm type across all the Firewalla boxes you manage and filter with multiple Alarm types if you like.
3rd-Party Platform Integration
For advanced users, Firewalla MSP also allows you to integrate Firewalla alarms into other apps and flows using:
- IFTTT
- Slack
- Webhooks
Want your whole team to see important notifications in Slack? Want to receive an email, text, or an automated phone call when something bad is happening on your network? Then Integrations are for you. Learn more about how you can set up integrations.
Devices
Under Devices, you can search by Box, Device, Network, IP address, MAC address, Device Vendor, or Online/Offline Status.
On each device's detail page, you can see its name, device type, group, local domain, MAC address, IP address, network, vendor, online/offline status, activity history, rules, and alarms.
Rules
Rules allow you to search by Box, Action, Matching Condition, or the Device/Group/Network to which the rule applies. You can also create new rules, edit existing rules, and see the hit count of each rule across your Firewalla boxes.
To help you manage multiple Firewalla boxes easily, you can apply rules to all Firewalla boxes (or a selected group of Firewalla boxes) at one time. For example, when you create a rule on "all devices" from Firewalla MSP, the rule will be synced to all boxes in your inventory. Any newly joined boxes will have the global rules applied automatically.
Target Lists
Target Lists created on Firewalla MSP are shared across all boxes. Each list can contain up to 2000 targets. After creating a target list, you can create rules matching it and apply them to any device on any box.
On Firewalla MSP, you can create target lists owned by MSP instead of individual boxes. To make the "Owner" concept more clear and easy to manage, we've set up a few constraints:
- You can create MSP-owned target lists under the MSP global view or create box-owned target lists under an individual box view. Once a target list is made, the owner cannot be changed.
- When managing target lists under the MSP global view, you can see all the lists owned by MSP and Firewalla. These lists can create rules across different boxes and box groups.
- If you switch to an individual box's view (by clicking the inventory dropdown at the top of the page), you can see all the lists owned by MSP, Firewalla, and the box. You can also use these lists to create rules.
App Access for Target Lists:
To help you manage your Target Lists more easily, there are different levels of App Access for MSP-owned target lists in this release.
For Professional MSPs, all MSP-owned target lists can be used on any box. This means that you can now create and edit rules with MSP-owned target lists from both the MSP UI and the Firewalla app, just like you would for box- or Firewalla-owned target lists.
For Business MSPs, app access is divided into three types:
- Restricted: Same as before; MSP-owned target lists can only be used/edited on the MSP UI.
- Read-Only: The Firewalla app can create/edit rules using MSP-owned target lists.
- Editable: In addition to creating/editing rules, you can edit the MSP-owned target list by adding domains or IPs to it. Learn more about Updating a Target List.
You'll see your target lists by creating a new rule (Rules -> Add Rule) in the Firewalla app. For the rule target, tap Target List. You'll see all your target lists, including any Local (box-owned), MSP (MSP-owned, with Read-Only or Editable Access), and System (Firewalla-owned) lists.
Flows
On the Flows page, you can search flows by Box, Block Status, Source, Destination, Port, and Device. Since Firewalla MSP processes and stores data centrally in the cloud, you can search through flows much faster than in my.firewalla.com. Each flow is saved for 30 days. You can extend this even further in the future for an additional cost.
Filtering Flows:
When troubleshooting blocked flows, you may wonder why a flow was blocked in the first place. We've added a new column to the flows table called Blocked By. This column shows you the reason why a flow was blocked, whether by the Ingress Firewall, Ad Block, a specific block or time limit rule, or some other policy. You can easily see and filter flows by block reason.
If you see a suspicious flow or are simply curious about the reputation of a flow, you can perform a 3rd-party platform security lookup directly from the flows list. Firewalla MSP supports Cisco Talos, Google Safe Browsing, Virus Total, Shodan, AbuseIPDB, and more.
VPN Mesh
With Firewalla VPN mesh, you can:
- Seamlessly connect multiple boxes from the MSP interface
- Create and manage different networks of boxes
- Easily control who gets to access each VPN mesh
Reports
Firewalla Reports makes it easy to organize, search, and sort data from your boxes. Reports can help you quickly identify important stats and better understand what's happening on your network. You can do things like:
- Filter your data by Box, Status, Destination, Device, Category, Region, Upload/Download, and more.
- Choose a custom time or date range.
- Select columns to display the data you're interested in.
- Sort your data by data transfer amount or flow count.
Events
- Display MSP-specific events, such as when a box goes online/offline.
- Activities will show historical modifications to the MSP system, making this a good place to audit changes.
You can see a 30-day history of significant events and activities in your system by clicking Events in the left navigation panel. A box going online or offline will trigger a System Event. When you or other admins make changes, such as creating and updating a rule, Firewalla MSP logs these actions as Activities. More system events and user activities, including creating and updating target lists, are upcoming in future releases.
Temporary Access (Business only)
You can activate Temporary Access on any box to fully control it using the Firewalla App on any mobile phone.
Turn on Temporary Access by first navigating to Inventory in the lefthand bar. Then, click the box you'd like to control using Firewalla MSP. Scroll down until you see the Temporary Access option and click on it.
Toggle Temporary Access to On and scan the generated code using your phone. You'll then be able to make complex network configurations or troubleshoot a customer's box using the mobile app without having to go through the pairing process or having physical access to the Firewalla box.
Once you've enabled Temporary Access, you should see confirmation messages on both Firewalla MSP and the Firewalla App.
API
You can use our API to interact with Firewalla MSP and boxes programmatically. Learn more about how to use the Firewalla MSP API.
For example, here's what accessing the names and IP addresses of devices that are online looks like using the Firewalla MSP API:
curl -s 'https://mymsp.firewalla.net/v1/device/list' \
-H 'Authorization: Token 70f3d2--------51878fdf' \
| jq '[.[] | select(.online==true) | {name: .name, ip: .ip}]'
[
{
"name": "AppleTV",
"ip": "192.168.203.67"
},
{
"name": "Firewalla",
"ip": "192.168.203.157"
},
{
"name": "raspberrypi",
"ip": "192.168.194.183"
},
{
"name": "MyCamera",
"ip": "192.168.194.166"
}
]
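As an added example (not Firewalla's own code), the same online-device filter and a blocked-inbound flow summary done from Python. It assumes the endpoint paths, the Token authorization header, and the JSON field names (online, blocked, fd, country) exactly as they appear on this page, the limit/start/end query body and the 200-row per-query cap described in the comment thread below, and a FIREWALLA_MSP_TOKEN environment variable; the sample data is constructed.

```python
"""Firewalla MSP API helper (added example, not Firewalla's own code).

Assumed from this page: GET /v1/device/list returns devices with
name/ip/online; POST /v1/flows/query takes {limit, start, end} and returns
flows with ip/blocked/fd/country; auth is 'Authorization: Token <token>'.
"""
import json
import os
import urllib.request
from collections import Counter
from typing import Iterator, Optional

MSP_HOST = "mymsp.firewalla.net"   # your MSP domain (vanity or [random].firewalla.net)
TOKEN_ENV = "FIREWALLA_MSP_TOKEN"  # assumed env var; never hard-code the token
PAGE_LIMIT = 200                   # per-query cap reported in the comments (assumption)


def api_call(path: str, token: str, body: Optional[dict] = None) -> list:
    """One authenticated MSP API request; POST when a JSON body is given, else GET."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"https://{MSP_HOST}{path}",
        data=data,
        method="POST" if body is not None else "GET",
        headers={"Authorization": f"Token {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def online_devices(devices: list) -> list:
    """Same selection as the jq filter above: online devices as name/ip pairs."""
    return [{"name": d["name"], "ip": d["ip"]}
            for d in devices if d.get("online") is True]


def blocked_inbound_by_country(flows: list) -> dict:
    """Count blocked inbound flows (blocked == True and fd == "in") per source
    country. Flows with an empty country field are counted under "unknown"."""
    counts: Counter = Counter()
    for f in flows:
        if f.get("blocked") is True and f.get("fd") == "in":
            counts[f.get("country") or "unknown"] += 1
    return dict(counts)


def time_windows(start: int, end: int, step: int) -> Iterator[dict]:
    """Split [start, end) (unix epoch seconds) into query bodies of at most
    `step` seconds. start/end bracket the time a query inspects, so walking
    narrow windows keeps each response under PAGE_LIMIT rows instead of
    silently losing everything past the 200th flow of one big query."""
    t = start
    while t < end:
        yield {"limit": PAGE_LIMIT, "start": t, "end": min(t + step, end)}
        t += step


# Constructed sample data in the shapes shown on this page (not real API output).
SAMPLE_DEVICES = [
    {"name": "AppleTV", "ip": "192.168.203.67", "online": True},
    {"name": "OldLaptop", "ip": "192.168.203.90", "online": False},
    {"name": "MyCamera", "ip": "192.168.194.166", "online": True},
]
SAMPLE_FLOWS = [
    {"ip": "", "blocked": True, "fd": "in", "country": ""},
    {"ip": "203.0.113.5", "blocked": True, "fd": "in", "country": "NL"},
    {"ip": "198.51.100.7", "blocked": True, "fd": "out", "country": "RU"},
    {"ip": "203.0.113.9", "blocked": False, "fd": "in", "country": "NL"},
    {"ip": "203.0.113.12", "blocked": True, "fd": "in", "country": "NL"},
]

if __name__ == "__main__":
    print(online_devices(SAMPLE_DEVICES))
    print(blocked_inbound_by_country(SAMPLE_FLOWS))
    token = os.environ.get(TOKEN_ENV)
    if token:  # live query, one hour per window, only when a token is provided
        total: Counter = Counter()
        for body in time_windows(1677600000, 1677686400, 3600):
            total.update(blocked_inbound_by_country(
                api_call("/v1/flows/query", token, body)))
        print(dict(total))
```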
Exporting Data
You can save your device list and alarm data as CSV files using the Export button at the top right of the screen. We may include more types of data in the future.
Box Update Management
Choose when your boxes get updated by setting a maintenance window for each of them, ensuring updates only happen at safe hours for your home and business.
- Professional plan users can specify any hour during the day for their maintenance window.
- Business plan users can specify any hour and day of the week for their maintenance window.
To check for updates, set your maintenance window, or see what version your box is running, navigate to your box's settings page by clicking on its name from the Inventory page. Scroll down to the Box Update section. If there's an update available, you'll see an Update Now button.
Click on Maintenance Window to modify your maintenance window.
Additionally, you can now see and change each box's individual timezone. On your box's detail page, scroll to the Basic section and click Time Zone.
Version Upgrade Options
You can directly manage updates to your MSP instance. In the MSP Update section on the MSP Settings page, you can see what version of MSP you're running, check if any updates are available, and schedule updates by setting a maintenance window.
- Professional plan users can specify an hour in any time zone for their maintenance window.
- Business plan users can specify an hour, a day of the week, and a time zone.
When a new update is available, you'll see a banner with a summary of new features and the release notes.
- If you're a Professional plan user or an Early Access/Beta user, you can choose to update immediately or let your MSP automatically update itself during your maintenance window.
- If you're a Business plan user not in the Beta program, you can also choose to schedule the update within the next 7 days.
You can join our Early Access or Beta Program to try new features earlier. Scroll down to the MSP Update section and click the Release dropdown to choose between:
- Early Access – access the earliest versions of new features coming to MSP.
- Beta – try out new MSP features before they're officially released.
- Production – the most stable version of MSP with the best reliability and performance.
Your MSP instance will upgrade or downgrade automatically if you switch to the release with a different version. Please allow 1-2 minutes after switching your MSP version to complete the process.
Setting up Firewalla MSP
If you're interested in setting up Firewalla MSP, please go to firewalla.net.
Logging into Firewalla MSP
To log in, go to https://yourdomain.firewalla.net. Type in the username/password you signed up with. When you first log in to Firewalla MSP, it will guide you through setting your password.
If you want to add an extra layer of protection to your account, you may set up Two-Factor Authentication with an authenticator app. We recommend using cloud-based TOTP apps such as 1Password, Authy, Google Authenticator, or Microsoft Authenticator.
You can turn on/off Two-Factor Authentication or change your password at any time in Account -> Account Settings -> Access section.
Adding Firewalla Boxes to your Inventory
Firewalla Gold and Purple series and Firewalla Blue Plus can be managed with Firewalla MSP. See Adding and Removing Boxes from MSP Inventory for details.
Adding or Removing MSP Users (Business only)
While there can be only one MSP owner, you can invite additional users to give them access to most MSP features. Unlike Owners, Members have:
- no access to billing features
- the ability to invite additional members
To invite or remove additional Users, under the email address at the top right, go to MSP Settings.
Cost
- See https://firewalla.net for pricing.
FAQ
- Can I still log in to my.firewalla.com?
Once a Firewalla box is linked with the MSP instance, it cannot be managed by my.firewalla.com. You can remove a box from MSP at any time, but you will lose stats beyond the last 24 hours.
- I just purchased an MSP plan. How do I set up my account?
After purchasing your new MSP plan, we'll start setting up your instance right away (Business plan users will be redirected to a page where you can enter your vanity domain). After about 10 minutes, you should receive an email with a link to your new instance. You'll then be prompted to log in and add boxes.
- Can I still use the App after joining MSP?
Yes. MSP will not impact how you are using the app.
- Will my.firewalla.com go away or change in any way?
my.firewalla.com will not go away, and new features will still be added wherever possible. While hardware performance limits our ability to put all of the features of the MSP offering into my.firewalla.com, we will continue offering and updating our web interface for free.
- Does MSP limit or change how I manage my Firewalla boxes in the mobile app?
In the app you will see if a particular Firewalla is managed by an MSP and the MSP name. Other than that, there is no change to how Firewalla boxes are managed in the mobile app. For example:
  - A mobile device can manage many Firewalla boxes.
  - A Firewalla box can be managed by multiple mobile devices if you allow the pairing.
  - A Firewalla box can be added to the inventory of an MSP instance. This changes nothing as far as mobile devices that are paired to that box.
  - Having access to a Firewalla via mobile app doesn't mean you automatically have access to the MSP instance. For example, if you are an MSP managing a Firewalla for a customer, the customer can access their own Firewalla but would not have access to the MSP instance.
  - If you own more than one Firewalla, some can be managed by an MSP instance while others can not. Any that are not included in MSP will still be accessible via https://my.firewalla.com/ as always.
- What are the differences between Firewalla MSP and my.firewalla.com?
Unlike Firewalla MSP, my.firewalla.com is a proxy service. We host the management interface and have that interface interact with your Firewalla directly via my.firewalla.com. Only cache data is stored in the cloud memory, with no configuration or runtime data. Here's a table with all the differences:
Firewalla MSP vs. my.firewalla.com:
  - Intended customer: Firewalla MSP: security professionals, Managed Security Providers, and power users. my.firewalla.com: individual users.
  - Data storage: Firewalla MSP: in-cloud and on-device. my.firewalla.com: on-device.
  - Login requirements: Firewalla MSP: email. my.firewalla.com: Firewalla App.
  - Typical deployment strategy: Firewalla MSP: multiple admins. my.firewalla.com: one admin.
  - View scope: Firewalla MSP: unlimited number of Firewalla boxes. my.firewalla.com: one Firewalla box.
  - Improved search: Firewalla MSP: faster search across all boxes. my.firewalla.com: no.
  - API access: Firewalla MSP: yes. my.firewalla.com: no.
  - Slack/IFTTT integration: Firewalla MSP: yes. my.firewalla.com: no.
  - Deploy rules across multiple Firewalla boxes: Firewalla MSP: yes. my.firewalla.com: no.
  - Private domain: Firewalla MSP: yes. my.firewalla.com: no.
  - Fees: Firewalla MSP: fee-based (see https://firewalla.net). my.firewalla.com: free.
- What if I want to manage more than 100 Firewalla boxes in the Business Plan?
Please get in touch with help@firewalla.com for pricing and to arrange a dedicated server.
- What if I want to manage more than three units in the Professional Plan?
You can now add more than 3 seats to the new Professional Plan. To add more seats, see How Do I Add or Remove Seats?
If you are still on the original Professional Plan that automatically includes three free seats, and would like to add more seats, please email help@firewalla.com to change your plan to the new Professional Plan.
- Where does Firewalla MSP store data?
Firewalla MSP is container-based. The container runs on Amazon AWS servers located in the USA. The container stores all active data (flows) and policies from all your managed Firewalla boxes. All data stored at rest is encrypted. Database storage for queries cannot be encrypted.
Comments
43 comments
Thank you for writing up this article.
Looks to be fun. Just wish I had a purple so I could play with routing and vpn technique. But thanks a ton Guys for providing this for us to try out!
I have 4 Golds & 1 Blue+. Too bad beta only does 3.
@broadnetwork created a ticket for you, we can increase the limit for early access mode.
I signed up a few days ago. Any way to find out where we are on the list? Thanks!
@Bryan
Just invited, please check your email inbox.
This is a neat concept; look forward to seeing how this unfolds.
Does the MSP have the same 20 target list limit as when creating target lists on the box? Also, is there currently a way to add additional users to be able to log into the MSP and access the account, or do we have to share credentials for now?
Try to add more target lists; I think we increased that to 2000 or so.
Do you mean invite more people into your MSP container? That has to be done manually at the moment.
@Firewalla - yes, I was going to add some boxes but wanted to add an additional user. It isn't a big deal to share creds with this individual, but, I would prefer to use 2FA once available, so that will be an issue at that time. Ideally role based access would be best, so I can limit their permissions, but that is a long term goal.
On a related note, I've been hesitant to really start adopting the MSP portal because of the lack of a pricing model. I'd hate to start using the APIs for alerts, automation, etc., or start building shared target lists only to find it cost prohibitive. I've seen mention about the possibility of a "lite" version of the MSP which would lack HA or other features to cut cost. Also, this article reads as if beta users will remain free, but it isn't clear what limits there may be.
Once this becomes a paid service, do we have the option to roll back to pre-MSP?
@Dion, pre-MSP is just the my.firewalla.com, yes, you can go back
You are spinning up a new container for each user correct? Could this be something that is bought and installed on our own server in house?
… Building on @James' thought: or even run the container directly on the Firewalla itself (for Gold), exposing the API and integrations and management locally, using the same code as MSP?
The containers themselves are tied into the AWS infrastructure, so it is not possible to move them around. They are essentially cloud-based by design.
Instructions need to be updated.
Should be ....
Adding Firewalla Boxes to your Inventory
To add a Firewalla box to your management inventory, follow these steps.
Holy cow... How am I just now seeing this???
WTG Firewalla. Can't wait to drive it!
We need more functionality within the MSP portal. I would like to be able to get into the router and have the same functions and see the same User Interface as the iOS app. We should be able to change settings on the router from the MSP and log in remotely to fix issues on all of our routers in the field. I don't want to have to pull out my phone to attempt to fix an issue in the field. Full computer access is needed.
This introduction talks about multiple admins. How do I add a new admin?
@Shew
Right now it can only be added by us, configuring in the backend. But we are working on it to support it in the UI.
I am using this as a power user and it is GREAT! May I make a suggestion? Once you start charging for it, if the only 2 tiers are the basic web app and unlimited, it will probably be priced out of power users' budgets. I would suggest the FREE tier (1 box basic), then a power home user tier (1 box but with the MSP dashboard), then 2-3 or whatever, and then 3-99, 100-1000, etc. Otherwise a lot of us "power users" may get priced out.
There have been discussions on a cheaper tier for non-MSPs; since Amazon charges us for the containers/extra storage/network bandwidth, there is no way this cheaper tier will be free.
Absolutely! I would expect to pay something for it. But I would expect to pay less than people who are managing more boxes. Anyway, thanks for listening.
Looking to collect all blocked in-bound IP addresses and the source country. This is my API call.
curl -s --request POST --url 'https://central.firewalla.net/v1/flows/query' --header ' Authorization: Token dfd143d.............016ad' | jq '.[] | {ip,blocked,fd,country} | select(.blocked) | select(.fd=="in")'
That gives me results that look like ...
{
"ip": "",
"blocked": true,
"fd": "in",
"country": ""
}
{
"ip": "",
"blocked": true,
"fd": "in",
"country": ""
}
But this is nowhere near the number of blocked flows on the MSP portal or mobile app. Also, from the API I can't get any of the blocked inbound flows.
What am I doing wrong?
And even if we assume I don't understand what "fd" represents, I still get very few results.
Trying this call ...
curl -s --request POST --url 'https://central.firewalla.net/v1/flows/query' --header ' Authorization: Token dfd143d.............016ad' | jq '.[] | {ip,blocked,fd,country} | select(.blocked) '
I still only get ...
{
"ip": "",
"blocked": true,
"fd": "in",
"country": ""
}
{
"ip": "41.214.134.201",
"blocked": true,
"fd": "out",
"country": "MA"
}
{
"ip": "89.248.163.175",
"blocked": true,
"fd": "out",
"country": "NL"
}
{
"ip": "",
"blocked": true,
"fd": "in",
"country": ""
}
{
"ip": "80.66.83.55",
"blocked": true,
"fd": "out",
"country": "RU"
}
{
"ip": "89.248.163.175",
"blocked": true,
"fd": "out",
"country": "NL"
}
Hi Chris,
By default the API returns 200 responses. If you need more or less than that, you can specify it like so:
The start/end times are in unix epoch format and are optional, but let you bracket precisely the time inspected.
Thank you. Please consider documenting that somewhere ... any other tricks you can share?
I tried setting the limit to 100, 300, and 500 and still only was able to get 200 records returned. Seems like no matter what the "limit" is set to only 200 records are returned.
What am I doing wrong?
┌──(pi㉿x)-[~]
└─$ curl -s --request POST --url 'https://central.firewalla.net/v1/flows/query' --header ' Authorization: Token dfd143d.............016ad' --data '{ "limit": 500}' | jq '.[] | {ip,fd,blocked}' | grep fd | wc -l
200
┌──(pi㉿x)-[~]
└─$ curl -s --request POST --url 'https://central.firewalla.net/v1/flows/query' --header ' Authorization: Token dfd143d.............016ad' --data '{ "limit": 300}' | jq '.[] | {ip,fd,blocked}' | grep fd | wc -l
200
┌──(pi㉿x)-[~]
└─$ curl -s --request POST --url 'https://central.firewalla.net/v1/flows/query' --header ' Authorization: Token dfd143d.............016ad' --data '{ "limit": 100}' | jq '.[] | {ip,fd,blocked}' | grep fd | wc -l
200
Adding the date range for the past 12 months (yes, I know that the data don't go back more than 24 hours) still doesn't give the right results.
curl -s --request POST --url 'https://central.firewalla.net/v1/flows/query' --data '{ "limit": 500, "start": 1646110800, "end": 1677686238}' --header ' Authorization: Token dfd143d.............016ad' | grep ip | grep 89\.248\.163\.110
"ip": "89.248.163.110",
Certainly more than enough data to return.
Let's assume I am going about this the completely wrong way. How can I use the API MSP feature to get a list of all blocked inbound connection attempts?
Is the Beta still open? I would love to give this a try.
Hello,
I filled the form days ago but never got the invite. Could you please check if I'm in the list?
Thanks,
Manuel
Please be patient, we are working on an automatic signup system now; it may take a week or two to get it ready. When that is done, we won't need the waiting list.
If you are on the list, please do watch out for an email from us.
Hello team,
I am receiving this message since last Saturday:
Please sign in to leave a comment.