Firewalla MSP is a Managed Security Portal designed for security and infosec professionals to easily manage multiple Firewalla boxes from anywhere. In this article, we'll introduce Firewalla MSP, review its key features and capabilities, show you how to set it up, and answer some frequently asked questions.

Sign up at https://firewalla.net. All plans include a 3-month trial at a discounted rate! 

What is Firewalla MSP? 

Firewalla MSP is a web interface where you can conveniently and efficiently manage a fleet of Firewalla boxes. As a cloud-based management system, each management portal is an isolated container within the Firewalla Cloud. Managed instance data is fully isolated within this container.

Some of Firewalla MSP's main highlights include:

• Email-based login. You can sign in using your email address and password.
• Two-factor authentication. Add extra authentication for Business and Professional plans.
• A private domain (e.g., mycompany.firewalla.net). You can use your company name to create a vanity subdomain for Firewalla MSP (MSP Business plan only). MSP Professional plan users use a [random].firewalla.net address.
• A container-based centralized management interface. Firewalla MSP stores data related to Firewalla boxes you manage in a unique encrypted AWS container. It is never mixed with anyone else's data. It is only accessible to the admins you grant access to, much like how your Firewalla box is only accessible to the mobile devices you allow.
• A global view. View all your Firewalla boxes and devices at once. While you'll still have the ability to manage individual Firewalla boxes, you can also use Firewalla MSP to see all:
  • Alarms
  • Rules
  • Target Lists
  • Flows
• The ability to set policies on multiple boxes. You can deploy rules across multiple Firewalla boxes as quickly as on a single box.
• Box update management. Choose when your boxes get updates, ensuring they're only installed at safe hours for your home and business.

And for advanced users:

• Reporting and Extended logging and analytics. Firewalla MSP processes and stores data centrally in the cloud. This also means you can easily and quickly search through all your logs.
• Programmable APIs/Webhook/Slack/IFTTT integration. You can get Firewalla alerts in Slack or use IFTTT to trigger any action.
• VPN Mesh. Allows you to connect multiple boxes seamlessly, from anywhere in the world.

Firewalla MSP Features

To streamline managing all your Firewalla boxes, Firewalla MSP has unique features that make configuring one box as easy as configuring one hundred boxes. These include:

General

• Dashboard
• Inventory
• Reports

Insights

• Alarms
• Devices
• Flows
• Events
• Network Performance

Controls

• Network Manager
• Wi-Fi Manager 
• Rules
• Target Lists
• VPN Mesh
• VPN Client
• MSP Active Protect

Resources

• API
• Exporting Data

MSP & Box Management

• Temporary Access (Business only)
• Box Update Management
• Version Upgrade Options
• Managing Admins

• Setting Up Firewalla MSP
• FAQ
• Latest Release Notes: Version 2.9

Dashboard

The Dashboard gives an overview of all boxes over the last 30 days. Its modules include:

1. Online/Offline Boxes: An overview of all Firewalla boxes that are online or offline.
2. Total Number of Alarms and Rules: An overview of all alarms and rules across all boxes.
3. System Alerts: Noteworthy system events. For example, if a box goes offline and is not online, a system alert will be shown on the dashboard.
4. Daily Blocked Flows: A chart of the number of flows blocked per day.
5. Daily Alarms and Rules: A graph of the number of alarms and rules your devices have recorded per day.
6. Top Boxes by Blocked Flows: The boxes with the most blocked flows.
7. Top Boxes by Security Alarms: The boxes with the most security alarms.
8. Top Regions by Blocked Flows: The most common regions of the world where your blocked flows have originated.
9. Activities: The latest actions that you or any other users took.

Inventory

You can open your Inventory via the left-hand panel. From this page, you can:

• Add and Remove Firewalla boxes
• View active boxes and status
• Create a group to easily manage multiple boxes together
• Manage Mobile App Access

Grouping multiple Firewalla boxes can help you filter data, manage views for different entities, and deploy your rules in different phases. For example, if you manage Firewalla boxes for multiple customers, and each customer has multiple locations, you could group each customer into a separate Group.

Seats are how you can manage boxes to your Inventory in MSP – each box added to your MSP instance requires a seat. For example, if you have 5 seats, you can manage up to 5 boxes, and seats can be empty if you are planning for the future. Each MSP Plan comes with 1 free seat, and Professional and Business Plan users can purchase additional seats. Learn more about seats and managing multiple boxes in our article on Managing Seats.

For detailed instructions on how to manage your Inventory, see our article on Adding and Removing Boxes in MSP.

View Options

Once you have created your Box Groups, you can click the dropdown button at the top of the page to select a Box Group. Firewalla MSP will only show you information relevant to the selected group. This feature can help scale the number of boxes managed by one MSP account. 

Mobile App Access Management

With MSP 2.9 and Firewalla App 1.67, you can manage mobile access of all paired devices, ensuring each user only has the level of visibility they need in the Firewalla mobile app.

Choose from three different access levels: 

1. Full Access: Full administrative control with access to all features and settings.
2. Limited: A simplified mobile app view for managing non-technical settings.
3. No Access: The device cannot view or control the box.

For detailed instructions and limitations, see our article on Mobile App Access Control.

Reports

Firewalla Reports makes it easy to organize, search, and sort data from your boxes. Reports can help you quickly identify important stats and better understand what's happening on your network. You can do things like:

• Filter your data by Box, Status, Destination, Device, Category, Region, Upload/Download, and more.
• Choose a custom time or date range.
• Select columns to display the data you're interested in.
• Sort your data by data transfer amount or flow count.
• Export reports to a CSV file.

Alarms

• 3rd-Party Platform Integration

Manage Alarms across all or a selected group of boxes. You can search by Alarm type across all the Firewalla boxes you manage and filter with multiple Alarm types if you like.

3rd-Party Platform Integration

For advanced users, Firewalla MSP also allows you to integrate Firewalla alarms into other apps and flows using:

• IFTTT
• Slack
• Webhooks

Want your whole team to see important notifications in Slack? Want to receive an email, text, or automated phone call when something bad is happening on your network? Then Integrations are for you. Learn more about how you can set up integrations.

Devices

Under Devices, you can search by Box, Device, Network, IP address, MAC address, Device Vendor, or Online/Offline Status.

On each device's detail page, you can see its name, device type, group, local domain, MAC address, IP address, network, vendor, online/offline status, activity history, rules, and alarms.

Flows

• Filtering Flows
• Searching Flows with Firewalla AI

On the Flows page, you can search network and local flows by Box, Block Status, Source, Destination, Port, and Device. Since Firewalla MSP processes and stores data centrally in the cloud, you can search through flows much faster than in my.firewalla.com. Each flow is saved for 30 days, and for an additional cost, you can extend this to 180 days.

Filtering Flows

When troubleshooting blocked flows, you may wonder why a flow was blocked in the first place. The Blocked By column shows why a flow was blocked, whether by the Ingress Firewall, Ad Block, a specific block or time limit rule, or some other policy. You can easily see and filter flows by block reason.

If you see a suspicious flow or are simply curious about the reputation of a flow, you can perform a 3rd-party platform security lookup directly from the flows list. Firewalla MSP supports Cisco Talos, Google Safe Browsing, Virus Total, Shodan, AbuseIPDB, and more.

Searching Flows with Firewalla AI

With MSP 2.9, you can use Firewalla AI to automatically generate the correct search syntax for you.

Type your query in the Flows Search Bar, then click the Firewalla AI button, or click the gradient-colored text that appears below your search (Shortcut: Ctrl/Command + Enter). 

For example, you could ask AI to check for "gaming on my laptop" or "all Reddit traffic since August."

Learn more about Firewalla AI.

Events

• Display MSP-specific Events, such as when a box goes online/offline.
• Activities will show historical modifications to the MSP system, making this a good place to audit changes.

You can see a 30-day history of significant events and activities in your system by clicking Events in the left navigation panel. A box going online or offline will trigger a System Event. 

When you or other admins make changes on the MSP Interface, such as creating and updating a rule, Firewalla MSP logs these actions as Activities. More system events and user activities, including creating and updating target lists, are upcoming in future releases. 

Network Performance

See a summary of your network performance over the last 24 hours, your Internet speed test results over the last 7 days, and your network quality test results in one convenient place. 

Click on your speed test or quality test results to see a full list of Firewalla's tests. Easily find trends or discrepancies using the graphs.

Network Manager

• Network Editing

When you click into an individual box in Firewalla MSP, you can see details about its LANs, VPNs, and WANs in our Network Manager – just like in the Firewalla app. This makes it easy to troubleshoot connection problems and find important network configuration information right from MSP.

Network Editing

Click the Edit button in the top right corner of the Network Manager to create, edit, and delete your LANs and link aggregation groups from the MSP interface. With MSP 2.9, you can also manage bridges for boxes in bridge mode.

Note: 

• Creating or editing WAN connections or the main bridge network is not supported, as doing so may cause internet connectivity issues that could be difficult to resolve or troubleshoot remotely if not done properly.

Click on the NAT Settings tab of the Network Manager to edit your NAT, including Source NAT and Source Networks, NAT passthrough, UPnP, DMZ, and Port Forwarding.

Wi-Fi Manager

If you have the Firewalla Access Point 7, you can manage your Wi-Fi and AP7s with MSP 2.9. This includes managing your SSIDs and microsegments, Access Points, settings, and VqLAN/Device Isolation. You can also view and search devices by Wi-Fi and AP7 connection details.

To manage your Wi-Fi and AP7s, click the Wi-Fi tab from an individual box view with at least one AP7 paired. 

NOTE: AP7s can only be added to the box by pairing locally via the Firewalla App. For a complete overview of AP7 functionality, see our Getting Started with AP7 guide.

Rules

Rules allow you to search by Box, Action, Matching Condition, or the Device/Group/Network to which the rule applies. You can also create new rules, edit existing rules, and see the hit count of each rule across your Firewalla boxes.

To help you manage multiple Firewalla boxes easily, you can apply rules to all Firewalla boxes (or a selected group of Firewalla boxes) at one time. For example, when you create a rule on "all devices" from Firewalla MSP, the rule will be synced to all boxes in your inventory. Any newly joined boxes will have the global rules applied automatically.

Note: You may see a rule on your box that blocks all traffic from the Internet. This is your Ingress Firewall, which prevents external traffic from entering your network. Please do not delete this rule. 

Learn more about Firewalla's Ingress and Egress Firewalls here. 

Target Lists

• Import 3rd Party Target Lists
• App Access for Target Lists

Target Lists created on Firewalla MSP are shared across all boxes. Each list can contain up to 2000 targets. After creating a target list, you can create rules matching it and apply them to any device on any box.

On Firewalla MSP, you can create target lists owned by MSP instead of individual boxes. To make the "Owner" concept more clear and easy to manage, we've set up a few constraints:

• You can create MSP-owned target lists under the MSP global view or create box-owned target lists under an individual box view. Once a target list is made, the owner cannot be changed.
• When managing target lists under the MSP global view, you can see all the lists owned by MSP and Firewalla. These lists can create rules across different boxes and box groups.
• If you switch to an individual box's view (by clicking the inventory dropdown at the top of the page), you can see all the lists owned by MSP, Firewalla, and the box. You can also use these lists to create rules. 

Import 3rd Party Target Lists

On Firewalla MSP, you can also import popular, open-source target lists from 3rd-party owners. These lists are synced to your MSP instance regularly after being imported. Learn more about importing target lists.

App Access for Target Lists

To help you manage your Target Lists more easily, there are different levels of App Access for MSP-owned target lists in this release.

For Professional MSPs, all MSP-owned target lists can be used on any box. This means that you can now create and edit rules with MSP-owned target lists from both the MSP UI and the Firewalla app, just like you would for box- or Firewalla-owned target lists.

For Business MSPs, app access is divided into three types:

• Restricted: Same as before; MSP-owned target lists can only be used/edited on the MSP UI.
• Read-Only: The Firewalla app can create/edit rules using MSP-owned target lists.
• Editable: In addition to creating/editing rules, you can edit the MSP-owned target list by adding domains or IPs to it. Learn more about updating a target list.

You'll see your target lists by creating a new rule (Rules -> Add Rule) in the Firewalla app. For the rule target, tap Target List.

You'll see all target lists, including any Local (box-owned), MSP (MSP-owned, with Read-Only or Editable Access), and System (Firewalla-owned) lists.

VPN Mesh

With Firewalla VPN Mesh, you can:

• Seamlessly connect multiple boxes from the MSP interface
• Create and manage different networks of boxes
• Easily control who gets to access each VPN mesh

VPN Client

• IPsec VPN Client

Similar to the Firewalla App, you can manage your VPNs with the VPN Client on MSP. From an individual box on MSP, easily view and manage your VPN Client configurations, VPN Groups, and 3rd-party VPNs using OpenVPN, WireGuard, AnyConnect, or IPsec protocols.

• Site to Site & Remote Access VPNs are read-only on MSP UI. To connect boxes, we recommend using VPN Mesh.
• VPN connections created on MSP are not editable on the Firewalla App, but they can still be turned on/off and applied to devices.

IPsec VPN Client

For Gold series boxes managed by Firewalla MSP, you can configure IPsec as the VPN protocol for 3rd-party VPNs. Due to its complexity, IPsec can only be configured via the MSP interface. It is only available with Firewalla as the VPN Client to a 3rd-party VPN Server.

For some examples on setting up IPsec, please consult these guides:

• How to set up IPsec VPN with Unifi UDM
• How to set up IPsec VPN with AWS
• How to set up IPsec VPN with pfSense
• How to set up IPsec VPN with Cloudflare

MSP Active Protect

MSP Active Protect leverages extended data visibility and Firewalla Intelligence to help you with: 

• Improving accuracy by archiving alarms identified as normal behavior, reducing false positives
• Performing deeper behavioral analytics to identify anomalies, further protecting your network

MSP Active Protect is enabled by default. Click Active Protect on the left navigation bar on a single box view (or Protect from the global box view) to turn on/off Alarm Optimizer and Advanced Behavioral Alarm.

Please note that this feature is only available to boxes in 30-Day Flows and 180-Day Flows seats.

API

You can use our API to interact with Firewalla MSP and boxes programmatically. Learn more about how to use the Firewalla MSP API.

For example, here's what accessing the names and IP addresses of devices that are online looks like using the Firewalla MSP API:

curl -s 'https://mymsp.firewalla.net/v1/device/list' \
-H 'Authorization: Token 70f3d2--------51878fdf' \
| jq '[.[] | select(.online==true) | {name: .name, ip: .ip}]'

[
  {
    "name": "AppleTV",
    "ip": "192.168.203.67"
  },
  {
    "name": "Firewalla",
    "ip": "192.168.203.157"
  },
  {
    "name": "raspberrypi",
    "ip": "192.168.194.183"
  },
  {
    "name": "MyCamera",
    "ip": "192.168.194.166"
  }
]

Exporting Data

You can save data as CSV files using the Export button on certain features. We currently support exporting:

• Reports
• Alarms
• Device list
• Flows

We may include more types of data in the future.

Temporary Access (Business only) 

You can activate Temporary Access on any box to fully control it using the Firewalla App on any mobile phone. 

Turn on Temporary Access by first navigating to Inventory in the left-hand bar. Then, click the box you'd like to control using Firewalla MSP. Scroll down until you see the Temporary Access option and click on it.

Toggle Temporary Access to On and scan the generated code using your phone. You'll then be able to make complex network configurations or troubleshoot a customer's box using the mobile app without having to go through the pairing process or having physical access to the Firewalla box. 

Once you've enabled Remote Access, you should see messages like this on Firewalla MSP and the Firewalla App.

Box Update Management

Choose when your boxes get updated by setting a maintenance window for each of them, ensuring updates only happen at safe hours for your home and business.

• Professional plan users can specify any hour during the day for their maintenance window.
• Business plan users can specify any hour and day of the week for their maintenance window.

To check for updates, set your maintenance window, or see what version your box is running, navigate to your box's settings page by clicking on its name from the Inventory page. Scroll down to the Box Update section. If there's an update available, you'll see an Update Now button. 

Click on Maintenance Window to modify your maintenance window. 

Additionally, you can now see and change each box's individual timezone. On your box's detail page, scroll to the Basic section and click Time Zone. 

Version Upgrade Options

You can directly manage updates to your MSP instance. In the MSP Update section on the MSP Settings page, you can see what version of MSP you're running, check if any updates are available, and schedule updates by setting a maintenance window.

• Professional plan users can specify an hour in any time zone for their maintenance window.
• Business plan users can specify an hour, a day of the week, and a time zone.

When a new update is available, you'll see a banner with a summary of new features and the release notes.

• If you're a Professional plan user or an Early Access/Beta user, you can choose to update immediately or let your MSP automatically update itself during your maintenance window.
• If you're a Business plan user not in the Beta program, you can also choose to schedule the update within the next 7 days.

You can join our Early Access or Beta Program to try new features earlier. Scroll down to the MSP Update section and click the Release dropdown to choose between:

• Early Access – access the earliest versions of new features coming to MSP.
• Beta – try out new MSP features before they're officially released.
• Production – the most stable version of MSP with the best reliability and performance.

Your MSP instance will upgrade or downgrade automatically if you switch to the release with a different version. Please allow 1-2 minutes after switching your MSP version to complete the process.

Managing MSP Admins (Business only)

For Business MSPs, you can invite additional Admins (up to 9 Members + 1 Owner, for a total of 10) to manage your MSP portal.

To invite a new Member, hover your mouse over the top right corner of the MSP UI, and click MSP settings. In the Members section, tap Invite Member and enter the new Member's email address.

Two types of Admin roles are supported: 

• Owner: The one who bought the MSP instance. The Owner has full access to the MSP portal, and they can control the access of others by adding or removing Members.
• Member: Invited by the MSP Owner. Members have full access to the MSP portal except:
  • They cannot add or remove Members
  • They cannot view or change payment and plan info

Setting up Firewalla MSP

If you're interested in setting up Firewalla MSP, please go to firewalla.net.

Logging into Firewalla MSP

To log in, go to https://yourdomain.firewalla.net. Type in the username/password you signed up with. When you first log in to Firewalla MSP, it will guide you through setting your password.

If you want to add an extra layer of protection to your account, you may set up Two-Factor Authentication with an authenticator app. We recommend using cloud-based TOTP apps such as 1Password, Authy, Google Authenticator, or Microsoft Authenticator.

You can turn on/off Two-Factor Authentication or change your password at any time in Account -> Account Settings -> Access section.

Adding Firewalla Boxes to your Inventory

Firewalla Gold and Purple series and Firewalla Blue Plus can be managed with Firewalla MSP. See Adding and Removing Boxes from MSP Inventory for details. 

Cost

• See https://firewalla.net for pricing.

FAQ

1. Can I still log in to my.firewalla.com? 
   Once a Firewalla box is linked with the MSP instance, it cannot be managed by my.firewalla.com. You can remove a box from MSP at any time, but you will lose stats beyond the last 24 hours. 
    
2. I just purchased an MSP plan. How do I set up my account?
   After purchasing your new MSP plan, we'll start setting up your instance right away (Business plan users will be redirected to a page where you can enter your vanity domain). After about 10 minutes, you should receive an email with a link to your new instance. You'll then be prompted to log in and add boxes.
    
3. Can I still use the App after joining MSP? 
   Yes. MSP will not impact how you are using the app. 
    
4. Will my.firewalla.com go away or change in any way?
   my.firewalla.com will not go away, and new features will still be added wherever possible. While hardware performance limits our ability to put all of the features of the MSP offering into my.firewalla.com, we will continue offering and updating our web interface for free.
    
5. Does MSP limit or change how I manage my Firewalla boxes in the mobile app? 
   In the app you will see if a particular Firewalla is managed by an MSP and the MSP name. Other than that, there is no change to how Firewalla boxes are managed in the mobile app. For example:
   • A mobile device can manage many Firewalla boxes.
   • A Firewalla box can be managed by multiple mobile devices if you allow the pairing.
   • A Firewalla box can be added to the inventory of an MSP instance. This changes nothing as far as mobile devices that are paired to that box.
   • Having access to a Firewalla via mobile app doesn't mean you automatically have access to the MSP instance. For example, if you are an MSP managing a Firewalla for a customer, the customer can access their own Firewalla but would not have access to the MSP instance.
   • If you own more than one Firewalla, some can be managed by an MSP instance while others can not. Any that are not included in MSP will still be accessible via https://my.firewalla.com/ as always.
      

6. What are the differences between Firewalla MSP and my.firewalla.com?

   Unlike Firewalla MSP, my.firewalla.com is a proxy service. We host the management interface and have that interface interact with your Firewalla directly via my.firewalla.com. Only cache data is stored in the cloud memory, with no configuration or runtime data. Here's a table with all the differences:

   	Firewalla MSP	my.firewalla.com
   Intended Customer	Security professionals and Managed Security Providers and power users.	Individual users
   Data Storage	In-cloud & on-device	On-device
   Login requirements	Email	Firewalla App
   Typical deployment strategy	Multiple admins	One admin
   View Scope	Unlimited number of Firewalla boxes	One Firewalla box
   Improved Search	Faster search across all boxes
   API Access	✔️
   Slack/IFTTT integration	✔️
   Deploy rules across multiple Firewalla boxes	✔️
   Private domain	✔️
   Fees	Fee-Based (see https://firewalla.net)	Free

    

7. What if I want to manage more than 100 Firewalla boxes in the Business Plan?

   Please get in touch with help@firewalla.com for pricing and to arrange a dedicated server.
    

8. What if I want to manage more than three units in the Professional Plan?

   You can now add more than 3 seats to the new Professional Plan. To add more seats, see How Do I Add or Remove Seats?

   If you are still on the original Professional Plan that automatically includes three free seats, and would like to add more seats, please email help@firewalla.com to change your plan to the new Professional Plan.

9. Where does Firewalla MSP store data? Firewalla MSP is container-based. The container run inside Amazon AWS servers located in the USA. The container will store all active data (flows) and policies from all your managed Firewalla boxes. All data stored at rest are encrypted. Database storage for queries cannot be encrypted.