Firewalla App version 1.67 is available to all users.

1. New AP7 Features
   1. WPA2-Enterprise & WPA3-Enterprise Security and RADIUS
   2. Bridge Mode Support for Firewalla AP7
   3. Block Devices From Connecting to Specific AP7s
   4. Adaptive DFS Selection
   5. AP7 Backhaul Mode Selection
2. New Box Features
   1. Limited Mobile Access with Firewalla MSP
   2. Configure IPv6 DNS Servers
   3. Mute Upload Alarms by Local Port
   4. New Target List - NSFW AI List
   5. RADIUS - For 3rd-Party APs 
   6. App Migration (iOS only)
3. Enhancements
4. Bug Fixes
5. Known Issues

New AP7 Features

These features are specific to Firewalla Access Point 7. 

1. WPA2-Enterprise & WPA3-Enterprise Security and RADIUS

Firewalla AP7 now supports Enterprise Wi-Fi Security! Enterprise Wi-Fi uses per-user credentials, supports WPA3 (including 6 GHz), and can dynamically assign devices to Firewalla Users within a single SSID (unlike personal keys, which are incompatible with WPA3 and 6 GHz).

Learn more about WPA Enterprise Wi-Fi (with RADIUS). 

To use enterprise security for Firewalla Wi-Fi:

1. From your box's main screen, tap Wi-Fi > Create Wi-Fi > set an SSID + password > Create (Note: the password at this point does not matter, as we will be updating it later.)
2. Tap into the SSID you just created > Edit (top right corner) > Security > choose an enterprise security 
3. Tap Save.

To connect to enterprise Wi-Fi, you must set up usernames and passwords for each User. 

Note:

• We currently support WPA2 Enterprise and WPA3 Enterprise. WPA2/WPA3 Enterprise is currently available to all Beta AP7 (AP7 Desktop: 0.1.114.1.9.54, AP7 Ceiling: 0.1.47.1.9.54). Prod version Access Points are coming soon. 
• Changing the security to Enterprise will remove all Microsegments (Primary and Additional) for the current SSID, as it uses the local RADIUS server (Firewalla) for authentication. 
• Role-based (e.g., guest, admin, employee) authentication is not yet supported. Once an enterprise Wi-Fi is created, any user can join using their credentials.
• Firewalla Enterprise Wi-Fi can only use its own local RADIUS Server (Firewalla). It cannot work with other 3rd-party servers.

2. Bridge Mode Support for Firewalla AP7

By popular demand from our community, Firewalla AP7 is now supported in bridge mode! You can now:

• Install AP7 with any Firewalla Gold or Purple series box in bridge mode. (For help installing AP7, see our AP7 Installation Guide.)
• Configure Firewalla Wi-Fi on bridge networks.

Note:

• Local Flows, VqLAN, and Device Isolation are not yet supported on boxes in bridge mode with AP7. They will be supported in the upcoming box update. 
• Switching between router and bridge mode will remove all SSIDs and local networks created for Wi-Fi, but will keep AP7 pairing.

3. Block Devices from Connecting to Specific AP7s

By popular demand, you can now block devices from connecting to specific Firewalla Access Points! This is especially useful when a device keeps roaming to a farther AP7 or when you have stationary IoT devices that should always stay connected to their closest Access Point. 

If you have more than one Firewalla AP7, to block devices from connecting to an AP7:

1. Navigate to the device's detail page. In the Wi-Fi details section, tap Access Point.
2. Tap Block Access Points and toggle it on.
3. Select the AP7s you'd like to block and tap Save.

Note:

• You can block the currently connected AP7, but your device may briefly disconnect.
• Choosing which AP to connect to is ultimately up to the device, not the AP. They can suggest connections, but devices may make their own roaming decisions. If devices connect to an unideal AP, but the performance and connections are good, there is likely no need to adjust anything.
• This type of "block" may not always work with all devices. 
• If all allowed AP7s are offline, the feature will automatically disable so the device can connect to any available AP7.

4. Adaptive DFS Selection

This feature is currently available to all Beta AP7 (AP7 Desktop: 0.1.114.1.9.54, AP7 Ceiling: 0.1.47.1.9.54). 

• To switch to the Access Point Early Access release, go to Wi-Fi -> Access Point, tap an Access Point -> Version, then tap "Beta". 
• Production Access Point releases are coming soon (Tentative date: Jan 15, 2026).

DFS channels can increase available channels for your devices, but are also shared with radar systems (e.g., for weather stations, airports, military bases) and can impact your network. 

Firewalla will now avoid DFS channels automatically if it detects radar interference using Adaptive DFS Selection, to help keep your network stable.

If your 5 GHz DFS Channels are enabled, Adaptive DFS Selection is enabled by default. To manage this setting, navigate to your Wi-Fi Settings page (box main screen > Wi-Fi > Wi-Fi Settings (top right corner)).

Learn more about Advanced Wi-Fi Settings with Firewalla AP7.

5. AP7 Backhaul Mode Selection

Firewalla AP7 supports both wired and wireless backhaul, and in this release, you can now select the Backhaul Mode to use. Using wired backhaul exclusively may be ideal if you'd like to ensure your Wi-Fi performance remains stable and fast via Ethernet.

To select the backhaul mode, navigate to your AP7's detail page, tap Connection Type > Backhaul Mode > select the mode:

• Automatic (default): Automatically uses wired backhaul when available; otherwise, falls back to wireless.
• Wired Only: Uses wired backhaul exclusively. If no wired Ethernet connection is detected, the Access Point will not attempt to connect wirelessly.

Note: This feature is only available to AP7 connected with an Ethernet cable. 

Learn more about Advanced Access Point Settings with Firewalla AP7.

New Box Features

1. Limited Mobile Access with Firewalla MSP

This feature is only available to Firewalla Boxes managed by Firewalla MSP.

In Firewalla MSP 2.9.0, we introduced a new feature for Mobile App Access Management. In this release, we now support Limited and No Access views on the Firewalla App.

1. Full Access (default): Full administrative control with access to all features and settings.
2. Limited: A simplified mobile app view for managing non-technical settings.
3. No Access: The device cannot view or control the box.

Limited only hides advanced settings. It does not fully block technical changes. Users who know where to look may still modify network rules or settings. We recommend assigning this level only to trusted users. 

Sign up for a free 3-month trial of MSP here: https://firewalla.net/plans

2. Configure IPv6 DNS Servers

In this release, you can now set IPv6 DNS servers for both WAN and LAN networks. We also separated IPv4 and IPv6 in Network Manager to make navigation clearer.

To update your IPv6 DNS servers, open your network in Network Manager and tap Edit in the top-right corner. In the IPv6 section, you can set your Primary and Secondary DNS servers.

Learn more about Firewalla Network Manager.

3. Mute Upload Alarms by Local Port

In this release, you can now mute a specific local port for Abnormal Upload and Large Upload Alarms! This is especially useful for those who host servers on specific ports of a device, but don't want to mute the alarms for the entire device.

To mute local ports,

1. From your box's main screen, tap Alarms > Alarm Settings (top right corner) > Abnormal Upload or Large Upload.
2. Tap Mute Setting > Add Port.
3. Enter the port number and protocol, then select the device(s). 

Learn more about Managing Alarms.

4. New Target List - NSFW AI List

Adult-focused AI chatbots are becoming more common, and we want to help prevent kids from accessing—or accidentally stumbling into—sites with sexual or otherwise inappropriate content. 

To support this, we’ve added a new NSFW AI target list. NSFW stands for Not Safe For Work, typically referring to adult material. The list can be used only to create blocking rules.

Learn more about Target Lists.

5. RADIUS - For 3rd-Party APs (Beta)

This feature is currently available to Firewalla Boxes in Router Mode and Early Access/Beta Box Release. It will NOT be available to production. 

If you don't have the AP7, but you have other APs that support enterprise Wi-Fi, Firewalla can now act as a local RADIUS server for 3rd-party APs!

To enable the RADIUS Server,

1. From your box's main screen, tap Services > RADIUS Server > toggle it on.
2. If your box is in Early Access release, you'll see Allow 3rd-party APs. Toggle it on, and the app will generate a shared secret to use. 

Devices connecting to Enterprise Wi-Fi will be prompted for a username and password. User credentials can be set up under Firewalla Users. 

• Note that the Server Address (IPv4) displays the first LAN IP address in your Network Manager. However, all LAN subnets will work as the RADIUS Server Address (excluding OpenVPN or WireGuard VPN subnets).

Learn more about Enterprise Wi-Fi and RADIUS.

6. App Migration (iOS only)

This feature will allow you to back up the unique App private key and restore that key to another phone. Use cases:

1. You've lost your phone; you can use this to restore access to all your Firewalla units.
2. You've migrated to a new phone, and the migration from iCloud failed; you can use this to restore access to all your Firewalla units.

This migration does NOT migrate the box configuration; this may be a future enhancement. 

To back up:

• Go to App Settings  → App Migration → Export App Data. 
• Set a Secure Code to protect the file, export it, and store it somewhere safe.

To restore:

• Go to App Settings → App Migration → Import App Data, choose the file, and enter the same Secure Code. Restart the app, and all your box pairings will come back instantly.

Notes

•  After importing, both apps stay in sync. If you add or remove a box on one phone, the changes also appear on the other. 
  • We highly recommend that you delete the Firewalla app on the old phone.
  • Do not reset the old app, or all box pairings will be lost on the new app as well.
• This feature is currently available on iOS only, but it’s built to work with Android as well. Cross-platform migration is coming soon.

Enhancements

We’re renaming FireAI to Firewalla AI (or Ask AI)

In App 1.65, we introduced Firewalla AI Assistant, or FireAI. Unfortunately, a very large tech company contacted us because the name "Fire" was too similar to one of their existing products and could cause confusion, and suggested us to change our name.

• The AP7 detail page now displays all IP addresses for VLANs with Wi-Fi configured and displays an error if it fails to obtain an IP address for a VLAN.
• Added a search bar to the app's main screen to quickly filter and find your Firewalla Boxes.
• Added Security Info to the device detail page for Wi-Fi devices connected to Firewalla AP7.
• New Device Alarms now redirect you to the new device detail page when tapped. 
• Added a View Details button in Alarms for quick access to the corresponding device detail page.
• Added a warning banner in Network Manager if Local Network or Bluetooth Permissions are disabled on the current device, since these are required to manage network settings.
• Added warning messages when the Wi-Fi name or password contains trailing spaces to avoid mistyping.
• Created a new Gold SE icon to display in the app.

• Updated for iOS 26’s new search bar and navigation style. The search bar and tabs on the Devices and Wi-Fi pages now sit at the bottom for quicker access. [iOS only]

  
  

Bug Fixes

• Fixed an issue where the AP would use a 320 MHz channel width when set to Channel 229, which may cause unstable connections. (Fixed in AP controller version 0.9.65)
• Fixed an issue where Family Protect rules were missing after migration. [iOS only, fixed in 1.67 (43) ]
• Fixed an issue where target lists were not sorted alphabetically by name. [iOS only, fixed in 1.67 (43) ]
• Fixed an inconsistency between the iOS and Android app on the Firewalla box’s device detail page.  [Fixed in iOS 1.67 (43) and Android 1.67 (49)]
• Fixed an issue where the Network Manager page could incorrectly display a “Required Access Disabled” banner. [iOS only, fixed in 1.67 (43) ]
• Fixed the issue where flows allowed by Device Active Protect may be diagnosed as “Blocked by Active Protect. [iOS only]
• Added support for App and Category details in Top Upload, Download, or Blocked Flow detail pages. [iOS only]
• Fixed the issue where, after pairing an Extended Warranty license with your Firewalla box, the success page may display "Access Point" instead of "Firewalla Box". This is a display issue only and does not affect the effectiveness of your EW license. [iOS only]
• Fixed the issue where certain Apps in the App List displayed a Beta label incorrectly.
• Fixed an issue where opening a Firewalla official document in the in-app browser could cause a loading loop. [Android only]
• Fixed an issue where device IP reservation incorrectly allowed reserving an IP already used by the gateway.
• Fixed an issue where blocking rules were incorrectly allowed to match the gateway IP.
• Other minor display issues and bug fixes.

Known Issues

• Issue: When devices connect to WPA2/WPA3 Enterprise Wi-Fi, the connection info on the Device Detail page may show “Security: WPA Enterprise.”
  • How to Fix: This will be fixed in the next AP release.
• Issue: Configuring IPv6 DNS server is not supported when the WAN connection type is PPPoE.
  • How to Fix: This will be fixed in a future box release.
• Issue: AP pairings cannot be migrated between Router Mode and Bridge Mode.
  • How to Fix: This will be fixed in a future app release. For now, you’ll need to manually reset the APs and pair them again after switching modes.
• Issue: In bridge mode, after migrating data from one box to another, the paired AP may not work as expected.
  • How to Fix: Restart the Access Point after migrating box data.
• Issue: Notifications for Porn Activity alarms may contain no description if the device that triggered the alarm belongs to a user. [Android Only]
  • How to Fix: This will be fixed in the next box release.