Firewalla raises Alarms whenever it detects certain activities, such as possible cyberattacks, abnormal activity, device online activity, and more. But once you receive an Alarm, what should you do with it?
In this article, we’ll discuss how to handle certain Alarm types and what you should do.
General Tips
In general, you should always tap into the Alarm to see more details about the source, destination, and the type of activity that occurred.
If you need help identifying or understanding a destination, you should use our Security Info Lookup and Alarm Feedback tools.
Security Info Lookup
If you want to learn more about the website or the IP address your device is communicating with, you can look up more security info about the destination/source on a third-party website.
Tap on the domain or IP address of the destination, then tap Security Info Lookup.
Alarm Feedback
The Internet is very dynamic. There's a possibility that Firewalla may misclassify flows from time to time. If you believe that an alarm has been categorized incorrectly, you can provide feedback directly.
Tap the "..." on the top right corner of an alarm, then tap Provide feedback.
Specific Tips
Need more specific guidance? Here are some guides for handling specific Alarm Types:
- Port Scan Activity
- SSH Password Guessing
- Malware Activity / Security Activity
- Abnormal Upload / Large Upload
- Open Port
- Firewalla MSP Generated Alarms
Port Scan Activity
Firewalla detected port scans on your network. This could be an external device scanning your network, or a legitimate service or device testing open ports inside your network.
STEP 1: Check the source
Check if it’s an outside-to-inside or an inside-to-inside scan. Tap into the alarm details and check the source.
If it’s a source from outside your network, continue to Step 2.
If it’s a device inside your network:
- Check if you have antivirus software installed on your device. If you do, check its scan history and see if it matches the time of your alarm.
- If you are running another Firewalla inside your network, check the Vulnerability Scan feature.
- If you trust the device and recognize the activity, you can Archive or Mute the alarm.
- If you don’t recognize the activity:
  - With Firewalla AP7 or Firewalla Orange Wi-Fi LAN, enable Device Isolation on the device.
  - If you don’t have Firewalla Wi-Fi, you can manually place the device on a segmented network and apply a rule to block traffic to & from local networks.
  - Continue to Step 5.
STEP 2: Check the External Open Port Scan
Check if any open ports can be reached from the Internet with our built-in External Open Port Scan. From your box’s main screen, tap Scan → Scan Open Ports.
If there are open ports:
- Identify who opened the port and why. The port may be opened by your upstream router, devices in your network via UPnP, or your own manual configurations.
- Refer to our External Open Port Scan for how to handle these open ports.
STEP 3: Check your port forwarding or UPnP
Check if you have Port Forwarding or UPnP enabled. From your box’s main screen, tap Network → NAT Settings → Port Forwarding.
If UPnP is enabled:
- Disable it if you don’t need it.
- Or restrict it to specific networks.
If you have Port Forwarding rules:
- Remove them if they are no longer needed.
- Or limit ingress access to specific regions or IPs.
We strongly recommend using Firewalla’s VPN Server instead of exposing ports directly to the internet.
STEP 4: Check the Ingress Firewall
If you’re in Router Mode, make sure the Ingress Firewall is turned on. The Ingress Firewall blocks unwanted traffic from the Internet into your network.
From your box’s main screen, tap Rules → All Devices → Ingress Firewall.
STEP 5: Check for related SSH Password Guessing Alarms
Check if you have any SSH Password Guessing Alarms for the same source device or IP around the same time as the Port Scan Alarm.
If there are no related SSH Alarms:
- This is likely just common Internet activity.
- Attackers constantly scan for open ports, and Firewalla cannot prevent them from attempting to scan.
- As long as the Ingress Firewall is enabled and you do not have open ports, Firewalla will block these attempts from reaching your internal network.
If there are SSH Alarms:
- This could be a more serious situation. In this case, we recommend that you:
  - Disable SSH Access on your WAN interface if it was ever enabled.
  - Change SSH and other credentials on the destination device and review logs for any successful logins.
  - With Firewalla Wi-Fi (via Firewalla AP7 or Firewalla Orange), enable Device Isolation on the source and destination devices (if inside your network).
  - If you don’t have Firewalla Wi-Fi, you can manually place the devices on a segmented network and apply a rule to block traffic to & from local networks.
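Step 5 is a correlation check: the same source producing both a Port Scan alarm and SSH Password Guessing alarms close in time is the serious case. The following is an added example (not Firewalla's code or data) that applies Steps 1 and 5 to a list of constructed alarm records; the Alarm fields, the 30-minute window and the use of RFC 1918 ranges to mean "inside your network" are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed alarm record; the field names are an assumption, not Firewalla's export format.
@dataclass
class Alarm:
    kind: str          # e.g. "Port Scan Activity" or "SSH Password Guessing"
    source: str        # source IP shown in the alarm details
    destination: str   # destination IP shown in the alarm details
    time: datetime     # time the alarm was generated

PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # RFC 1918 = "inside"

def is_internal(addr: str) -> bool:
    return any(ip_address(addr) in net for net in PRIVATE_NETS)

def related_ssh_alarms(scan, alarms, window=timedelta(minutes=30)):
    """Step 5: SSH Password Guessing alarms from the same source within +/- window of the scan."""
    return [a for a in alarms
            if a.kind == "SSH Password Guessing"
            and a.source == scan.source
            and abs(a.time - scan.time) <= window]

def triage_port_scan(scan, alarms, window=timedelta(minutes=30)) -> dict:
    """Combine Step 1 (source inside or outside) with Step 5 (related SSH alarms)."""
    origin = "internal" if is_internal(scan.source) else "external"
    ssh = related_ssh_alarms(scan, alarms, window)
    if ssh:
        verdict = "escalate"                # disable WAN SSH, rotate credentials, review logs, isolate
    elif origin == "internal":
        verdict = "review-internal-device"  # antivirus/vulnerability scan history, else isolate
    else:
        verdict = "common-scanning"         # confirm Ingress Firewall is on and no ports are open
    return {"source": scan.source, "origin": origin, "related_ssh": len(ssh), "verdict": verdict}

# Constructed sample alarms using documentation (TEST-NET) addresses, not real indicators.
T = datetime(2024, 1, 1, 10, 0)
SAMPLE_ALARMS = [
    Alarm("Port Scan Activity", "203.0.113.7", "192.168.1.1", T),
    Alarm("SSH Password Guessing", "203.0.113.7", "192.168.1.20", T + timedelta(minutes=12)),
    Alarm("Port Scan Activity", "198.51.100.9", "192.168.1.1", T + timedelta(hours=1)),
    Alarm("Port Scan Activity", "192.168.1.50", "192.168.1.20", T + timedelta(hours=2)),
    Alarm("SSH Password Guessing", "203.0.113.7", "192.168.1.20", T + timedelta(hours=5)),
]

if __name__ == "__main__":
    for a in SAMPLE_ALARMS:
        if a.kind == "Port Scan Activity":
            print(triage_port_scan(a, SAMPLE_ALARMS))
```

Widening the window changes the outcome: the last sample alarm is five hours after the first scan and is only counted when the window covers it, which is why the alarm time, not just the source, matters in Step 5.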
SSH Password Guessing
Firewalla detected multiple login attempts to an SSH service (port 22) on a device in your network. This usually indicates that someone is attempting to guess SSH credentials. This activity may come from an external source on the internet or from a device inside your network.
STEP 1: Check the source
Check if the device is attempting SSH from outside or inside your network. Tap into the alarm details and check the source.
If it’s a source from outside your network, continue to Step 2.
If it’s a device inside your network:
- Check if you have antivirus software installed on your device. If you do, check its scan history and see if it matches the time of your alarm.
- If you are running another Firewalla inside your network, check the Vulnerability Scan feature.
- If you trust the device and recognize the activity, you can Archive or Mute the alarm.
- If you don’t recognize the activity, continue to Step 2.
STEP 2: Close your Firewalla SSH
In most cases, if you’re receiving SSH Password Guessing alarms, your Firewalla SSH Console is open on the WAN or LAN interface.
Close your SSH Console if you don’t use it:
- From your Firewalla’s main screen → tap Settings (top right corner) → Advanced → Configurations → SSH Console.
- Toggle off the SSH Console on your LAN and/or WAN interfaces.
STEP 3: Check your port forwarding or UPnP
Check if the SSH exposure is caused by Port Forwarding or UPnP on your Firewalla Box. From your box’s main screen, tap Network → NAT Settings → Port Forwarding.
If UPnP is enabled:
- Disable it if you don’t need it.
- Or restrict it to specific networks.
If you have Port Forwarding rules for SSH (Port 22):
- Remove them if they are no longer needed.
- Or limit ingress access to specific regions or IPs.
We strongly recommend using Firewalla’s VPN Server instead of exposing SSH directly to the internet.
STEP 4: Check the Ingress Firewall
If you’re in Router Mode, make sure the Ingress Firewall is turned on. The Ingress Firewall blocks unwanted traffic from the Internet into your network.
You can check by tapping Rules (from your box’s main screen) → All Devices → Ingress Firewall.
Malware Activity / Security Activity
Firewalla detected your device accessing a known malicious site. Firewalla will notify you of the activity, and depending on the severity and reputation, Firewalla may block the flow on its own.
Firewalla security notifications are based on the reputation of the site. Site reputations are not clearly good or bad; they may vary depending on the event that occurred, when it happened, and many other factors. Due to this, Firewalla might not auto-block certain sites and may just generate an alarm.
You can tune how often these alarms are triggered by changing the Default Active Protect Engine to Strict Mode.
STEP 1: Was the flow blocked?
Sometimes, Firewalla will automatically block traffic flows if it knows the site is definitely malicious or malware.
If the site was blocked, there’s no need to do anything extra.
- We highly recommend that you keep it blocked.
- If you have issues accessing certain sites that you need, please see: What to do when you can’t access certain websites.
If the site was not blocked, continue to Step 2.
STEP 2: Check the Security Info Lookup
Use our built-in Security Info Lookup tool to learn more about the site your device is accessing.
If you recognize the site, site owner, or trust the site, you can Archive or Mute the alarm.
If you don’t recognize or trust the site, tap Block on the Alarm to block the site in the future.
- It is always better to block unknown sites and unblock them later if it causes issues with your trusted services.
- You can also try using Regional Filtering and block your devices from accessing that region completely.
STEP 3: Enable Active Protect Strict Mode
Firewalla’s built-in Active Protect is an IPS/IDS engine based on reputation. If you’d like Firewalla to block more sites by default instead of just raising an Alarm, consider enabling Strict Mode.
From your Firewalla’s main screen → tap Protect → Active Protect → under Default Engine, tap Mode → select Strict.
Note that Strict Mode may raise more false positives due to its higher blocking probability.
Abnormal Upload / Large Upload
Firewalla detected your device uploading data to a site, which may be abnormal or larger than usual. This usually indicates actual file uploads or data syncing to the cloud.
STEP 1: Ask Firewalla AI
Firewalla has a built-in AI Assistant that can help you understand any alarms that may be unusual. Firewalla AI can help analyze the domain and suggest some self-diagnosis steps to take.
From the Alarms page, tap the AI button on the top right of the Alarm. Alternatively, you can tap into the Alarm and tap Ask AI about this alarm.
If you don’t want to use Firewalla AI, you can follow our general tips in Step 2.
STEP 2: General tips to try
In general, you should check:
- The data transfer time. If any known events triggered the alarm around that time (e.g., your smart doorbell sends you an alert, then Firewalla sends you an Upload Alarm), the upload is likely legit.
  - Note that the alarm-generated time may be a bit behind the data transfer time due to the process of gathering and analyzing the behavioral pattern.
- The destination. If the destination is related to the device itself (e.g., your Google device uploading to Google), the upload is likely legit.
  - Learn more about the destination by using our Security Info Lookup tool.
- The data transferred. If the device uploads a reasonable amount of data (e.g., a few megabytes of data) to a known destination, the upload is likely legit.
For a full, detailed tutorial, check out our Abnormal Upload Alarms Tutorial.
STEP 3: Adjust the Alarm Sensitivity or Threshold
If you’re receiving too many Upload Alarms, you can adjust the Alarm Sensitivity (for Abnormal Upload) and Alarm Threshold (for Large Upload).
Tap the Alarm Settings icon in the top right corner of the Alarms page.
- For Abnormal Upload: Set the “Alarm Sensitivity” to Low.
- For Large Upload: Set the “Alarm Threshold” to your desired amount in MB.
STEP 4: Configure Mute Settings for legit traffic
If you know that your device is uploading legit traffic, but you’d like to stop receiving Upload Alarms for them completely, you can mute them to stop receiving alarms about similar activities in the future.
- Tap Mute directly from the Alarm or Alarm Detail. You can adjust the target and device to mute.
- For more specific Mute Settings, you can choose to mute specific ports, devices, target lists, or destinations.
  - Go to your Alarms page → tap Alarm Settings (top right corner) → select Abnormal Upload or Large Upload → Mute Settings.
Open Port
Firewalla detected ports being opened via the UPnP protocol. Some devices open ports via UPnP as part of their normal function, but those ports can accept connections from outside, possibly allowing malicious entities to enter your network.
STEP 1: Do you recognize the service that opened the port?
Most services will close the open port when they’re done, but some services might open ports permanently.
- If you trust the service and recognize the activity, you can Archive or Mute the alarm.
- If you don’t recognize or trust the service and/or activity, continue to Step 2.
For a full, detailed tutorial, see How do I Handle Open Port Alarms?
STEP 2: Block unrecognized Open Ports
If you don’t recognize the Open Port, you should block the flow.
From the Alarm page, or from the Alarm Detail, tap Block to automatically create a rule to block inbound traffic to that local port.
STEP 3: Check your UPnP settings
If you continue to get Open Port alarms, check if you have UPnP enabled. From your box’s main screen, tap Network → NAT Settings → Port Forwarding.
If UPnP is enabled:
- Disable it if you don’t need it.
- Restrict it to specific networks whenever possible.
We strongly recommend using Firewalla’s VPN Server instead of exposing ports directly to the internet.
If you absolutely need an open port, set up secure port forwarding instead, and limit ingress access to specific regions or IPs.
Firewalla MSP Generated Alarms
Firewalla MSP’s MSP Active Protect can leverage extended data visibility (up to 30 or 180 days of flow history) to help analyze your network’s behavior.
With Advanced Behavioral Alarm, Firewalla MSP can generate new alarms and identify anomalies, such as devices accessing sites outside of their typical behavior patterns.
STEP 1: Check the Security Info Lookup
Use our built-in Security Info Lookup tool to learn more about the site your device is accessing.
- If you recognize the site, site owner, or trust the site, you can Archive or Mute the alarm.
- If you don’t recognize or trust the site, tap Block on the Alarm to block the site in the future. It is always better to block unknown sites and unblock them later if it causes issues with your trusted services.
STEP 2: General tips to try
In general, you should check:
- The data transfer time. If any known events triggered the alarm around that time (e.g., your smart doorbell sends you an alert, then Firewalla sends you an Upload Alarm), the upload is likely legit.
  - Note that the alarm-generated time may be a bit behind the data transfer time due to the process of gathering and analyzing the behavioral pattern.
- The destination. If the destination is related to the device itself (e.g., your Google device uploading to Google), the upload is likely legit.
- The data transferred. If the device uploads a reasonable amount of data (e.g., a few megabytes of data) to a known destination, the upload is likely legit.
For a full, detailed tutorial, check out our Abnormal Upload Alarms Tutorial.