(This feature requires App 1.69. See the full release notes here. On earlier app versions, you can still configure all of these protections manually via Rules or via the Family button.)
Firewalla offers many different options for securing your network. Firewalla Controls doesn't add new protections; it bundles existing Firewalla features into one screen so you can enable them with a single tap instead of building rules manually.
On App 1.69 or later, on your Firewalla's main screen, tap Controls. You'll see five main features:
1. Advanced Threat Filtering
Advanced Threat Filtering can quickly block traffic to and from potentially dangerous sites. This includes phishing or malicious sites that devices on your network may access accidentally.
Advanced Threat Filtering will be applied to all devices. To apply it to only some devices, use manual Rules instead.
1.1. Lookalike/Punycode Domains
(Requires Box 1.983 or later. See the full release notes here.)
Lookalike/Punycode Domains is a Target List that can block domains containing non-English characters. Such domains are encoded in Punycode, which is typically used to represent characters from other languages in domain names.
For example, a domain like firewαllα.com using a Greek 'alpha' (α) will be encoded as xn--firewll-5lfc.com.
These domains can sometimes be used to impersonate legitimate sites (also known as IDN Homograph Attacks), but blocking them may also block legitimate non-English sites.
Note:
- This does NOT include domains that use valid English characters to impersonate sites, such as firewaIIa.com, using a capital 'i' instead of an 'L'.
- This Target List will also block trusted website domain names that do NOT use English.
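The distinction in the note above can be checked directly. The following is an added example, not Firewalla's code: it converts labels to and from their xn-- form with Python's built-in punycode codec (raw Punycode only, without full IDNA normalization) and reports which non-ASCII characters a domain hides. The function names and the sample list are assumptions made for illustration.

```python
import unicodedata

ACE_PREFIX = "xn--"  # prefix that marks a Punycode-encoded label

def to_ace(label):
    """Encode one label to its xn-- form; ASCII-only labels are only lowercased."""
    if label.isascii():
        return label.lower()
    return ACE_PREFIX + label.lower().encode("punycode").decode("ascii")

def from_ace(label):
    """Decode an xn-- label to Unicode; None means the Punycode is malformed."""
    if not label.lower().startswith(ACE_PREFIX):
        return label
    try:
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    except ValueError:  # UnicodeError is a subclass of ValueError
        return None

def inspect_domain(domain):
    """Report whether a domain is Punycode and which non-ASCII characters it hides."""
    ace_labels = [to_ace(l) for l in domain.rstrip(".").split(".")]
    decoded = [from_ace(l) for l in ace_labels]
    hidden = sorted({ch for d in decoded if d for ch in d if not ch.isascii()})
    return {
        "ace": ".".join(ace_labels),
        "unicode": ".".join("?" if d is None else d for d in decoded),
        "is_punycode": any(l.startswith(ACE_PREFIX) for l in ace_labels),
        "non_ascii": [unicodedata.name(ch, "UNNAMED") for ch in hidden],
    }

# Constructed sample input: the two example domains from the text plus a plain one.
SAMPLES = ["xn--firewll-5lfc.com", "firewaIIa.com", "firewalla.com"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(inspect_domain(name))
```

The ASCII lookalike firewaIIa.com is reported as not Punycode with no hidden characters, which is why a Punycode-based list cannot catch it.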
1.2. Newly Registered Domains
Newly Registered Domains (NRDs) is a Target List that contains domains that have been registered in the past 14 days.
It's a common security practice to block NRDs, as they can sometimes be used for phishing, malware, tracking, or other malicious activities.
Advantages of blocking NRDs:
- Stop phishing and scam campaigns. Attackers often register domains before launching scam attacks. Blocking NRDs can stop these scams before they reach you.
- Avoid accidental visits to fake sites. Some NRDs mimic legitimate domains using typos or similar-looking characters (like a "zero" instead of an "O"). Blocking NRDs can reduce accidental visits to these fake sites.
- Prevent command-and-control (C2) communication. Many malware infections rely on NRDs to communicate with remote servers. Blocking NRDs can stop infected devices from sending data or receiving commands.
However, there are some disadvantages to blocking NRDs:
- Legitimate new services may be blocked. New startups, product launches, or marketing campaigns may be incorrectly blocked if they use a newly registered domain.
- Not all bad sites can be blocked. Blocking NRDs won't stop attacks that use older, compromised domains with good reputations.
2. Region Blocking
By default, Firewalla's built-in ingress firewall blocks all incoming traffic, so you never have to worry about unwanted traffic coming into your network. But if you want to control which regions your network can access (i.e., outgoing or egress traffic), you can use Region Blocking.
Region Blocking will be applied to all devices. To apply it to only some devices, use manual Rules instead.
Learn more about manual Regional Filtering here.
Note:
- If you have manually created block rules for Regions on all devices, they will be displayed under Region Blocking.
- Purple, Purple SE, and Orange boxes have a 10-region limit across all rules (allow, block, Smart Queue, and Routes). Gold series boxes have no limit.
- WARNING: Region Blocking may not always be accurate. The more countries you block, the more likely you are to run into a false positive (a false block that causes trouble).
3. Bypass Prevention
Firewalla can only apply protections to devices that Firewalla can track. Some devices may try to get around policies by using VPNs, DoH services, or private relays. Bypass Prevention can stop devices from evading your filters.
Bypass Prevention can be applied to selected devices.
In general, it is good practice to enable Bypass Prevention on your LAN and to use DoH (or VPN) on the Firewalla itself to encrypt DNS and data traffic. This gives your Firewalla maximum visibility and also protection.
(Note: In App 1.68 or earlier, this feature is part of 'Family Protect'.)
4. Content Filtering
Content Filtering automatically blocks access to sites with offensive or unwanted content. We offer two different Content Filtering modes:
- Native: This mode leverages Firewalla's blocking features to give you full control over what to block right on the Firewalla box. When you turn on Native Content Filtering, a set of default blocks will be automatically configured for you.
- 3rd-Party: This mode uses 3rd-party DNS services to filter content. Since this is a DNS service, it cannot be used with other DNS services, such as Unbound or DoH.
Content Filtering can be applied to selected devices. To learn more about Content Filtering, consult the Family Protect article.
(Note: In App 1.68 or earlier, this feature is part of 'Family Protect'.)
5. Safe Search
Safe Search automatically filters out offensive content in search results. It supports the most common search engines, including Google, YouTube, Bing, and DuckDuckGo.
Enabling Safe Search also enables YouTube's Restricted Mode, which hides mature content, including comments on YouTube videos.
We do NOT recommend this for work. Safe Search can also limit access to many useful sites.
Learn more about safe search here.