Misunderstanding Firewalla Functionality...?
Hi all,
I have a couple of questions concerning how I thought Firewalla would respond as opposed to how it actually does respond (and where my misunderstanding starts):
First, as part of my monthly cyber-hygiene, I run a simple scan of my internal network using nmap. I usually do it from a VM running Windows 7, which is on my internal network segment, but isolated from the internet. The purpose of the scan has been to monitor the appearance/disappearance of any unknown ports, so while the scan is limited by no internet access (specifically DNS resolution), it has served its purpose. The thing is, I would have expected it to trigger the Firewalla to light up like a Christmas tree, yelling "PORT SCAN! PORT SCAN!" It was silent, however (even though the software firewalls on the various hosts in the subnet all reflected the scan). Then, I tried the same thing from a Kali Linux VM (which HAS internet access), and this time the Firewalla spat out a security alert for the port scan. What am I missing?
Second, I have had the "Family Protect" thing active since day one, and I never gave it a second thought after seeing the stuff it blocks, including all VPN sites. And yet I am able to connect to the Norton 360 VPN servers with no issue. Is it because I am the one initiating the connection from inside that the VPN tunnel is allowed to form? I would have thought that Firewalla would take one look at the destination (the Norton 360 VPN server) and shut it down. Again, where am I all wet?
Thanks!
Mongo
-
I will let someone more knowledgeable on Family Protect answer your second query. However, your first question depends entirely on how your network is connected to the Firewalla. For FW to alarm, it must see the traffic triggering the alarm.
If your machine with the VM is on the far side of a switch or an AP from the FW, any of the traffic to other devices also connected through the switch or AP will very likely be forwarded directly at layer 2 (Ethernet or WLAN) internal to the switch or AP. This includes traffic between devices on the same VLAN. Only if the traffic needs to be switched between VLANs, routed between segments, or switched between parts of the same VLAN that appear on different ports of the FW, will the FW be able to see the port scan traffic.
I hope this helps to better understand what you are seeing.
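Added example, not part of the original thread: a small Python model of the three cases named in the reply above, used to predict which targets of an internal scan the Firewalla can observe. The `Host` fields, host names, addresses, VLAN IDs and port numbers are constructed for illustration, and the model assumes each switch or AP uplinks to exactly one Firewalla port.

```python
from dataclasses import dataclass
from ipaddress import ip_interface


@dataclass(frozen=True)
class Host:
    name: str
    iface: str    # address with prefix length, e.g. "192.168.10.50/24"
    vlan: int     # VLAN the host's access port belongs to
    fw_port: int  # Firewalla port that this host's switch/AP uplinks to


def firewalla_sees(src: Host, dst: Host) -> tuple[bool, str]:
    """Return (visible, reason) for traffic sent from src to dst."""
    if src.vlan != dst.vlan:
        return True, "switched between VLANs"
    if ip_interface(src.iface).network != ip_interface(dst.iface).network:
        return True, "routed between segments"
    if src.fw_port != dst.fw_port:
        return True, "same VLAN, but on different Firewalla ports"
    # Same VLAN, same subnet, same uplink: the switch/AP delivers the
    # frames itself and they never reach the Firewalla.
    return False, "forwarded at layer 2 inside the switch/AP"


def scan_visibility(scanner: Host, targets: list[Host]) -> dict[str, tuple[bool, str]]:
    """Map each target name to whether a scan of it crosses the Firewalla."""
    return {t.name: firewalla_sees(scanner, t) for t in targets}


# Constructed sample topology (not taken from the thread).
SCANNER = Host("scan-vm", "192.168.10.50/24", vlan=10, fw_port=1)
TARGETS = [
    Host("nas",     "192.168.10.20/24", vlan=10, fw_port=1),
    Host("printer", "192.168.10.30/24", vlan=10, fw_port=2),
    Host("camera",  "192.168.20.15/24", vlan=20, fw_port=1),
    Host("lab-box", "192.168.30.5/24",  vlan=10, fw_port=1),
]

if __name__ == "__main__":
    for name, (visible, reason) in scan_visibility(SCANNER, TARGETS).items():
        print(f"{name:8} {'seen' if visible else 'NOT seen'}: {reason}")
```

Targets reported as not seen are the ones where only host-based firewalls or a capture point on the switch itself (for example a mirror port) would record the scan.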