WAN logs, portscans, DOS attacks, any of that?

Comments

35 comments

  • Avatar
    Firewalla

    Do you mean hits against the router?  we can certainly expose some of that in the future if we get more +1 to this post :).  Most people don't care ... 

    10
    Comment actions Permalink
  • Avatar
    Firewalla

    Ack will see if the upcoming 1.972 can show this data.  Watch our postings, once we have something, we are likely to ask for early access testers.

    3
    Comment actions Permalink
  • Avatar
    Firewalla

    1.972 will have the code to capture blocks and likely app 1.45 will have the UI to display them.  If 1.45 is slow, we can add blocks to web first.

    2
    Comment actions Permalink
  • Avatar
    Andy brown

    A definite +1 from me

    I would love to know if I get any hits against the router.

    1
    Comment actions Permalink
  • Avatar
    Ian

    +1

    1
    Comment actions Permalink
  • Avatar
    Lestrod Gould

    +1

    1
    Comment actions Permalink
  • Avatar
    Dave Kellermanns

    +1

    1
    Comment actions Permalink
  • Avatar
    Jef

    Do we reply +1 or use the voting feature? :)

    I came looking for just this. I was just sshing to the FWG and was looking to see the log streams if the data was there. It would be great to have a WAN view of traffic attempting connections inbound, scans, etc.

    1
    Comment actions Permalink
  • Avatar
    Martins

    +1 ! I'm really interested in this because after I setup my Xfinity gateway in Bridge mode to hookup my Firewalla Gold, I notice that I'm having some "package loss".

    Before I setup the ISP gateway in Bridge mode, it's firewall was slammed every day by such "attacks" with thousands of attempts just by analyzing it's logs...

    Now in Bridge mode seems that the gateway firewall is disabled, and I have no alerts from Firewalla at all.

    I still investigating this issue, I also have installed a cable signal amplifier just to make sure my gateway is getting the best signal, but I still facing package loss...

    For example if I ping the google DNS 8.8.8.8 some times I get 10%/15%  of loss!

    1
    Comment actions Permalink
  • Avatar
    Richard Poeling

    This is one of the main reasons why I was looking for a product like Firewalla Gold.  I thought it would provide logs on who is trying to hit my systems.  I have to have a handful of computers available on the Internet and have limited the open ports to just what I need, but without any kind of inbound traffic logging, I have no way to know who all is trying to gain access that shouldn't be.  Please add this feature, as it's sorely missing.  

     

    1
    Comment actions Permalink
  • Avatar
    Miguel Hummel

    +1 for a WAN threat dashboard maybe through the web UI, more logging for IDS events such as when something is blocked by your threat intel, and longer network logs (maybe support logging to an external drive through the UI) and please please syslog support

    also maybe making a section to see resource usage (like storage, if we want to extend log storage we know how much space we might get)

    1
    Comment actions Permalink
  • Avatar
    mastadon extinction

    Firewalla, The problem is we just get an alert "blocked malicious connection" but no further info except ip address etc. It would be nice if we could have the function to send blocked packet info/logs or pcaps to another server for analysis. I understand thats prob a little beyond what most consumers want. I do notice i get some zmap scans picked up by my security onion running suricata that make it past the firewalla. This is why it would be helpful to have those logs so i can see if the firewalla blocked any additional traffic from those ip's 

    1
    Comment actions Permalink
  • Avatar
    Steve Vogel

    @FW Team: do you anticipate that in 1.972?

    @mastadon extinction: what kind of “ security onion” did you set up, and how?

    Thanks.

    1
    Comment actions Permalink
  • Avatar
    Brian Shimkus

    +1

    In a business setting, I’d find this valuable. With more visibility, could come more piece of mind.

    In a home/consumer setting, I’d find this interesting and extracting the data to visualize threats would be great!

    0
    Comment actions Permalink
  • Avatar
    Steven Vogel

    +1 here too

    0
    Comment actions Permalink
  • Avatar
    David Osborne

    You said you installed a cable signal amplifier. Is it unidirectional, or bi-directional? What kind of power values are you seeing on your gateway's stats page? Uncorrectable/correctable code words, etc?

    Most cable amplifiers aren't really meant for modern cable modems, especially if they don't cover the full frequency range the modem expects to receive. They're typically configured for cable set-top boxes. Also, if it's unidirectional (and pointed towards your gateway), it could affect your upload strength, or provide too much power and cause more loss. 

    0
    Comment actions Permalink
  • Avatar
    John A. Quinn

    +1

    0
    Comment actions Permalink
  • Avatar
    Martins

    @David Osborne, It's bi-directional and it's for this purpose because the 1st one I bought it was just for the TV signal, and I spoke with the seller, and he indicated the one I have now !

    Form Downstream the SNR is about 38.983 dB on all channels and the Power Level of 1.400 dBmV on almost channels and couple if the minimum of 0.700 dBmV.

    For Upstream the Power Level is 42.750 dBmV for all of 3 channels.

    The Correctable Codewords: between 12 to 65 on all channels.

    And the Uncorrectable Codewords is 0 (zero) for all the channels now.

    But the problem was with my 20 bucks switch....

     

    0
    Comment actions Permalink
  • Avatar
    Gerard

    +1

     

    I was hoping that in the near future, the Web Dashboard would be able to display more than just 'Outbound' connections. It would be nice to see all traffic Inbound/Outbound and Internal with port numbers, also blocked traffic.

    0
    Comment actions Permalink
  • Avatar
    Nicky Bangcola

    +1

    Would be nice to have that.

    0
    Comment actions Permalink
  • Avatar
    RDubbs

    +1

    Definitely accustomed to having this on other firewalls and would be a great WAN "Threat" dashboard to have.

    0
    Comment actions Permalink
  • Avatar
    Hoby Brenner

    +1 Syslog support?

    0
    Comment actions Permalink
  • Avatar
    Hector

    +1

    0
    Comment actions Permalink
  • Avatar
    mastadon extinction

    Id be very interested in that. Right now I have a security onion sniffing all traffic to and from the firewalla from my lan. Id love a threat/malicious actions dashboard so I can compare ips that made it through that got flagged by security onion vs those that got insta blocked

    0
    Comment actions Permalink
  • Avatar
    David Osborne

    What I've noticed since originally opening this thread is that the only time I get "Active Protect" alerts is when I have some service/port open to the internet, and a malicious IP attempts to hit it. The best example was running a NextCloud server, I got so many alerts I just gave up and muted them. It'd be cleaner if there was a dashboard to manage those statistics, though.

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    @David, we will be building stats and also blocked logging soon, hopefully, that will make things cleaner.

    If you are getting flows into your server, you probably want to better control it.  (either through VPN or control who can access that server from outside).   It is pretty risky if you are getting too many alerts on that.

    0
    Comment actions Permalink
  • Avatar
    mastadon extinction

    Steve.

    I have a security onion 2.3 virtual machine with its own dedicated nic in promiscuous mode sniffing all traffic leaving and entering my lan switch to firewalla port. I mirrored that port to another which the security onion nic is connected to.

    Google security onion 2.3 .

    0
    Comment actions Permalink
  • Avatar
    networker5

    It will be very useful to actually see what firewalla is doing and what sort of threats, hackers are targeting me. Honestly I would have expected this to be job number one of the firewall... And some sort of packet logging even if that can be viewed on my desktop or another device. I recently got the gold and trying to make sure I bought the right thing:)

    0
    Comment actions Permalink
  • Avatar
    mastadon extinction

    @firewalla.

    Not even joking. I'm very happy to hear this.

    If you guys set this up and set up ability to do multiple VPN profile connections simultaneously in the app , I plan on buying a firewalla gold for each of my inlaws over the year after that feature gets pushed. I'm talking 5+ firewalla golds. Thanks for being responsive to customer wishes.

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    @mastadon, VPN server or VPN client?

    0
    Comment actions Permalink

Please sign in to leave a comment.