"Abnormal Upload" Algorithm Issues

Comments

17 comments

  • Firewalla

    This document may have some information: https://help.firewalla.com/hc/en-us/articles/360020926913-Abnormal-Upload-Alarms-Tutorial

    Muting the alarm will definitely help. The algorithm behind it is learning-based, so it is one of those things that may have a mind of its own.

  • RDubbs

    I had already looked at that article, but thanks for sending.  It's quite vague and doesn't really cover the touch points above.

    Muting each alarm does nothing.  In the 5 months I've had the FWG, it has not learned any device upload characteristics and just repeats the alerts daily.

    I'll mute all abnormal upload notifications for now until it's more mature and/or device-level muting is enabled.

  • Firewalla

    The current algorithm is not perfect for sure; it does have problems adapting to devices that randomize over a huge set of IP addresses. We have a task for 1.973 to make it better. Hopefully, there will be less noise.

  • Brad

    Would it make sense to add a button that is basically "This is Normal" so that the user could better train the algorithm?

  • Firewalla

    "Mute" will give the system feedback.

  • RDubbs

    @firewalla it doesn't appear the algorithm processes that feedback given the daily mutes for the same traffic and devices I've gone through for months.

    Hoping for improvement in 1.973

  • Daniel

    I cannot really see any improvement on this in 1.973

  • Firewalla

    @Daniel, can you give us an example? We constantly tune the algorithms; since some of the things are "smart", it may or may not show the difference for all the different networks.

  • Daniel

    For example, my NAS uploads backups each night at the same time.
    I always get abnormal alerts for that.

  • Daniel

    Also regular uploads to icloud-content.com.

    Actually never seen anything abnormal

  • Daniel

    Any further updates on this?

  • vgpardue

    Would anyone else find it useful to mute abnormal uploads for a group, rather than all devices? It’s normal for my Ring devices to upload to ps.ring.com, but not for other devices.

  • Bill Greenberg

    I know this is an older thread but it's still a problem. What I really want to be able to do is tune abnormal uploads to just larger uploads. I don't usually care about a few megabytes, but a few hundred MB is a different story. I don't want to mute most domains or IPs. I just need to mute everything below, say, 100MB.

  • Firewalla

    The abnormal upload is behavioral instead of just having a limit. I do know that in 1.51 we started tuning this; give it a try: https://help.firewalla.com/hc/en-us/articles/7367027330195-App-Release-1-51

  • Bill Greenberg

    Yes, I've been playing around with it but it still isn't quite what I'm looking for. I'd love the behavior to take into account the amount of data as I mentioned. At the moment "low" is still producing too many alerts that just aren't useful to me. But I can't mute most of the host or IP addresses. I just really care about LARGE amounts of data being uploaded, possibly indicating data exfiltration in a ransomware attack.

  • Firewalla

    Let me see if we can just build a large upload alarm; it is much easier than the behavior alarms.

  • Bill Greenberg

    That would be interesting! Thanks!

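A sketch of the volume-based "large upload" alarm requested in this thread, combined with the group-scoped mute idea raised earlier. This is an added example, not Firewalla's code or algorithm; the flow record layout, group names, one-hour window, mute pattern and sample flows are all assumptions constructed for illustration.

```python
from collections import defaultdict
from fnmatch import fnmatch

THRESHOLD_BYTES = 100 * 1000 * 1000  # the "say, 100MB" floor from the thread
WINDOW_SECONDS = 3600                # assumed aggregation window

# Hypothetical group-scoped mutes: (device group, destination pattern).
# Only devices in the named group are exempt for that destination.
GROUP_MUTES = [("cameras", "*.ring.com")]

# Constructed flows: (epoch seconds, device, group, destination, bytes uploaded)
SAMPLE_FLOWS = [
    (1000, "doorbell", "cameras", "ps.ring.com", 180_000_000),
    (1200, "laptop", "laptops", "ps.ring.com", 150_000_000),
    (1300, "phone", "phones", "icloud-content.com", 4_000_000),
    (2000, "desktop", "laptops", "files.example.net", 60_000_000),
    (2900, "desktop", "laptops", "files.example.net", 55_000_000),
    (9000, "desktop", "laptops", "files.example.net", 30_000_000),
]


def is_muted(group, destination, mutes=GROUP_MUTES):
    """True when this group is allowed to upload to this destination."""
    return any(group == g and fnmatch(destination, pat) for g, pat in mutes)


def large_upload_alarms(flows, threshold=THRESHOLD_BYTES, window=WINDOW_SECONDS):
    """Sum upload bytes per (window, device, destination); alarm at threshold.

    Summing per window catches many mid-sized flows that add up to a large
    transfer. Fixed windows can split one transfer across a boundary; a
    sliding window would close that gap at the cost of more state.
    """
    totals = defaultdict(int)
    for ts, device, group, dest, sent in flows:
        if is_muted(group, dest):
            continue
        totals[(ts // window, device, dest)] += sent
    return sorted(
        (device, dest, bucket * window, total)
        for (bucket, device, dest), total in totals.items()
        if total >= threshold
    )


if __name__ == "__main__":
    for device, dest, start, total in large_upload_alarms(SAMPLE_FLOWS):
        print(f"LARGE UPLOAD {device} -> {dest}: {total / 1e6:.0f} MB from t={start}")
```

The doorbell's upload to ps.ring.com is muted through its group, while the laptop sending to the same destination still raises an alarm, and the small iCloud upload never reaches the threshold.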