Possibility to mute only specific Security Activity Alerts?

Comments

16 comments

  • Firewalla

    See if this can help: https://help.firewalla.com/hc/en-us/articles/360006083334-Manage-Alarms

    You also need to look at the root cause of the alarm: is the scan real? Are they from the WAN side or the LAN side?

  • Alex

    The alarms are from the WAN side. I attached two screenshots (btw: pushed notifications are broken, there is one IP missing). I think the scans are from bots or other "attackers" and are real, but "normal".

    The "scanning IP" is random, and my public WAN IP changes every day (with PPPoE).

    I tried the mute setting under the security activity alarm, but I cannot select Firewalla as the device. I believe I cannot configure it here.

    Regards

    Alex

  • Firewalla

    If the Gold is in router mode and you are getting this, you have a bigger problem.

    1. Did you remove the blocking incoming connection rule that is applied by default to all devices?

    2. Do you have an allow rule that may give exceptions to certain regions?

  • Alex

    Yes, my Firewalla is in router mode. No, I have only block rules for all devices (and also the default blocking incoming connection rule).

    But I cannot follow you: why is a port scan on my public WAN IP a problem? Every day the whole IPv4 internet is scanned by Shodan and botnets... Or do I misinterpret the message?

  • Firewalla

    1. Tap on the monitoring button and see what mode you are running.

    2. Is the 92.117.x.x IP address your WAN IP?

  • Alex

    1. Firewalla Mode -> Router Mode

    2. Yes, it's my WAN IP. I checked it with https://whatismyipaddress.com/ and it is displayed under Settings -> IP Address.

  • Alex

    Btw, with the open ports scan from the app, I also receive an alarm notification.

  • Firewalla

    Tap on the Rules button.

    Tap on All Devices.

    1. Check if you have any block on "Traffic from internet".

    2. Check if you have regional allow rules (like USA).

  • Alex

    Under All Devices I have only block rules (no allow rules). The default "block all traffic from internet" rule is also active.

  • Firewalla

    Alex, I have created a ticket for you on this. We may need more details.

  • Alejandro Sánchez Márquez

    Hello!

    I have kind of a similar scenario. Starting 2 weeks ago or so, I started receiving dozens of messages daily; I think it might have started at the same time the device or app got upgraded.

    I have nothing opened from WAN to LAN. This is the setting for Rules > All devices:

    And then I also have 4 ports allowed on this specific device. These are for a game server, I trust those IPs, and I only activate the policy when needed.

    I have been discarding those scan alerts for a while after figuring out that they did not seem to pose a risk.

    In the Alerts section within the app, you can configure it to except one or more devices/networks, but there is no entry for the WAN interfaces. Could you add them to be eligible?

    Any help would be appreciated.

    Regards.

  • Firewalla

    The scan's likely detected towards a device. Can you tap the alarm? The DMS forwarding you have is likely just the destination.

  • Alejandro Sánchez Márquez

    DMS? The device affected belongs to a group named Dmz, but it is not the DMZ itself.

    The alarm only shows origin and destination IPs.

  • Alejandro Sánchez Márquez

    Hello team,

    This is one of the alarms:

    I do not want to mute the Security-related alarms by any means, but I can't stand having to delete dozens of alarms daily either. Actual alarm count for around 12 days:

    I lowered the security alarm sensitivity, to no effect. I also muted the port scans for the only device which has 3 ports opened.

    I would kindly ask you to either create an entry to be able to mute the port scans for the WAN interface, which is currently not listed, or at least (maybe both) to separate the port scans into an individual category so that they can be muted if needed while preserving the other security alarms.

    Thanks in advance!

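Added example (not Firewalla's code or its alarm format): a small triage filter that applies the distinction drawn in this thread, so that port-scan alarms which only hit a default-deny WAN address can be suppressed while scans that reach a forwarded port or a LAN device, and every non-scan security alarm, are kept. The alarm line shape, the addresses and the forwarded ports are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed environment: TEST-NET and RFC 1918 addresses, not real hosts.
WAN_IP = "203.0.113.7"                     # public address of the router-mode box
LAN = ipaddress.ip_network("192.168.1.0/24")
FORWARDED_PORTS = {25565, 27015}           # hypothetical game-server forwards
# Constructed alarm lines in a simple "<type> <src> -> <dst>:<port>" shape.
SAMPLE_ALARMS = """\
port_scan 198.51.100.23 -> 203.0.113.7:22
port_scan 198.51.100.23 -> 203.0.113.7:3389
port_scan 198.51.100.88 -> 203.0.113.7:25565
port_scan 198.51.100.5 -> 192.168.1.50:445
malware 198.51.100.9 -> 192.168.1.20:443
""".splitlines()
ALARM_RE = re.compile(r"^(\w+) (\S+) -> (\S+):(\d+)$")

def parse_alarm(line):
    """Return (kind, src, dst, port) or None if the line does not match."""
    m = ALARM_RE.match(line.strip())
    if not m:
        return None
    kind, src, dst, port = m.groups()
    return kind, src, dst, int(port)

def triage(kind, dst, port):
    """'keep' (not a scan), 'suppress' (noise at the WAN) or 'investigate'."""
    if kind != "port_scan":
        return "keep"                       # never mute the other security alarms
    if dst == WAN_IP:
        # Scan stopped at the WAN address; only a forwarded port is of interest.
        return "investigate" if port in FORWARDED_PORTS else "suppress"
    try:
        if ipaddress.ip_address(dst) in LAN:
            return "investigate"            # router mode + default deny: a scan
    except ValueError:                      # reaching a LAN host needs a look
        pass
    return "keep"                           # unknown destination: do not hide it

def triage_all(lines):
    """Count verdicts over a batch of alarm lines, skipping unparsable ones."""
    verdicts = Counter()
    for line in lines:
        parsed = parse_alarm(line)
        if parsed:
            kind, _src, dst, port = parsed
            verdicts[triage(kind, dst, port)] += 1
    return dict(verdicts)
```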
  • Firewalla

    Can you paste the alarm here (not the flow)? We can take a look.

  • Alejandro Sánchez Márquez

    Sure!

    And some recent flows for it. The port scan is against the WAN interface (my F Purple is set behind a bridged router).

    Thanks.

