Confusing handling of UPnP

I've been playing with UPnP in an attempt to get at least some of https://help.firewalla.com/hc/en-us/community/posts/50107050146067-MQTT-Home-Assistant-support working.  I didn't actually know the Firewalla had a UPnP server until I saw it discussed on another forum because it's so well hidden, you need to go to Scan -> Port Forwarding -> Manage Port Forwarding and then you can find a UPnP option to enable.  Once you enable it and select a network to apply it to you can get (minimal) information from the Firewalla via UPnP.

None of this makes much sense.  What does enabling UPnP on the Firewalla have to do with network scans?  This should really be under Services because it's a service running on the Firewalla alongside other stuff like DNS, NTP, and RADIUS, and it would be nice to be able to apply it to specific devices rather than anything on the entire subnet.  In my case I only want Home Assistant to be able to mess with the UPnP stuff, not anyone on the network.

Finally, is there any documentation for how some of the entities that are exposed work?  My main motivation for wanting to play with it are to detect failover to the secondary WAN (see the post above), but there's only a generic "WAN status" with a boolean value, I can't tell whether the primary and/or secondary are up or down.