firewalla scan feature

Follow

ridwan

• April 20, 2026 04:08
• Edited

is the scan feature in firewalla really aggressive?

i watch log on my database, firewalla ip address xxx tries to login using generic users to my database from one sample it was 1737 times a minute.
rotating only these users:

2026-04-11  9:14:27 133185 [Warning] Access denied for user 'root'@'xxx' (using password: YES)
2026-04-11  9:14:27 133184 [Warning] Access denied for user 'admin'@'xxx' (using password: YES)
2026-04-11  9:14:27 133186 [Warning] Access denied for user 'administrator'@'xxx' (using password: YES)
2026-04-11  9:14:27 133187 [Warning] Access denied for user 'webadmin'@'xxx' (using password: YES)
2026-04-11  9:14:27 133188 [Warning] Access denied for user 'sysadmin'@'xxx' (using password: YES)
2026-04-11  9:14:27 133193 [Warning] Access denied for user 'test'@'xxx' (using password: YES)
2026-04-11  9:14:27 133190 [Warning] Access denied for user 'guest'@'xxx' (using password: YES)
2026-04-11  9:14:27 133191 [Warning] Access denied for user 'user'@'xxx' (using password: YES)
2026-04-11  9:14:27 133192 [Warning] Access denied for user 'web'@'xxx' (using password: YES)
2026-04-11  9:14:27 133189 [Warning] Access denied for user 'netadmin'@'xxx' (using password: YES)
2026-04-11  9:14:27 133198 [Warning] Access denied for user 'admin'@'xxx' (using password: NO)
2026-04-11  9:14:27 133195 [Warning] Access denied for user 'webadmin'@'xxx' (using password: NO)

and so on
i still want to turn on the scan mode since it useful to check my devices, but can we turn the aggresiveness, or on the device already checked, it will stop for a day, start check it again the next day?

0

• 

  FirewallaSupportDesk

  • April 20, 2026 04:23

  Are you using System Vulnerability Scan? This Scan can be scheduled once a week at your chosen time. 

  0

  Comment actions Permalink
• 

  ridwan

  • April 20, 2026 04:31

  yes, i turn the automatic scan on, every saturday at zero hour.

  but my database log says differ, is it a rouge bruteforce attempt or from firewalla itself?
  since i didn't open the port from public ip address. 

  0

  Comment actions Permalink
• 

  Firewalla

  • April 20, 2026 16:16

  A vulnerability scan is performed on your LAN, not your WAN. Explained here https://help.firewalla.com/hc/en-us/articles/115004274513-Firewalla-Feature-Guide-Scan#h_01HTZXFV73HTYH26S1JZVDC00P

  Yes, it will try many different type of passwords etc ..

   

  0

  Comment actions Permalink
• 

  ridwan

  • April 28, 2026 03:39

  yes i know that,  the problem is not the vulnerability scan itself, i want it to run periodically. it just according to my database log, the lan ip address of firewalla continue to try to login, over one thousand attempts a minute, continuously looping.

  0

  Comment actions Permalink
• 

  Firewalla

  • April 28, 2026 03:47

  All the tests in the scan are different; the system is not repeating stuff for sure. If you see the same user, then likely it is tryiing different credentials 

  0

  Comment actions Permalink
• 

  ridwan

  • April 29, 2026 03:10

  yes it seems after monitoring for a whole week, the schedule run just as scheduled, at 7 am gmt+7, and it run 100657 tries on 1 database server, so is it normal? i just surprised of the combination of the checking.
  thank you for the support.

  0

  Comment actions Permalink
• 

  Firewalla

  • April 29, 2026 16:06

  There is some type of adaptation when scanning, if your scan never stops then let us know, it can be a bug. If it eventually stops, then should be just 'normal'

  If the scan is too expensive for your server (taking CPU, too much logs) you can always exclude the server from scan

  0

  Comment actions Permalink

Please sign in to leave a comment.