u/lokimon23

[Help] Active Protect blocking benign destinations on Ineligible device — no toggle to disable

I have a server that Firewalla has marked as "Ineligible" for Active Protect because the host uses my internal AD server as its DNS resolver instead of Firewalla. The AD server forwards external lookups to Firewalla, so DNS still ultimately flows through Firewalla — but the client points at AD so it can resolve internal records.

The issue: even though Active Protect shows "Status: Ineligible" on the device page with no toggle, it is still actively blocking outbound flows from this host. Every blocked flow's detail page says "Feature Matched: Device Active Protect." Destinations being blocked include:

  • The vendor's official update server (blocked on its scheduled update check, every couple hours)
  • github.com and *.githubusercontent.com
  • Several common container registries
  • *.pool.ntp.org (NTP time sync)
  • 1.1.1.1:443

None of these are threats. Confirmed via tcpdump on the host that the SYN goes out clean and a spoofed RST comes back ~1.8ms later, which matches Firewalla's flow-blocking method.

This has been going on chronically — the History tab shows blocks at regular intervals across the entire day. I only noticed because the server started emailing me about failed automated tasks that depend on these destinations.

Questions:

  1. Is there any way to disable Active Protect's flow blocking on an Ineligible device? The "no toggle when Ineligible" UX seems wrong — the user has clearly made a deliberate DNS choice, and there should still be a way to opt out of flow inspection.
  2. Why is Active Protect's threat intel flagging destinations like a vendor update server, github.com, and NTP pool in the first place? Is there a category-based block (Cloud / CDN / Public DNS / etc.) catching these that I'm not seeing exposed in the UI?
  3. Will scoped Allow rules (domain-based, scoped to this device) override Active Protect blocks, or is there a precedence issue?
  4. Is "switch the host's DNS to Firewalla to regain Eligibility" really the only supported path? I'd rather not give up internal name resolution on the server.

Setup: Firewalla Gold, firmware 1.982.

Happy to share screenshots or packet captures if helpful.

u/lokimon23 — 1 day ago
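The tcpdump check described in the post (SYN out, forged RST back within a couple of milliseconds), written up as an added example that is not from the post or from Firewalla: it reads tcpdump text lines for one client, pairs each outbound SYN with the first reply, and flags a bare RST that arrives faster than any real remote peer could answer. The capture below is constructed, 203.0.113.x and 198.51.100.x are documentation addresses standing in for real servers, and `fast_rst_ms` is an assumed threshold the operator sets from the known RTT to the destinations.

```python
import re
from collections import defaultdict

# Constructed sample capture (not from the post). 203.0.113.x and 198.51.100.x are
# documentation ranges used as stand-ins for real update/registry servers.
SAMPLE = """\
10:15:01.000100 IP 10.0.0.5.51234 > 1.1.1.1.443: Flags [S], seq 1, win 64240, length 0
10:15:01.001900 IP 1.1.1.1.443 > 10.0.0.5.51234: Flags [R.], seq 0, ack 2, win 0, length 0
10:15:02.000000 IP 10.0.0.5.51235 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
10:15:02.012000 IP 203.0.113.10.443 > 10.0.0.5.51235: Flags [S.], seq 7, ack 2, win 65535, length 0
10:15:03.000000 IP 10.0.0.5.51236 > 198.51.100.20.80: Flags [S], seq 1, win 64240, length 0
10:15:03.041000 IP 198.51.100.20.80 > 10.0.0.5.51236: Flags [R.], seq 0, ack 2, win 0, length 0
""".splitlines()

LINE_RE = re.compile(  # default tcpdump text for an IPv4 TCP segment
    r"^(\d\d):(\d\d):(\d\d\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def classify_flows(lines, client_ip, fast_rst_ms=5.0):
    # fast_rst_ms is the operator's floor for a believable RTT to these peers (assumed value).
    # A bare RST with no SYN-ACK before it, arriving below that floor, was forged on the path.
    flows = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        h, mi, s, src, sport, dst, dport, flags = m.groups()
        ts = int(h) * 3600 + int(mi) * 60 + float(s)
        key = (src, sport, dst, dport) if src == client_ip else (dst, dport, src, sport)
        flows[key].append((ts, src, flags))
    verdicts = {}
    for (cip, _cport, sip, sport), pkts in flows.items():
        pkts.sort()
        syn = next((ts for ts, src, f in pkts if src == cip and f == "S"), None)
        if syn is None:
            continue
        reply = next(((ts, f) for ts, src, f in pkts if src == sip and ts >= syn), None)
        dest = f"{sip}:{sport}"
        if reply is None:
            verdicts[dest] = "no reply"
            continue
        delay = (reply[0] - syn) * 1000.0
        if "S" in reply[1]:
            verdicts[dest] = "handshake completed"
        elif "R" in reply[1]:
            kind = "suspected injected RST" if delay < fast_rst_ms else "RST from peer"
            verdicts[dest] = f"{kind} ({delay:.1f} ms)"
        else:
            verdicts[dest] = "other reply"
    return verdicts
```

Run it over `tcpdump -nn -tt`-style output captured on the host (the parser expects the default `HH:MM:SS.ffffff` timestamps shown above) to get one verdict per destination, which is the list to compare against the History tab.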