Firewalla Gold info
TL;DR - the Firewalla Gold is pretty flexible; it's not very plug-and-play, and getting it working well with Fingbox involves jumping through some hoops - although it seems that one can get it to mimic the unknown-device join-blocking functionality of FB on its own at least. However, it does appear to rely on a Firewalla backend service for security features to function.
It's probably worth stating that my ideal scenario when I purchased the FWG was if it played nicely with my Fingbox. It seems the two devices have some overlap in functionality yet each is designed to do things the other doesn't.
As those on the outage thread may recall I purchased the FWG in a rush of nerdish adrenaline when @Bzglwrtz forwarded a link to the device. I knew going in I'd probably need to run the FWG in router mode rather than their simple mode where it functions like a Firewalla Blue or Red and uses ARP spoofing similar to Fingbox. As outlined on this community here https://help.fing.com/knowledge-base/firewall-compatibility/ there is a way to get FWB/R and FB devices working together but it results in falling back to the FW intrusion detection behavior of notification of any new device joining your network rather than the blocking by default and asking for access permission that FB does. I much prefer the latter functionality.
The open questions then were as follows:
1. Could router mode allow me to have FB work as it does now?
2. How much of a headache would it be integrating FWG into my network topology?
3. Perhaps most importantly, given the uptime challenges we've all been facing recently, was the FWG reliant upon a front/backend connection to some Firewalla service such that, when that service is down/unreachable/overloaded (as any distributed infrastructure experiences from time to time), all the security features would go kaput?
Before setting it up today I read a few reviews. This one https://dongknows.com/firewalla-gold-review/ was interesting for a couple of reasons. For the reviewer, the router setup was too complex and he fell back to simple mode - from my trawling of Firewalla's community site this doesn't match the generally held opinion which is that the router is great. Secondly, he does outline the need for a connection between the Firewalla device and a Firewalla backend. His observations are rooted in privacy concerns and he provides a link to Firewalla's comments on their policy and what is stored/communicated - I believe, however, this is a statement for FWB/R not FWG. More on this later.
I posted some questions to the Firewalla community and got some responses from a Firewalla representative.
Here's the thread you all may find interesting.
My main takeaways from this are:
I will need to use the FWG in full router or DHCP mapping mode - which is subtly different from that on FWB/R but still essentially sets the FWG up to serve DHCP addresses. See https://help.firewalla.com/hc/en-us/articles/115004304114-Everything-about-Firewalla-DHCP-Mode- and note that the FWG, unlike B/R, puts the device on the same subnet as the network you're plugging into, rather than an overlaid subnet.
Regardless, if I get either mode above working I can still use Fingbox as is.
You can jump through some hoops and perhaps get default unknown device blocking functionality by quarantining some or all of your network. TBD how this works vs. Fingbox.
Lastly, although not 100% confirmed, my current takeaway from this thread, and some subsequent private back and forth with the FW help desk, is that there appears to be a theoretical single point of failure for at least some security functionality if the FW cloud infrastructure suffers downtime/issues. The 'don't worry about it - servers just always work nowadays' comment made me smile!
Apologies for the wall of text. I hope some of you find this helpful and I'll update this thread if people are still interested if I get more clarity on the FW backend connection and how it works in practice once I've figured out where in the network topology to insert the FWG - at the root, in front of everything else, seems most appropriate but for me this means fiddling about in an outside cupboard and reorganizing a whole bunch of PoE switches, routers and modems. <sigh>