USG60W and flex 200 - V4.62 Insufficient privilege when disabling tcp-portscan from command line

danyedinak
edited April 2021 in Security
I have twenty routers to manage, so logging into the web GUI is a non-starter. I need command line functionality.

Just prior to PCI-DSS scans I need to temporarily disable the tcp-port scan to prevent it from being tripped by the scan (although, having whitelisted IPs would be better) and then re-enable after the scan is complete. From the command line (SSH from PuTTY in Windows or command line in Debian):
enable
configure terminal
idp anomaly ADP_PROFILE no scan-detection tcp-portscan activate
% Insufficient privilege

Same username CAN make the change via the web gui, which, again, does not help me solve this problem.

Comments

  • danyedinak
    Update - entering as a subcommand solves the problem. However, this is still a bug, or the help (when hitting tab) should be changed to remove the option there. There's also a secondary issue with the spelling of anomaly (it's spelled as anomlay).
    Router(config)# idp anomaly ADP_PROFILE
    Router(config-idp-anomlay-profile-ADP_PROFILE)# no scan-detection tcp-portscan activate

  • Zyxel_Can
    Hi @danyedinak,

    Thank you for your feedback.

    For the first issue, please refer to the CLI guide. It's normal behavior. Those commands need to be executed in sub-command mode.

    For the typo error, we will fix this in the upcoming releases. Please kindly wait for upcoming releases.

    Best regards
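
As an added illustration of the sub-command-mode rule from the update and from Zyxel_Can's reply, and not code from the thread or from Zyxel: a hypothetical Python helper that builds the command sequence in the order the CLI accepts it and pushes it to a fleet of routers over SSH, defaulting to a dry run. The re-enable form (the same command without `no`), the `write` save step, the hostnames and key-based SSH login are assumptions.

```python
import subprocess
from typing import List

TOGGLE = "scan-detection tcp-portscan activate"


def portscan_commands(profile: str, enable: bool, save: bool = True) -> List[str]:
    """Return the CLI lines, in order, for one device session.

    The thread shows 'no scan-detection tcp-portscan activate' is rejected at
    the config prompt and accepted inside the profile's sub-command mode, so
    'idp anomaly <profile>' is entered first. Re-enabling by dropping the
    leading 'no', and saving with 'write', are assumptions about the ZLD CLI.
    """
    cmds = [
        "enable",
        "configure terminal",
        f"idp anomaly {profile}",          # enter the profile's sub-command mode
        TOGGLE if enable else f"no {TOGGLE}",
        "exit",                            # back to config mode
    ]
    if save:
        cmds.append("write")               # assumed: persist the running config
    cmds.append("exit")
    return cmds


def run_on_device(host: str, user: str, cmds: List[str], dry_run: bool = True) -> int:
    """Feed the lines to an SSH session on stdin (key-based auth assumed); return exit status."""
    script = "\n".join(cmds) + "\n"
    if dry_run:
        print(f"--- {host} ---\n{script}")
        return 0
    proc = subprocess.run(["ssh", f"{user}@{host}"], input=script,
                          text=True, capture_output=True)
    if "Insufficient privilege" in proc.stdout:
        return 1                           # the exact failure the thread reports
    return proc.returncode


def toggle_fleet(hosts: List[str], user: str, enable: bool,
                 profile: str = "ADP_PROFILE", dry_run: bool = True) -> List[str]:
    """Apply one change to every router; return the hosts that failed so they can be retried."""
    return [h for h in hosts
            if run_on_device(h, user, portscan_commands(profile, enable), dry_run) != 0]


if __name__ == "__main__":
    # Constructed sample fleet; run with enable=False before the scan, enable=True after it.
    FLEET = ["fw-site1.example.net", "fw-site2.example.net"]
    print("failed:", toggle_fleet(FLEET, "admin", enable=False))
```

Run the post-scan pass with `enable=True` and check that the returned failure list is empty, so no router is left with detection switched off.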
