ADP detections from subnet but source is WAN?

Ensto
Ensto Posts: 20  Freshman Member
First Comment Friend Collector Second Anniversary
edited July 2021 in Security
Hi.

So I recently added some ADP profiles on my USG20W-VPN for monitoring my internal subnet traffic from LAN to ANY beside the default ADP profile from WAN traffic. And it didn't take long before the first scan detection warning appeared (Rule_id=3 from LAN2 to Any, [type=Scan-Detection(28)] tcp portsweep Action: Drop Packet). But the source IP is a public IP adress and destination is my iPhone. I don't get it, how is this traffic route possible from an internal subnet?

Accepted Solution

  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee
    25 Answers First Comment Friend Collector
    Answer ✓
    Hi @Ensto,

    In that log message it writes from LAN1 because the session of that packet initiated from LAN1's client(192.168.1.34), targetting to public IP address.

    But the packet was replied from public IP address's port 443, targetting to LAN1's port 5783.

    That packet was flagged from ADP engine as malicious so ACCESS BLOCKed.

All Replies

  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee
    25 Answers First Comment Friend Collector

    Hi @Ensto,

    Please share some information with us for better understanding:

    Do you mean you scanned your UGS20W-VPN's ports using a software?

    In your message you said the source IP is the public IP address of your iPhone. 
    Did you scan your USG20W-VPN's ports with your iPhone?

    If these are not true, can you please describe the symptom in more details? How did the ADP triggered?


  • Ensto
    Ensto Posts: 20  Freshman Member
    First Comment Friend Collector Second Anniversary
    edited August 2021
    Zyxel_Can said:

    Hi @Ensto,

    Please share some information with us for better understanding:

    Do you mean you scanned your UGS20W-VPN's ports using a software?

    In your message you said the source IP is the public IP address of your iPhone. 
    Did you scan your USG20W-VPN's ports with your iPhone?

    If these are not true, can you please describe the symptom in more details? How did the ADP triggered?



    To clarify I did not scan my USG, just random browsing. When I added the ADP profiles in my USG to check traffic inside my internal LAN's the detections started to appear. But it seems very random. I have highlighted the detection log (number 10) in ''RED'' which I don't understand and how the traffic route can apply to the rule ''from LAN1 to ANY''.


  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee
    25 Answers First Comment Friend Collector
    Answer ✓
    Hi @Ensto,

    In that log message it writes from LAN1 because the session of that packet initiated from LAN1's client(192.168.1.34), targetting to public IP address.

    But the packet was replied from public IP address's port 443, targetting to LAN1's port 5783.

    That packet was flagged from ADP engine as malicious so ACCESS BLOCKed.

Security Highlight