ADP detections from subnet but source is WAN?
So I recently added some ADP profiles on my USG20W-VPN for monitoring my internal subnet traffic from LAN to ANY, besides the default ADP profile for WAN traffic. And it didn't take long before the first scan detection warning appeared (Rule_id=3 from LAN2 to Any, [type=Scan-Detection(28)] tcp portsweep Action: Drop Packet). But the source IP is a public IP address and the destination is my iPhone. I don't get it, how is this traffic route possible from an internal subnet?
Accepted Solution
Hi @Ensto,
In that log message it writes from LAN1 because the session of that packet was initiated from LAN1's client (192.168.1.34), targeting a public IP address.
But the packet was replied from the public IP address's port 443, targeting LAN1's port 5783.
That packet was flagged by the ADP engine as malicious, so ACCESS BLOCKed.
0
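A triage helper for the situation the accepted solution describes, added here as an example (not code from the thread or from Zyxel): it labels each detection by the direction of the flagged packet, so replies to LAN-initiated sessions stand out from traffic a LAN host actually sourced. The event field names and the address 203.0.113.10 are assumptions; only 192.168.1.34 and ports 443 and 5783 come from the thread.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 ranges, checked explicitly because ipaddress.is_private also
# covers documentation ranges such as 203.0.113.0/24 used below.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_lan(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def classify(ev):
    """Label one detection by the direction of the flagged packet."""
    src_lan, dst_lan = is_lan(ev["src"]), is_lan(ev["dst"])
    if src_lan and not dst_lan:
        return "lan-client-outbound"
    if not src_lan and dst_lan:
        # Service port -> high client port is the shape of a server reply
        # inside a session the LAN client opened (the case in this thread).
        if ev["sport"] < 1024 <= ev["dport"]:
            return "reply-to-lan-session"
        return "public-source-other"
    return "internal" if src_lan else "transit"

def reply_summary(events):
    """Per (LAN client, server, service port): the client ports replied to."""
    out = defaultdict(set)
    for ev in events:
        if classify(ev) == "reply-to-lan-session":
            out[(ev["dst"], ev["src"], ev["sport"])].add(ev["dport"])
    return {k: sorted(v) for k, v in out.items()}

# Constructed events (hypothetical field names, not Zyxel's log format).
# 203.0.113.10 is a placeholder for the public server address.
EVENTS = [
    {"zone": "LAN1", "src": "203.0.113.10", "sport": 443, "dst": "192.168.1.34", "dport": 5783},
    {"zone": "LAN1", "src": "203.0.113.10", "sport": 443, "dst": "192.168.1.34", "dport": 5790},
    {"zone": "LAN1", "src": "192.168.1.50", "sport": 40000, "dst": "203.0.113.10", "dport": 22},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["zone"], ev["src"], "->", ev["dst"], classify(ev))
    print(reply_summary(EVENTS))
```

Entries labelled `reply-to-lan-session` are the ones where the rule's "from LAN" zone reflects who opened the session rather than who sent the flagged packet.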
All Replies
Hi @Ensto,
Please share some information with us for better understanding:
Do you mean you scanned your USG20W-VPN's ports using software?
In your message you said the source IP is the public IP address of your iPhone. Did you scan your USG20W-VPN's ports with your iPhone? If these are not true, can you please describe the symptom in more detail? How was the ADP triggered?
0
Zyxel_Can said:
Hi @Ensto,
Please share some information with us for better understanding:
Do you mean you scanned your USG20W-VPN's ports using software?
In your message you said the source IP is the public IP address of your iPhone. Did you scan your USG20W-VPN's ports with your iPhone? If these are not true, can you please describe the symptom in more detail? How was the ADP triggered?
To clarify, I did not scan my USG, just random browsing. When I added the ADP profiles in my USG to check traffic inside my internal LANs, the detections started to appear. But it seems very random. I have highlighted the detection log (number 10) in "RED", which I don't understand, and how the traffic route can apply to the rule "from LAN1 to ANY".
0