ATP500 log (IKE and failed login)
Recently I was checking the log of my ATP500 and I have seen a sequence of rows concerning some events of the IKE user. As I do not have any user named IKE, I would like to know what these logs are.
(see image below)
At the same time I have seen a sequence of failed login attempts, all from the same IP address.
Of course it is a malicious attack, but I wonder why the event repeats so often (more than one time per second) and so many times; I thought the Zyxel would "black list" the IP and ignore this IP after a few attempts. Why is this not happening? Thanks in advance.
Filippo
All Replies
Hi @xkp68
The IKE means the category name of the logs, not a user name.
Additionally, the “NO_PROPOSAL_CHOSEN” log message means VPN phase 1 or phase 2 is mismatched, leading to the VPN connection not being established; you need to check whether the VPN encryption and authentication algorithms are the same on both sites.
In your case, the Zyxel device won't block a specific IP address actively, unless the UTM feature detects it's an attack and blocks this session.
You can set a security policy to block this IP address, please refer to the below:
Create an IP address object.
Set a security policy to block sessions from this IP address.
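As an added example (not Zyxel code and not the ATP500's own export format), the script below shows the triage a defender would do on a log export like the one described in this thread: it flags source IPs that produce a burst of failed logins within a short window, and lists IPs that appear in IKE-category entries but are not known VPN peers. The log layout, the sample lines, the IP addresses and the `expected_peers` set are all constructed for the example; the regex must be adapted to the real export.

```python
"""Triage of firewall log lines for login-failure bursts and unexpected IKE peers.

Added example, not Zyxel code. The log layout below is a constructed,
simplified syslog-like format (timestamp, category, source IP, message);
adapt LINE_RE to the real ATP500 export before use.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real ATP500 output). 203.0.113.45 plays the
# remote IP from the thread: IKE attempts with NO_PROPOSAL_CHOSEN followed by a
# burst of failed logins. 198.51.100.7 is a legitimate, expected VPN peer.
SAMPLE_LOG = """\
2024-05-01 10:00:00 IKE 203.0.113.45 NO_PROPOSAL_CHOSEN: phase 1 proposal mismatch
2024-05-01 10:00:01 IKE 203.0.113.45 NO_PROPOSAL_CHOSEN: phase 1 proposal mismatch
2024-05-01 10:00:05 IKE 198.51.100.7 IKE SA established
2024-05-01 10:02:00 user 203.0.113.45 Failed login attempt for user admin
2024-05-01 10:02:00 user 203.0.113.45 Failed login attempt for user admin
2024-05-01 10:02:01 user 203.0.113.45 Failed login attempt for user root
2024-05-01 10:02:01 user 203.0.113.45 Failed login attempt for user admin
2024-05-01 10:02:02 user 203.0.113.45 Failed login attempt for user admin
2024-05-01 10:30:00 user 192.0.2.10 Failed login attempt for user filippo
2024-05-01 10:30:10 user 192.0.2.10 User filippo logged in
"""

# One line = "<YYYY-MM-DD HH:MM:SS> <category> <IPv4 source> <message>" (constructed format).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<category>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<msg>.*)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "category": m["category"],
            "src": m["src"],
            "msg": m["msg"],
        })
    return events


def login_failure_bursts(events, threshold=5, window_seconds=10):
    """Return {src_ip: time_first_flagged} for IPs with >= threshold failed logins
    inside any sliding window of window_seconds. Events must be in time order."""
    recent = defaultdict(deque)  # per-IP timestamps of recent failures
    flagged = {}
    window = timedelta(seconds=window_seconds)
    for ev in events:
        if "Failed login" not in ev["msg"]:
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in flagged:
            flagged[ev["src"]] = ev["ts"]
    return flagged


def unexpected_ike_peers(events, expected_peers):
    """Return sorted source IPs that produced IKE-category entries but are not in expected_peers.
    A site with only SSL VPN would pass an empty set and expect every IKE peer to be listed."""
    return sorted({ev["src"] for ev in events
                   if ev["category"] == "IKE" and ev["src"] not in expected_peers})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, when in login_failure_bursts(evs).items():
        print(f"login-failure burst from {ip}, first flagged at {when}")
    for ip in unexpected_ike_peers(evs, expected_peers={"198.51.100.7"}):
        print(f"IKE traffic from unexpected peer {ip}")
```

The output of `login_failure_bursts` is the list of addresses you would turn into address objects and a blocking security policy, as the reply above describes; `unexpected_ike_peers` answers the question of whether an IKE entry is from a configured tunnel partner or from a stranger probing the IPsec service.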
Thanks for the reply.
1) My main concern was about the fact that I have no users outside my country and I see these "info" logs from the USA (I'm not in the USA). As the logs are in the info category it is not clear to me if there is an intrusion or not. Moreover my only VPN is an SSL VPN and till now I have never seen any IKE log message.
Of course the IP of the malicious attack is the same for a few minutes, then it changes, so I cannot add a policy by hand every time.
Does my ATP500 have the UTM feature?
Is it normal to have all those malicious attacks on the firewall? Consider that FTP and SSH are blocked toward the Zyxel device, it is possible to manage it only from inside my LAN, and I have MFA enabled for its administration. Is there anything else I can do to prevent these attacks?
Thanks.
Hi @xkp68
(1).
It seems that there is a USA IP trying to establish an IPsec VPN tunnel to your ATP500, but it failed due to “No_Proposal_Chosen”. If you are concerned about this, you can block this IP.
(2).
ATP500 has UTM features and you can enable them.
To avoid intrusion attacks, you can enable the ADP and IDP features on your ATP500.
You could refer to this introduction:
https://www.zyxel.com/us/en/products_services/ATP-Firewall-ZyWALL-ATP500/
https://www.zyxel.com/us/en/products_services/ATP-Firewall-ZyWALL-ATP500/license-and-spec