USG 110 - How to create an IP Blacklist?

USG_User
USG_User Posts: 374  Master Member
edited January 2022 in Security
Just experiencing a lot of USG Alert Logs containing "abnormal TCP traffic detected", which often originate from the same external internet IP addresses.

No.  Date/Time           Source                 Destination           
      Priority            Category               Note                 
      Message
 1    2022-01-31 02:27:34 119.1.169.252:48336 ***.***.***.***                                  
      alert               secure-policy          ACCESS BLOCK                                   
      abnormal tcp traffic detected, destination port is zero, DROP

USG is working fine and drops these attempts. But we are annoyed by the permanent alert log warnings. We don't want to switch off these "abnormal TCP traffic warnings", but would like to maintain an IP blacklist to let USG directly drop any traffic attempt from these external IPs.
Unfortunately I always have to create a new "service" containing the IP address, followed by adding this service to a service group "blacklist" which is addressed in Security Policy for dropping.
Is there a better way to maintain an IP blacklist, preferably adding these non-consecutive IPs to a simple list?

All Replies

  • Zyxel_Tobias
    Zyxel_Tobias Posts: 200  Zyxel Employee
    Hi @USG_User,

    Currently, your way of handling this looks like the only way. It's a mix between still getting informed about such logs (or disabling the default log level here) or manual maintenance of the blacklisted group.

    As long as this is coming to the Firewall Module and not to some UTM module, I don't see adjustment possibilities here.

    Please post it into the Idea Section in case you may want to add this into some UTM features as Auto-detection in the future.

    https://community.zyxel.com/en/categories/security-ideas

    Thanks.

    Tobias
  • USG_User
    USG_User Posts: 374  Master Member
    Thanks Tobias, already assumed that there is no simpler solution available.
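Since the blacklist group has to be maintained by hand, it helps to know which sources actually recur before creating objects for them. The following is an added example, not part of the original thread and not Zyxel code: it parses a plain-text log export in the wrapped three-line layout shown in the question and ranks the source IPs of "abnormal tcp traffic detected" records. The function names and the sample log are constructed for illustration, and the export layout is assumed to match the excerpt above.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample in the wrapped layout of the excerpt above (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
 1    2022-01-31 02:27:34 198.51.100.7:48336 ***.***.***.***
      alert               secure-policy          ACCESS BLOCK
      abnormal tcp traffic detected, destination port is zero, DROP
 2    2022-01-31 02:31:10 203.0.113.9:51512 ***.***.***.***
      alert               secure-policy          ACCESS BLOCK
      abnormal tcp traffic detected, destination port is zero, DROP
 3    2022-01-31 03:02:41 198.51.100.7:40022 ***.***.***.***
      alert               secure-policy          ACCESS BLOCK
      abnormal tcp traffic detected, destination port is zero, DROP
 4    2022-01-31 03:05:00 192.0.2.44:51000 ***.***.***.***
      notice              constructed-category   CONSTRUCTED NOTE
      constructed unrelated message
"""

# Record header line: No., date, time, then the source IP with an optional :port.
HEAD = re.compile(r"^\s*\d+\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+([0-9.]+)(?::\d+)?\s")

def records(text):
    """Return [source_ip, joined continuation lines] for each wrapped record."""
    out = []
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            out.append([m.group(1), ""])
        elif out and line.strip():
            out[-1][1] += " " + line.strip()
    return out

def repeat_sources(text, min_hits=2):
    """Rank source IPs of 'abnormal tcp traffic' records seen at least min_hits times."""
    hits = Counter()
    for src, body in records(text):
        if "abnormal tcp traffic detected" in body.lower():
            try:
                hits[str(ip_address(src))] += 1
            except ValueError:
                pass  # source field is not a valid IP address, skip the record
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(ip, n) for ip, n in ranked if n >= min_hits]

if __name__ == "__main__":
    print(repeat_sources(SAMPLE_LOG))
```

Raising `min_hits` keeps one-off sources out of the list, so only addresses that keep coming back end up in the manually maintained group.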
