USG 110 - How to create an IP Blacklist?

USG_User Posts: 369  Master Member
edited January 2022 in Security
We are just experiencing a lot of USG alert logs containing "abnormal TCP traffic detected", which often originate from the same external internet IP addresses.

No.  Date/Time           Source                 Destination           
      Priority            Category               Note                 
 1    2022-01-31 02:27:34 ***.***.***.***                                  
      alert               secure-policy          ACCESS BLOCK                                   
      abnormal tcp traffic detected, destination port is zero, DROP

USG is working fine and drops these attempts. But we are annoyed by the permanent alert log warnings. We don't want to switch off these "abnormal TCP traffic warnings", but would like to maintain an IP blacklist to let USG directly drop any traffic attempt from these external IPs.
Unfortunately, I always have to create a new "service" containing the IP address, followed by adding this service to a service group "blacklist" which is addressed in Security Policy for dropping.
Is there a better way to maintain an IP blacklist, preferably adding these non-consecutive IPs to a simple list?

All Replies

  • Zyxel_Tobias
    Zyxel_Tobias Posts: 200  Zyxel Employee
    Hi @USG_User,

    Currently, your way of handling this looks like the only way. It's a mix between still getting informed about such logs (or disabling the default log level here) and manual maintenance of the blacklisted group.

    As long as this is coming to the Firewall Module and not to some UTM module, I don't see adjustment possibilities here.

    Please post it into the Idea Section in case you may want to add this into some UTM features as Auto-detection in the future.


  • USG_User
    USG_User Posts: 369  Master Member
    Thanks Tobias, already assumed that there is no simpler solution available.
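
For the manual list maintenance discussed in this thread, an added example (not part of the original posts and not Zyxel code) that tallies repeat sources of the "abnormal tcp traffic detected" alert from a log export, so only recurring addresses are considered for the blacklist group. It assumes the three-line record layout shown in the question and a bare IP in the Source column; the function name and all sample addresses are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the layout of the log excerpt in the question;
# addresses come from the RFC 5737 documentation ranges, not real sources.
SAMPLE_LOG = """\
No.  Date/Time           Source                 Destination
      Priority            Category               Note
 1    2022-01-31 02:27:34 203.0.113.7            192.0.2.1
      alert               secure-policy          ACCESS BLOCK
      abnormal tcp traffic detected, destination port is zero, DROP
 2    2022-01-31 02:29:10 198.51.100.23          192.0.2.1
      alert               secure-policy          ACCESS BLOCK
      abnormal tcp traffic detected, destination port is zero, DROP
 3    2022-01-31 02:31:02 203.0.113.7            192.0.2.1
      alert               secure-policy          ACCESS BLOCK
      abnormal tcp traffic detected, destination port is zero, DROP
 4    2022-01-31 02:40:00 203.0.113.99           192.0.2.1
      notice              secure-policy          ACCESS FORWARD
      Match default rule, FORWARD
 5    2022-01-31 02:41:15 ***.***.***.***
      alert               secure-policy          ACCESS BLOCK
      abnormal tcp traffic detected, destination port is zero, DROP
"""

# First line of a record: number, timestamp, then the Source column.
RECORD_START = re.compile(r"^\s*\d+\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+(\S+)")
MARKER = "abnormal tcp traffic detected"

def repeat_sources(log_text, min_hits=2):
    """Return {ip: hits} for sources with at least min_hits matching alerts."""
    hits = Counter()
    source = None
    for line in log_text.splitlines():
        m = RECORD_START.match(line)
        if m:
            source = m.group(1)           # remember source for the note lines
        elif source and MARKER in line.lower():
            try:
                hits[str(ipaddress.ip_address(source))] += 1
            except ValueError:
                pass                      # masked or malformed source, skip
            source = None                 # count each record at most once
    return {ip: n for ip, n in sorted(hits.items()) if n >= min_hits}

if __name__ == "__main__":
    for ip, n in repeat_sources(SAMPLE_LOG).items():
        print(f"{ip}\t{n}")
```
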
