Where to disable alert log for: "abnormal TCP traffic detected"


All Replies

  • USG_User
    USG_User Posts: 374  Master Member
    Hi Tobias,
    Hope your colleagues are back on track this week and could take a look, since these "destination port zero" abnormal TCP traffic alert logs are annoying. Between these "destination port zero" packets we are also receiving "source port zero" warnings. They are also being dropped, but the alert log by email is sent out as well.

  • Emerald
    Emerald Posts: 36  Freshman Member
    Hi there,
    Anything come of this?
    I have this exact same issue on a ZyWALL 310.

    Model Name: ZyWALL 310

    I'm getting the below 30-40 times a day:

    No.  Date/Time            Source          Destination  Priority  Category       Note          Message
    1    2022-02-08 16:38:26  x.x.x.x:23702   x.x.x.x      alert     secure-policy  ACCESS BLOCK  abnormal tcp traffic detected, destination port is zero, DROP



    Thanks in advance

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,379  Zyxel Employee
    Hi @USG_User @Emerald

    Port zero shouldn't exist in a real network environment, so it means your device received unsafe traffic. So the system blocks the traffic and logs it.
    We have planned to change the log level to "debug level" in the future; then the system will not notify of this attack as an alert.
  • USG_User
    USG_User Posts: 374  Master Member
    edited February 2022
    Thanks Stanley,
    It's indisputable that this kind of traffic is unsafe. Further, the USG drops these packets as expected. All is fine in this connection.

    Only the way the USG is reporting it is confusing. Here I wouldn't go so far as changing the log level to "debug". From my point of view this kind of traffic belongs to "Anomaly Detection and Prevention" (ADP), and any log or alert log handling should be controlled via the ADP log settings. This is my first note.

    Since this (log settings) is presently not working, I've added an additional Security Policy Rule for the suspicious IP where the "port zero" packets mostly originated from. This rule should drop any packets from this IP without logging (meaning without normal or alert log). But it also doesn't work. The USG is still sending alert logs out. Why? This is my second note in this regard.

    It seems the processing of such bloody packets takes place even before the security policy handling, doesn't it?
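Since the thread finds no on-box setting that silences these alerts without also silencing other ADP events, one place a practitioner can still triage them is downstream, wherever the exported log or alert email lands. The script below is an added example, not Zyxel code and not code from any poster in this thread. It assumes the alert log has been exported one record per line in the column order of the table posted above (date/time, source, destination, priority, category, note, message); the sample records and the addresses in them are constructed for this example. It separates "port is zero" alerts from everything else, counts them per source IP and per kind (source vs. destination port), and also shows the underlying check that makes such a packet abnormal: the two 16-bit port fields at the start of a TCP header, either of which being zero is what the firewall's message describes.

```python
"""Offline triage of "abnormal tcp traffic detected" alerts.

Added example; not Zyxel code and not code from any poster in the thread.
Assumptions: records are exported one per line in the column order of the
posted table (date/time, source, destination, priority, category, note,
message). SAMPLE_LOG is constructed for this example, not a real export.
"""
import re
import struct
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample records (addresses from the RFC 5737 documentation ranges).
SAMPLE_LOG = [
    "2022-02-08 16:38:26 203.0.113.10:23702 198.51.100.5 alert secure-policy "
    "ACCESS BLOCK abnormal tcp traffic detected, destination port is zero, DROP",
    "2022-02-08 16:40:01 203.0.113.10:0 198.51.100.5 alert secure-policy "
    "ACCESS BLOCK abnormal tcp traffic detected, source port is zero, DROP",
    "2022-02-08 16:41:13 203.0.113.77:51234 198.51.100.5 alert secure-policy "
    "ACCESS BLOCK abnormal tcp traffic detected, destination port is zero, DROP",
    "2022-02-08 16:42:00 203.0.113.20:44321 198.51.100.5:22 alert secure-policy "
    "ACCESS BLOCK some other blocked connection, DROP",  # constructed non-port-zero record
    "not a log record at all",
]

# Field layout assumed for the exported line; destination port is optional,
# matching the posted record where only the source carried a port.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s+"
    r"(?P<prio>\w+)\s+(?P<cat>[\w-]+)\s+(?P<note>ACCESS \w+)\s+"
    r"(?P<msg>.+)$"
)
# The two message variants the thread mentions: destination port zero and source port zero.
PORT_ZERO_RE = re.compile(
    r"abnormal tcp traffic detected, (source|destination) port is zero", re.IGNORECASE
)


@dataclass
class Entry:
    ts: str
    src: str
    sport: int
    dst: str
    dport: Optional[int]
    prio: str
    cat: str
    note: str
    msg: str


def parse_log_line(line: str) -> Optional[Entry]:
    """Parse one exported record; return None for lines that do not fit the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return Entry(d["ts"], d["src"], int(d["sport"]), d["dst"],
                 int(d["dport"]) if d["dport"] else None,
                 d["prio"], d["cat"], d["note"], d["msg"])


def port_zero_kind(entry: Entry) -> Optional[str]:
    """'source' or 'destination' for a port-zero alert, None for any other message."""
    m = PORT_ZERO_RE.search(entry.msg)
    return m.group(1).lower() if m else None


def triage(lines: List[str]) -> Tuple[List[Entry], Counter, Counter]:
    """Split records into (kept non-port-zero entries, counts per source IP, counts per kind)."""
    kept: List[Entry] = []
    by_src: Counter = Counter()
    by_kind: Counter = Counter()
    for line in lines:
        e = parse_log_line(line)
        if e is None:
            continue  # unparseable line: skip rather than guess
        kind = port_zero_kind(e)
        if kind is None:
            kept.append(e)
        else:
            by_src[e.src] += 1
            by_kind[kind] += 1
    return kept, by_src, by_kind


def build_tcp_header(sport: int, dport: int) -> bytes:
    """Minimal 20-byte TCP header (no options); seq/ack/window/checksum are placeholders."""
    data_offset = 5 << 4  # 5 x 32-bit words, no options
    flags = 0x02          # SYN
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 65535, 0, 0)


def is_port_zero_segment(segment: bytes) -> bool:
    """True if either 16-bit port field of a TCP header is zero, i.e. the anomaly being logged."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack("!HH", segment[:4])
    return sport == 0 or dport == 0


if __name__ == "__main__":
    kept, by_src, by_kind = triage(SAMPLE_LOG)
    print(f"kept {len(kept)} non-port-zero record(s); port-zero by kind: {dict(by_kind)}")
    for ip, n in by_src.most_common():
        print(f"  {ip}: {n} port-zero alert(s)")
```

The per-source counts give the same picture USG_User describes (most hits from one IP) without having to read every email, and the `kept` list is what would be forwarded on if the port-zero records are filtered out at the collector; the firewall itself still drops the packets either way.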
