Firewall - Match default rule

follet

Hello. After solving the issue with UDP flooding, I see firewall logs:

Firewall - Match default rule, DROP - access block

See screenshot:

So, What does it mean? I use rules double times? I am happy, that these packages have been dropped, but it would be great if you explain to me whether it is good or not...

Zyxel_Jeff

Hi @follet

Those logs were generated by the last security policy(default rule). Just as smb_corp_user mentioned that it means those IPs didn't hit your existing policies but hit the default rule then the firewall dropped it. The purpose of the default rule is to avoid suspicious IPs trying to access your device or network.


 If you think those logs are too many and too often occur on the Monitor logs even impacting the readability of the Monitor log, you could choose don't appear default rule logs, as below:


Thanks.

smb_corp_user

As long as the source IP addresses are not allowed access to your network, you should edit the FW rule and select "Do Not Log" for these dropped packages. Dropped packages is usually traffic you do not allow (noise and random sniffing attacks), so all those entries are useless in your logs (unless you have more than enough time to read these logs).

Zyxel_Jeff

Hi @follet

Those logs were generated by the last security policy(default rule). Just as smb_corp_user mentioned that it means those IPs didn't hit your existing policies but hit the default rule then the firewall dropped it. The purpose of the default rule is to avoid suspicious IPs trying to access your device or network.


 If you think those logs are too many and too often occur on the Monitor logs even impacting the readability of the Monitor log, you could choose don't appear default rule logs, as below:


Thanks.