Firewall - Match default rule

Options
follet
follet Posts: 32  Freshman Member
First Anniversary 10 Comments Friend Collector
Hello. After solving the issue with UDP flooding, I see firewall logs:
Firewall - Match default rule, DROP - access block
See screenshot:

So, What does it mean? I use rules double times? I am happy, that these packages have been dropped, but it would be great if you explain to me whether it is good or not...

Accepted Solution

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,099  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options
    Hi @follet

    Those logs were generated by the last security policy(default rule). Just as smb_corp_user mentioned that it means those IPs didn't hit your existing policies but hit the default rule then the firewall dropped it. The purpose of the default rule is to avoid suspicious IPs trying to access your device or network.


     If you think those logs are too many and too often occur on the Monitor logs even impacting the readability of the Monitor log, you could choose don't appear default rule logs, as below:


    Thanks.

All Replies

  • smb_corp_user
    smb_corp_user Posts: 161  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    As long as the source IP addresses are not allowed access to your network, you should edit the FW rule and select "Do Not Log" for these dropped packages. Dropped packages is usually traffic you do not allow (noise and random sniffing attacks), so all those entries are useless in your logs (unless you have more than enough time to read these logs).
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,099  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options
    Hi @follet

    Those logs were generated by the last security policy(default rule). Just as smb_corp_user mentioned that it means those IPs didn't hit your existing policies but hit the default rule then the firewall dropped it. The purpose of the default rule is to avoid suspicious IPs trying to access your device or network.


     If you think those logs are too many and too often occur on the Monitor logs even impacting the readability of the Monitor log, you could choose don't appear default rule logs, as below:


    Thanks.

Security Highlight