USG Flex 200 URL Blocking log
Options
Freshman Member
Since a few days I have the following message in the FW logfiles: URL Blocking - > Botnet URL -> ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUr -> Threat Category -> Malicious Sites.
Once per day, do I need to worry that there is a botnet running or is this harmless?
Once per day, do I need to worry that there is a botnet running or is this harmless?
0
Accepted Solution
-
Hi @Vagabound, and @raph_soc,
Both URL https://e1.o.lencr.org and https://ocsp.pki.goog/ are in correct category now.
As for URL https://x1.c.lencr.org, it is still in Phishing category, we are working on it.
It may need to take 3-5 business days, will update status once it is in correct category.
https://ocsp.pki.goog/
https://e1.o.lencr.org
1
Zyxel Employee
All Replies
-
Looks like you have got a false positive there, at least as long as you can trust Google and the USA.
IANA WHOIS Service: https://www.iana.org/whois?q=ocsp.pki.googcontact: administrativename: TLD Adminorganisation: Google Incaddress: 111 8th Avenueaddress: New York NY 10011address: United States of America (the)phone: +1 404 978 8419fax-no: +1 650 492 5631e-mail: iana-contact@google.com(Note: your URL contains the part "MFEwTzBNMEswSTAJBgUr" which is likely only an individual key for a specific event or computer access, not necessarily anything compromising.)0 -
Thank you for your explanation, so that means I can ignore this message.
Should this URL be whitelisted by the firewall or not change it?
0 -
Hi @Vagabound,The URL ocsp.pki.goog(pki-goog.l.google.com) has been corrected to to Software/Hardware,Technical Information category.Please have a check.
0 -
Thank you for your feedback.
The URL ocsp.pki.goog(pki-goog.l.google.com) no longer appears in the blocklist as far as I can see.
But now a lot of these are in the log file:
e1.o.lencr.org -> Phishing -> 77.109.138.73 -> ACCESS BLOCK
x1.c.lencr.org -> Phishing ->104.79.24.135 -> ACCESS BLOCK
1 -
It seems that the problem with the URL ocsp.pki.goog(pki-goog.l.google.com) is not fixed after all. Just now another log message -> alert -> url-threat-filter -> ACCESS BLOCK -> ocsp.pki.goog: -> Malicious Sites.
0 -
same as Vagaboundlots of x1.c.lencr.org:Phishing the past few daysdestination IP: 23.217.185.252;104.108.45.242;104.93.207.219;104.82.150.7
0 -
Yes, I think Zyxel has a problem there.
I am in contact with the support, but so far no solution. Maybe there is still something coming.
1 -
I will do this as soon as I get a message from the support to solve the problem. Unfortunately, I have not read anything from support for three days. Seems to be a complex problem.
1 -
Hi @Vagabound, and @raph_soc,
Both URL https://e1.o.lencr.org and https://ocsp.pki.goog/ are in correct category now.
As for URL https://x1.c.lencr.org, it is still in Phishing category, we are working on it.
It may need to take 3-5 business days, will update status once it is in correct category.
https://ocsp.pki.goog/
https://e1.o.lencr.org
1
Master Member
Categories
- All Categories
- 395 Beta Program
- 2.1K Nebula
- 117 Nebula Ideas
- 81 Nebula Status and Incidents
- 5.1K Security
- 82 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 69 Switch Ideas
- 914 WirelessLAN
- 34 WLAN Ideas
- 5.9K Consumer Product
- 210 Service & License
- 337 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 2K FAQ
- 912 Nebula FAQ
- 415 Security FAQ
- 237 Switch FAQ
- 207 WirelessLAN FAQ
- 46 Consumer Product FAQ
- 139 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 72 About Community
- 62 Security Highlight
