IPSec NATT (udp4500) ADP false udp filtered distributed portscan Action

Options
jurusam
jurusam Posts: 6
First Comment
edited March 2023 in Security

ATP500 fw v5.35

I have logs of ADP:

from WAN to Any, [type:Scan-Detection(49)] udp filtered distributed portscan Action:Drop Packet
Source: {vpn.client.IP}:4500
Destination: {wan.IP}:4500

That logs are with every VPN access connection (L2TP over IPSec with PSK - Windows native client)

I have already changed sensitivity of ADP scan detection to "low" ((portscan) UDP Portscan)
I have added allow list rule for IPSec NATT udp port (udp4500)

How to get exclude rule of ADP to natt udp port - I don't want to disable the "(portscan) UDP Portscan" rule. Or, why zyxel-atp identify vpn-connection as "distributed portscan"??

All Replies

  • jurusam
    jurusam Posts: 6
    First Comment
    Options

    I wrote this in the wrong category - it should be in the Security category - someone could change it

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @jurusam,
    You can configure allow list rules to let certain IP addresses or services to bypass ADP flood detection.

  • jurusam
    jurusam Posts: 6
    First Comment
    Options

    I already wrote about it - I have enabled that feature - - it doesn' work

    …todays logs:

  • PeterUK
    PeterUK Posts: 2,735  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited March 2023
    Options

    Test with any service
    does the problem happen when client does a speed test?

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @jurusam,
    In the log, the traffic hits UDP portscan. Try to inactivate "(portscan) UDP Portscan" in ADP profile > Scan Detection and monitor if VPN connection is working. Then give me the remote access information of this ATP500 in private message. We will check if it is false positive.

  • jurusam
    jurusam Posts: 6
    First Comment
    Options

    VPN connection is stable (I think) - users didn't say that have problem.

    Today I have 4 vpn clients connected (Windows, Mac and Android) - working with RDP or http browsing of local web. With each of this connection there is log warning of "udp port scan" with action "access block".

    I tried with authentication of local ATP accounts or Win AD accounts - same thing

  • jurusam
    jurusam Posts: 6
    First Comment
    Options

    If this "access block" would cause problems with the connection - I would disable the rule. But now there is only warning in ATP device. I prefer to enable this rule to protect against other true port scans

  • vsdanie
    vsdanie Posts: 1
    First Anniversary First Comment
    Options

    The same thing happens to me with my flex500, I have to disable ADP for the ipsec vpn clients to work.
    In my case there are 4 clients that connect from the same office with their laptops using the zyxel IPSec VPN client.
    I have done the option described by jurusam and it does not solve.

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 755  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @vsdanie ,

    Greeting Forum, We will have Allow List for ADP Port scan to avoid preventing known IPSec UDP packets.

    The feature is upcoming next FCS firmware April.

    Thank you

Security Highlight