IPSec NATT (udp4500) ADP false udp filtered distributed portscan Action

Options
jurusam
jurusam Posts: 6
First Comment
edited March 2023 in Security

ATP500 fw v5.35

I have logs of ADP:

from WAN to Any, [type:Scan-Detection(49)] udp filtered distributed portscan Action:Drop Packet
Source: {vpn.client.IP}:4500
Destination: {wan.IP}:4500

That logs are with every VPN access connection (L2TP over IPSec with PSK - Windows native client)

I have already changed sensitivity of ADP scan detection to "low" ((portscan) UDP Portscan)
I have added allow list rule for IPSec NATT udp port (udp4500)

How to get exclude rule of ADP to natt udp port - I don't want to disable the "(portscan) UDP Portscan" rule. Or, why zyxel-atp identify vpn-connection as "distributed portscan"??

All Replies

  • jurusam
    jurusam Posts: 6
    First Comment
    Options

    I wrote this in the wrong category - it should be in the Security category - someone could change it

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @jurusam,
    You can configure allow list rules to let certain IP addresses or services to bypass ADP flood detection.

    adp_bypass.jpg

  • jurusam
    jurusam Posts: 6
    First Comment
    Options

    I already wrote about it - I have enabled that feature - - it doesn' work

    …todays logs:

    image.png
    image.png

  • PeterUK
    PeterUK Posts: 2,761  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited March 2023
    Options

    Test with any service
    does the problem happen when client does a speed test?

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @jurusam,
    In the log, the traffic hits UDP portscan. Try to inactivate "(portscan) UDP Portscan" in ADP profile > Scan Detection and monitor if VPN connection is working. Then give me the remote access information of this ATP500 in private message. We will check if it is false positive.

  • jurusam
    jurusam Posts: 6
    First Comment
    Options

    VPN connection is stable (I think) - users didn't say that have problem.

    Today I have 4 vpn clients connected (Windows, Mac and Android) - working with RDP or http browsing of local web. With each of this connection there is log warning of "udp port scan" with action "access block".

    I tried with authentication of local ATP accounts or Win AD accounts - same thing

  • jurusam
    jurusam Posts: 6
    First Comment
    Options

    If this "access block" would cause problems with the connection - I would disable the rule. But now there is only warning in ATP device. I prefer to enable this rule to protect against other true port scans

  • vsdanie
    vsdanie Posts: 1
    First Anniversary First Comment
    Options

    The same thing happens to me with my flex500, I have to disable ADP for the ipsec vpn clients to work.
    In my case there are 4 clients that connect from the same office with their laptops using the zyxel IPSec VPN client.
    I have done the option described by jurusam and it does not solve.

    imagen.png

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 767  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @vsdanie ,

    Greeting Forum, We will have Allow List for ADP Port scan to avoid preventing known IPSec UDP packets.

    The feature is upcoming next FCS firmware April.

    Thank you

Categories

Security Highlight


Read more

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)