ATP 800 ADP white lists

Options
alexey
alexey Posts: 188  Master Member
First Anniversary 10 Comments Friend Collector
edited April 2023 in Security

We replace 2 usg1100 to 2 atp800.

Config were convert via converter.

After that each atp has many ADP alerts on any connections between sites (tcp/udp port scan), some aplications (as exchange DAG group, SIP, AD) stop work propely. Adding them to whitelist don't help.

How i can whitelist some addresses wo disable ADP between sites?

Other example:

src="client_ip:33462" dst="dns_ip:853" msg="Rule_id:2 from IPSec_VPN to Any, [type:TCP-Decoder(70)] obsolete-options Action:Drop Packet" note="ACCESS BLOCK" user="unknown" devID="aabbccddeeff" cat="ADP" class="" act="Drop Packet" sid=70 ob="0" ob_mac="000000000000"

ADP block DNS TLS request. How i can whitelist dns_tls to dns server?

FW V5.35(ABIQ.0)ITS-23WK12-0331-230301541 / 2023-03-31 09:04:28

All Replies

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 764  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @alexey ,

    Greeting Forum, Please kindly set the Allow List for ADP service.

    If the issue peresist, Please kindly share the related logs and config file by private message.

    Thank you

  • alexey
    alexey Posts: 188  Master Member
    First Anniversary 10 Comments Friend Collector
    edited April 2023
    Options

    Hello @Zyxel_Kevin

    I wrote on 4th line of question that "Adding them to whitelist don't help"

    Config:

    service-object DNS_TLS tcp eq 853

    idp anomaly white-list activate

    idp anomaly white-list allow_dns_tls
    source local_range_ip destination dns service DNS_TLS
    activate

    Traffick blocks with messages

    src="ip_from_ local_range_ip:43108" dst=dns:853" msg="Rule_id:2 from IPSec_VPN to Any, [type:TCP-Decoder(70)] obsolete-options Action:Drop Packet" note="ACCESS BLOCK" user="unknown" devID="aabbccddeeff" cat="ADP" class="" act="Drop Packet" sid=70 ob="0" ob_mac="000000000000"

    Send config and logs to PM.

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 764  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @alexey ,

    The Allow list only for "Flooding Detection".

    We would recommend that applying other ADP Profiles for the rule.

    For example: you will have profile "customize_profile" and set Action "none" for TCP Decoder.

    Thank you

Security Highlight