ATP 800 ADP white lists

alexey Posts: 188  Master Member
edited April 2023 in Security

We replaced 2 USG1100 with 2 ATP800.

The config was converted via the converter.

After that, each ATP has many ADP alerts on any connections between sites (TCP/UDP port scan), and some applications (such as Exchange DAG group, SIP, AD) stop working properly. Adding them to the whitelist doesn't help.

How can I whitelist some addresses without disabling ADP between sites?

Other example:

src="client_ip:33462" dst="dns_ip:853" msg="Rule_id:2 from IPSec_VPN to Any, [type:TCP-Decoder(70)] obsolete-options Action:Drop Packet" note="ACCESS BLOCK" user="unknown" devID="aabbccddeeff" cat="ADP" class="" act="Drop Packet" sid=70 ob="0" ob_mac="000000000000"

ADP blocks the DNS TLS request. How can I whitelist dns_tls to the DNS server?

FW V5.35(ABIQ.0)ITS-23WK12-0331-230301541 / 2023-03-31 09:04:28

All Replies

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 934  Zyxel Employee

    Hi @alexey ,

    Greetings, Forum. Please kindly set the Allow List for the ADP service.

    Image 42.png

    If the issue persists, please kindly share the related logs and config file by private message.

    Thank you

  • alexey
    alexey Posts: 188  Master Member
    edited April 2023

    Hello @Zyxel_Kevin

    I wrote on the 4th line of the question that "Adding them to whitelist don't help".

    Config:

    service-object DNS_TLS tcp eq 853

    idp anomaly white-list activate

    idp anomaly white-list allow_dns_tls
    source local_range_ip destination dns service DNS_TLS
    activate

    Traffic is blocked with messages:

    src="ip_from_local_range_ip:43108" dst="dns:853" msg="Rule_id:2 from IPSec_VPN to Any, [type:TCP-Decoder(70)] obsolete-options Action:Drop Packet" note="ACCESS BLOCK" user="unknown" devID="aabbccddeeff" cat="ADP" class="" act="Drop Packet" sid=70 ob="0" ob_mac="000000000000"

    Send config and logs to PM.

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 934  Zyxel Employee

    Hi @alexey ,

    The Allow List is only for "Flooding Detection".

    Image 62.png

    We would recommend applying other ADP profiles for the rule.

    For example, you will have the profile "customize_profile" and set the Action to "none" for TCP Decoder.

    Image 63.png

    Thank you
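
Before relaxing a decoder in a custom ADP profile, it helps to see exactly which ADP rule, zone pair and anomaly type are dropping traffic. The Python below is an added example, not part of the thread or any Zyxel tooling; the sample lines and addresses are constructed, and the field layout is assumed from the two log lines quoted in the posts above.

```python
import re
from collections import Counter

# Constructed sample lines in the log format quoted in the thread;
# addresses and the non-ADP line are placeholders, not real captures.
SAMPLE_LOGS = [
    'src="10.1.0.5:33462" dst="10.2.0.53:853" msg="Rule_id:2 from IPSec_VPN to Any, '
    '[type:TCP-Decoder(70)] obsolete-options Action:Drop Packet" note="ACCESS BLOCK" '
    'cat="ADP" class="" act="Drop Packet" sid=70',
    'src="10.1.0.9:43108" dst="10.2.0.53:853" msg="Rule_id:2 from IPSec_VPN to Any, '
    '[type:TCP-Decoder(70)] obsolete-options Action:Drop Packet" note="ACCESS BLOCK" '
    'cat="ADP" class="" act="Drop Packet" sid=70',
    'src="10.1.0.7:50111" dst="10.2.0.20:443" msg="constructed non-ADP entry" cat="Other"',
]

# key="value" pairs, plus unquoted values such as sid=70
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Layout of the msg field as it appears in the quoted ADP log lines
MSG = re.compile(r'Rule_id:(\d+) from (\S+) to (\S+), '
                 r'\[type:([^\](]+)\((\d+)\)\] (\S+) Action:(.+)')

def parse_adp(line):
    """Return the ADP fields of one log line, or None if it is not an ADP event."""
    f = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
         for m in KV.finditer(line)}
    m = MSG.match(f.get("msg", ""))
    if f.get("cat") != "ADP" or m is None:
        return None
    rule, src_zone, dst_zone, kind, sid, anomaly, action = m.groups()
    return {"rule": int(rule), "from": src_zone, "to": dst_zone, "type": kind,
            "sid": int(sid), "anomaly": anomaly, "action": action,
            "dst_port": int(f["dst"].rsplit(":", 1)[1])}

def summarize_drops(lines):
    """Count dropped flows per (ADP rule, zones, decoder type, anomaly, dst port)."""
    hits = Counter()
    for e in filter(None, map(parse_adp, lines)):
        if e["action"].startswith("Drop"):
            hits[(e["rule"], e["from"], e["to"], e["type"], e["anomaly"], e["dst_port"])] += 1
    return hits

if __name__ == "__main__":
    for key, n in summarize_drops(SAMPLE_LOGS).most_common():
        print(n, key)
```

Each key in the result names the ADP rule and the decoder category whose action would need changing in the profile bound to that rule, along with the destination port that is affected.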