Reputation filter not working?

SecuRing

On my Flex 500 I see logs like this (IP reputation is enabled):

May 1 00:51:11 xxxxxxxxxxxx May 1 00:51:12 2023 xxxxxx src="192.168.10.37:53272" dst="37.48.65.155:123" msg="Malicious connection:Phishing,Anonymous Proxies" note="ACCESS FORWARD" user="unknown" devID="xxxxxxxxxx" cat="IP Reputation"

Why is this traffic forwarded?

If I enter the IP into "IP to test" the result is:

Reputation filter settings:

Thanks.

Dieter

Accepted Solution

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 795  Zyxel Employee

    Hi @SecuRing ,

    If the types of reputation include "Botnets", the reputation filter will block outgoing/incoming traffic.

    If the types of reputation don't include "Botnets", it only blocks incoming traffic.

    For example:

    1) FORWARD is correct because there is no "Botnets"

    May 1 00:51:11 xxxxxxxxxxxx May 1 00:51:12 2023 xxxxxx src="192.168.10.37:53272" dst="37.48.65.155:123" msg="Malicious connection:Phishing,Anonymous Proxies" note="ACCESS FORWARD" user="unknown" devID="xxxxxxxxxx" cat="IP Reputation"

    2) BLOCK is correct because there is "Botnets"

    May 1 08:25:06 xxxxxxxx May 1 08:25:06 2023 xxxxxx src="192.168.10.21:25121" dst="81.169.145.94:443" msg="Malicious connection:Exploits,BotNets,Phishing" note="ACCESS BLOCK" user="unknown" devID="xxxxxxxxxxxx" cat="IP Reputation"

    Thank you

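A small audit script, added here as an example and not part of this thread or of Zyxel's software, that applies the rule in the accepted answer to IP Reputation log lines: it parses the key="value" fields, derives the direction from whether the source is a private address, and reports both lines whose logged action departs from the rule and every outbound connection that was forwarded despite a reputation hit (the list the original poster was pulling out of Splunk). The sample lines are constructed from the format quoted above; the third one is an invented inbound hit.

```python
import ipaddress
import re

# Constructed sample lines, modelled on the log format quoted in this thread
# (the third line is an invented inbound hit against a LAN host).
SAMPLE_LOGS = [
    'May 1 00:51:11 fw May 1 00:51:12 2023 fw src="192.168.10.37:53272" dst="37.48.65.155:123" '
    'msg="Malicious connection:Phishing,Anonymous Proxies" note="ACCESS FORWARD" cat="IP Reputation"',
    'May 1 08:25:06 fw May 1 08:25:06 2023 fw src="192.168.10.21:25121" dst="81.169.145.94:443" '
    'msg="Malicious connection:Exploits,BotNets,Phishing" note="ACCESS BLOCK" cat="IP Reputation"',
    'May 1 09:00:00 fw May 1 09:00:00 2023 fw src="37.48.65.155:4444" dst="192.168.10.5:22" '
    'msg="Malicious connection:Scanners" note="ACCESS FORWARD" cat="IP Reputation"',
]
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Return the key="value" fields of an IP Reputation line, or None for other lines."""
    f = dict(KV_RE.findall(line))
    if f.get("cat") != "IP Reputation":
        return None
    # msg looks like "Malicious connection:Phishing,Anonymous Proxies"
    f["categories"] = [c.strip() for c in f["msg"].partition(":")[2].split(",") if c.strip()]
    f["action"] = f["note"].replace("ACCESS ", "")   # FORWARD or BLOCK
    return f

def direction(f):
    """'outbound' when the source is a private (LAN) address, else 'inbound'."""
    return "outbound" if ipaddress.ip_address(f["src"].rsplit(":", 1)[0]).is_private else "inbound"

def expected_action(f):
    """Rule from the accepted answer: a 'Botnets' hit is blocked in both
    directions; any other category is blocked inbound and forwarded outbound."""
    botnets = any(c.lower() == "botnets" for c in f["categories"])
    return "BLOCK" if direction(f) == "inbound" or botnets else "FORWARD"

def audit(lines):
    """Return destinations whose logged action contradicts the rule, and every
    outbound connection that was forwarded despite a reputation hit."""
    mismatches, outbound_forwards = [], []
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        if f["action"] != expected_action(f):
            mismatches.append(f["dst"])
        if direction(f) == "outbound" and f["action"] == "FORWARD":
            outbound_forwards.append((f["src"], f["dst"], f["categories"]))
    return mismatches, outbound_forwards
```

Feeding the exported syslog lines to `audit()` instead of `SAMPLE_LOGS` gives the same outbound-forward list the original poster counted in Splunk, plus any entries that do not fit the documented rule.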

All Replies

  • WJS
    WJS Posts: 142  Ally Member

    It will be applied if the traffic is FROM the internet.

  • SecuRing
    SecuRing Posts: 9

    Thanks for your answer. I already saw that. But why is the outgoing traffic being logged? It does not make any sense if the traffic is forwarded unconditionally.

    I would consider it a good idea to not communicate with suspicious targets at all, or to have an option to do that.

    I became aware of this "problem" since I saw outgoing traffic being blocked by IP reputation:
    May 1 08:25:06 xxxxxxxx May 1 08:25:06 2023 xxxxxx src="192.168.10.21:25121" dst="81.169.145.94:443" msg="Malicious connection:Exploits,BotNets,Phishing" note="ACCESS BLOCK" user="unknown" devID="xxxxxxxxxxxx" cat="IP Reputation"

    Therefore I searched the logs and found what I consider inconsistent behavior. For the last 30 days I found 605 entries (outgoing traffic) blocked by IP reputation and 486 forwards (I forward the logs to Splunk, which results in a history that can nicely be searched).
    Since the device blocks/forwards pings accordingly I suspect that the category will determine whether or not IP reputation blocks/forwards outgoing traffic. But there is no evidence when this would happen.

    Would be nice if Zyxel could comment on that.

    Dieter

  • WJS
    WJS Posts: 142  Ally Member

    Well, can you check if the logs are from the USGFLEX?

    As far as I know, FLEX doesn't have this feature (IP reputation).

  • SecuRing
    SecuRing Posts: 9

    These are from the logs of the device.

    So let's wait and see if Zyxel hopefully sheds some light on that.

    Dieter

  • SDWinkelman
    SDWinkelman Posts: 6  Freshman Member
    edited May 2023

    I use the ATP500 and agree that something seems amiss with the reputation filter. It seems to have been since the last firmware update. I have an external DB with quite a number of addresses that should be blocked but now seem to be getting past. It was typical to see the log show numerous addresses as they were being blocked (both from my list and the others that were deemed bad by Zyxel), but now there is NOTHING showing as blocked… but it does show a lot of traffic being forwarded! Additionally, the report it's configured to send weekly now shows all zeros under the reputation filter section.

  • SecuRing
    SecuRing Posts: 9

    You may be right. I searched through my 6 months' history of logs and the first forward I found is on April 27 (only blocks prior to this date). However, I upgraded my device from 5.35 to 5.36 on April 24, which is in contradiction with the firmware hypothesis. Maybe an update of the reputation filter DB caused the problem?

    Another thought: I enabled the reputation filter white list since a customer's site was not reachable due to the reputation filter (single IP). I did that on April 27. I will now disable the white list and see if that changes the behavior.

  • SDWinkelman
    SDWinkelman Posts: 6  Freshman Member
    edited May 2023

    It's a theory, since I didn't observe the issue until after I applied the new firmware update on 4/22. In reviewing the history on SecuReporter, I can confirm that's when the IP reputation detections all dropped to zero, so there does seem to be some correlation.

    Just for grins, I reverted back to V5.35 and the problem remains! I compared the config files from before the upgrade to the current one and nothing seems to stand out there either.

  • SecuRing
    SecuRing Posts: 9

    Disabling the white list does not change the behavior either.

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 795  Zyxel Employee

    Hi @SecuRing ,

    Greetings Forum, I am running FLEX500 with 5.36 but can't find the same issue.

    Please kindly send your config file by private message.

    Thank you

  • SecuRing
    SecuRing Posts: 9

    Unfortunately I can't do that due to compliance rules. However, I can give you the IP reputation config, since that is not related to other services.

    Two questions:

    Is the reputation filter supposed to block outgoing traffic?

    If the answer is yes: if I configure it to block traffic, how come the device forwards traffic?
