Reputation filter not working?

Options
2»

All Replies

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 814  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options

    Hi @SecuRing ,

    If the types of reputation include "Botnets", the repurtaion filter will block outgoing/incoming traffic.

    If the types of reputation doesn't include "Botnets", it only block incoming traffic.

    For example:

    1)FORWARD is correct because no "Botnets"

    May 1 00:51:11 xxxxxxxxxxxx May 1 00:51:12 2023 xxxxxx src="192.168.10.37:53272" dst="37.48.65.155:123" msg="Malicious connection:Phishing,Anonymous Proxies" note="ACCESS FORWARD" user="unknown" devID="xxxxxxxxxx" cat="IP Reputation"

    2)BLOCK is correct because there is "Botnets"

    May 1 08:25:06 xxxxxxxx May 1 08:25:06 2023 xxxxxx src="192.168.10.21:25121" dst="81.169.145.94:443" msg="Malicious connection:Exploits,BotNets,Phishing" note="ACCESS BLOCK" user="unknown" devID="xxxxxxxxxxxx" cat="IP Reputation"

    Thank you

    Share yours now! https://bit.ly/4aO0BMF

    Kevin

  • SecuRing
    SecuRing Posts: 9
    First Comment
    Options

    OK, thanks.

    It would be a good idea to add this information to the documentation.

    Just a suggestion for future improvement: add an option that blocks outgoing traffic anyway and/or enhance external block list to add a category (e. g. Botnets).

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 814  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Thanks your suggestion. We will evaluate that.

    Thank you

    Share yours now! https://bit.ly/4aO0BMF

    Kevin

  • SDWinkelman
    SDWinkelman Posts: 6  Freshman Member
    First Anniversary First Comment
    edited May 2023
    Options

    Still looking for a solution - for me, it's almost as if the service was disabled as of 4/22. Same for the other related "Reputation" features (URL/DNS)

    I have confirmed that inbound traffic from addresses in the block lists is being passed through and with nothing showing in the logs. I was previously able to see items in the (IP Reputation) log showing the traffic being blocked… but now nothing!

  • SecuRing
    SecuRing Posts: 9
    First Comment
    Options

    Maybe this is a monitoring issue. Device monitoring shows block counts 0/2/0 for reputation filter (IP/DNS/URL; scanned: 39180/19531/9753). However if I look into the logs forwarded to Splunk I see block counts 0/2/4821!

    Examples:

    May 3 07:25:49 xxxxxxxxxxxx May 3 07:25:49 2023 xxxxxxxxxxxx src="192.168.10.8:50034" dst="192.168.10.1:53" msg="covidid.com:Malicious Sites" note="DNS REDIRECT" user="unknown" devID="xxxxxxxxxxxx" cat="DNS Filter"

    May 3 20:00:02 xxxxxxxxxxxx May 3 20:00:02 2023 xxxxxxxxxxxx src="192.168.10.21:52662" dst="142.250.185.198:443" msg="fls.doubleclick.net:Block List, Rule_name=BLOCK_AD_STATISTICS, SSI=N" note="ACCESS BLOCK" user="unknown" devID="xxxxxxxxxxxx" cat="URL Threat Filter"

  • SDWinkelman
    SDWinkelman Posts: 6  Freshman Member
    First Anniversary First Comment
    Options

    I don't think so - I see absolutely nothing logged (IP Reputation)for traffic from "blocked" addresses (or any external address for that matter), and I can still access resources from them as well, which suggests to me that it is not working.

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 814  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @SecuRing ,

    I am sorry that I have to correct my statement:

    Forward logs should not appear.

    1)FORWARD is correct because no "Botnets"

    May 1 00:51:11 xxxxxxxxxxxx May 1 00:51:12 2023 xxxxxx src="192.168.10.37:53272" dst="37.48.65.155:123" msg="Malicious connection:Phishing,Anonymous Proxies" note="ACCESS FORWARD" user="unknown" devID="xxxxxxxxxx" cat="IP Reputation"

    But the issue cannot be reproduced in my side. Forward logs doesn't exist when I accessed 37.48.65.155. Could you send the diag-info by private message ?

    Hi @SDWinkelman ,

    Could you share your diag-info by private ?

    Thank you

    Share yours now! https://bit.ly/4aO0BMF

    Kevin

  • SecuRing
    SecuRing Posts: 9
    First Comment
    Options

    diag-info sent.

Security Highlight