Outbound Apple push notifications blocked

Kitone Posts: 3
edited April 2021 in Security
Hi all, this is Kit, at my first post.

All my USGs (50, 110, 210) block outbound Apple push notifications with log entries (about 15 of them every time a macOS machine boots) like the sample below:

x.x.x.x:51872                 17.188.164.137:2196                 alert               secure-policy                 ACCESS BLOCK                 abnormal TCP flag attack detected, DROP
- I tried explicitly allowing APN traffic to Apple's 17.x.x.x block in Policy Control, to no avail.
- I tried disabling TCP Decoder Protocol Anomalies in ADP, to no avail.

If you have ever encountered a similar phenomenon, kindly advise.

Thank you.

All Replies

  • Blabababa
    Blabababa Posts: 151  Master Member
    Can you explain further? I can't understand what's the requirement in your post.
  • Kitone
    Kitone Posts: 3

    Thank you for replying — and sorry for being vague.

    1. First, I would like to know if other people noticed something similar.
    2. Secondly, I would like to understand why that traffic is being blocked (it seems legit to me).
    3. Thirdly, I would like to allow that traffic so the machines are able to contact APN servers on Apple’s 17.x.x.x block.
    I would appreciate any hint on how to approach this. Thanks.
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee

    Hi @Kitone,

    USG110/USG210

    Enter the CLI command to disable/enable abnormal TCP flag detection.

    Disable detect: secure-policy abnormal_tcp_flag_detect deactivate
    Enable detect: secure-policy abnormal_tcp_flag_detect activate

    For example:

    Router(config)# secure-policy abnormal_tcp_flag_detect deactivate
    Router(config)# write
    Router(config)# show secure-policy status
    secure-policy status: yes
    secure-policy asymmetrical route status: no
    secure-policy default rule: deny, log
    secure-policy tcp flag detect: no

    USG50

    You need to upgrade to the latest firmware to use the following commands.

    I will send you the download link via private message.

    Enter the CLI command to disable/enable abnormal TCP flag detection.

    Disable detect: firewall abnormal_tcp_flag_detect deactivate
    Enable detect: firewall abnormal_tcp_flag_detect activate

    For example:

    Router(config)# firewall abnormal_tcp_flag_detect deactivate
    Router(config)# write
    Router(config)# show firewall status
    firewall status: yes
    firewall asymmetrical route status: no
    firewall default rule: deny, log
    firewall tcp flag detect: no
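Added example, not code from this thread or from Zyxel: a small Python triage script for the situation described above. It parses USG log lines in the format quoted in the first post, separates "abnormal TCP flag" drops whose destination is in Apple's 17.0.0.0/8 block on an APNs port from all other such drops (so you can see whether the detector is only tripping on push traffic before deciding to turn it off), and checks the `show secure-policy status` / `show firewall status` output from the answer above to confirm the detector's state after the CLI change. The 17.x.x.x range and port 2196 come from the thread; port 5223 is the APNs port Apple documents and is an assumption about your network; the sample log lines and status output are constructed for the example.

```python
"""Triage Zyxel USG 'abnormal TCP flag' drops and confirm the detector state.

Added example for the forum thread above; the log field layout is read off the
line quoted in the first post. Sample data below is constructed, not real logs.
"""
import ipaddress
import re
from dataclasses import dataclass

APPLE_BLOCK = ipaddress.ip_network("17.0.0.0/8")  # Apple's block, from the thread
APNS_PORTS = {2196, 5223}  # 2196 from the quoted log line; 5223 assumed (Apple-documented APNs port)

# Fields of the quoted log line: src:port  dst:port  severity  category  action  message
LOG_RE = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<sev>\S+)\s+(?P<cat>\S+)\s+"
    r"(?P<action>ACCESS (?:BLOCK|FORWARD))\s+"
    r"(?P<msg>.+?)\s*$"
)

# Matches the line of interest in 'show secure-policy status' / 'show firewall status'.
STATUS_RE = re.compile(r"tcp flag detect:\s*(yes|no)", re.IGNORECASE)


@dataclass
class Drop:
    src: str
    sport: int
    dst: str
    dport: int
    message: str

    @property
    def looks_like_apns(self) -> bool:
        """True when the blocked flow went to Apple's block on an APNs port."""
        return ipaddress.ip_address(self.dst) in APPLE_BLOCK and self.dport in APNS_PORTS


def parse_line(line: str):
    """Return a Drop for an ACCESS BLOCK line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m or m["action"] != "ACCESS BLOCK":
        return None
    return Drop(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["msg"])


def triage(lines):
    """Count abnormal-TCP-flag drops per destination, split into APNs-looking vs. other."""
    apns, other = {}, {}
    for line in lines:
        d = parse_line(line)
        if d is None or "abnormal TCP flag" not in d.message:
            continue
        bucket = apns if d.looks_like_apns else other
        key = f"{d.dst}:{d.dport}"
        bucket[key] = bucket.get(key, 0) + 1
    return apns, other


def tcp_flag_detect_enabled(show_output: str):
    """Parse the 'tcp flag detect' line; True/False, or None if the line is absent."""
    m = STATUS_RE.search(show_output)
    if not m:
        return None
    return m.group(1).lower() == "yes"


# Constructed sample log (private source addresses, Apple destination from the thread,
# one non-Apple drop to show the 'other' bucket, one forwarded line that is ignored).
SAMPLE_LOG = """\
192.168.10.23:51872    17.188.164.137:2196    alert    secure-policy    ACCESS BLOCK    abnormal TCP flag attack detected, DROP
192.168.10.23:51873    17.188.164.137:2196    alert    secure-policy    ACCESS BLOCK    abnormal TCP flag attack detected, DROP
192.168.10.23:51880    17.188.164.137:5223    alert    secure-policy    ACCESS BLOCK    abnormal TCP flag attack detected, DROP
192.168.10.40:44012    203.0.113.9:22         alert    secure-policy    ACCESS BLOCK    abnormal TCP flag attack detected, DROP
192.168.10.23:51890    17.188.164.137:443     notice   secure-policy    ACCESS FORWARD  Match default rule, FORWARD
"""

# Constructed 'show secure-policy status' output as it looks after the deactivate command.
SAMPLE_STATUS_AFTER = """\
secure-policy status: yes
secure-policy asymmetrical route status: no
secure-policy default rule: deny, log
secure-policy tcp flag detect: no
"""

if __name__ == "__main__":
    apns, other = triage(SAMPLE_LOG.splitlines())
    print("APNs-looking drops :", apns)
    print("Other drops        :", other)
    print("tcp flag detect on :", tcp_flag_detect_enabled(SAMPLE_STATUS_AFTER))
```

Run it against a real export of the USG log instead of `SAMPLE_LOG` to see what the detector is actually catching: if the "other" bucket is empty, the drops are push-notification traffic and the CLI change above addresses them; if it is not, keep that list, because deactivating the detector removes the check for every flow, not just the Apple ones, and those destinations are what you lose visibility of.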
  • Kitone
    Kitone Posts: 3
    Hello Zyxel_Emily,

    Thank you for the answer. I'll try as per your advice and report on the outcome back here.

    Thank you,
    Kit