Can anyone explain this log entries (from an ATP200)
ZCNE Certified
In the security policy there is an NAT forward opening for https (443), And this is working fine. But sometimes I see the above entries in the log. Is this a result of the IP reputation entries that zyxel maintains in the ATP200? Is it possible to tune this list locally on the ATP200?
Any suggestions are appreciated
Best Answers
-
As you can see the category of this log is IP reputation, this feature checks the reputation of the IP address from a database, and prevents users from navigating malicious IP address/URL.
In conclusion, this IP reputation log is irrelevant to the NAT rule. The log means there was traffic toward to malicious IP address 167.248.133.36, and the firewall blocked it. You may check on the host by the source IP of this log.0 -
The "Access Forward" is because you have a security policy(15th rule) that allows the traffic. At the same time, IP reputation detected the Source IP is malicious, so "Access Block".
I would recommend adding the blocked IP address to the whitelist.To report the false positive on IP reputation, please use this link, thanks.
0
Zyxel Employee
All Replies
-
As you can see the category of this log is IP reputation, this feature checks the reputation of the IP address from a database, and prevents users from navigating malicious IP address/URL.
In conclusion, this IP reputation log is irrelevant to the NAT rule. The log means there was traffic toward to malicious IP address 167.248.133.36, and the firewall blocked it. You may check on the host by the source IP of this log.0 -
I understand. The blocking function of IP reputation is active only when traffic is towards the malicious ip address.
Thats why I see "forwarded" in every second line of the log, and there is a blocked when there is a valid response created on the machine behind the NAT.This raises another question: How can we report false positives to the IP reputation database?
0 -
The "Access Forward" is because you have a security policy(15th rule) that allows the traffic. At the same time, IP reputation detected the Source IP is malicious, so "Access Block".
I would recommend adding the blocked IP address to the whitelist.To report the false positive on IP reputation, please use this link, thanks.
0 -
Thank you for the update.
To open (whitelist) the address undiscriminately would be a very big and expensive mistake.
Potentially you open up for the bad guys and invite them in to your network.0
Categories
- All Categories
- 397 Beta Program
- 2.1K Nebula
- 117 Nebula Ideas
- 81 Nebula Status and Incidents
- 5.1K Security
- 87 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 69 Switch Ideas
- 917 WirelessLAN
- 34 WLAN Ideas
- 5.9K Consumer Product
- 211 Service & License
- 337 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 2K FAQ
- 915 Nebula FAQ
- 422 Security FAQ
- 237 Switch FAQ
- 207 WirelessLAN FAQ
- 47 Consumer Product FAQ
- 139 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 72 About Community
- 62 Security Highlight
