Can anyone explain these log entries (from an ATP200)?
In the security policy there is a NAT forward opening for https (443), and this is working fine. But sometimes I see the above entries in the log. Is this a result of the IP reputation entries that Zyxel maintains in the ATP200? Is it possible to tune this list locally on the ATP200?
Any suggestions are appreciated.
All Replies
-
As you can see, the category of this log is IP reputation: this feature checks the reputation of the IP address against a database and prevents users from navigating to malicious IP addresses/URLs.
In conclusion, this IP reputation log is irrelevant to the NAT rule. The log means there was traffic toward the malicious IP address 167.248.133.36, and the firewall blocked it. You may check on the host by the source IP of this log.
-
I understand. The blocking function of IP reputation is active only when traffic is towards the malicious IP address.
That's why I see "forwarded" in every second line of the log, and there is a block when there is a valid response created on the machine behind the NAT. This raises another question: how can we report false positives to the IP reputation database?
-
The "Access Forward" is because you have a security policy (15th rule) that allows the traffic. At the same time, IP reputation detected that the source IP is malicious, so "Access Block".
I would recommend adding the blocked IP address to the whitelist. To report the false positive on IP reputation, please use this link, thanks.
-
Thank you for the update.
To open (whitelist) the address indiscriminately would be a very big and expensive mistake.
Potentially you open up for the bad guys and invite them into your network.
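The replies above describe two log entries for the same flow: the security policy rule (rule 15) writes "Access Forward" for the inbound request, and IP reputation writes "Access Block" for the flow involving the listed address, with the advice to check the host behind the source IP of the block. The script below is an added example for triaging an exported log along those lines; it is not Zyxel's code and not from this thread. The key=value line layout, the timestamps, the LAN range 192.168.1.0/24 and the hosts 192.168.1.20 (the NAT-forwarded HTTPS service) and 192.168.1.55 are all constructed assumptions; only the address 167.248.133.36 and rule number 15 come from the thread, and the real ATP200 export format will differ, so the regular expression is the part to adapt.

```python
"""Triage paired 'Access Forward' / 'Access Block' entries from an exported log.

The key=value line layout below is a constructed simplification for this
example, not the real ATP200 export format; adjust LINE_RE to your export.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed LAN range of the hosts behind the NAT rule.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample. 167.248.133.36 and rule 15 come from the thread; the
# hosts, ports and timestamps are made up. 192.168.1.20:443 is the NAT-forwarded
# HTTPS service (WAN address 203.0.113.10), 192.168.1.55 is a workstation.
SAMPLE_LOG = """\
2024-05-01 10:00:01 cat=Security Policy Control msg="Access Forward" rule=15 src=167.248.133.36:51234 dst=203.0.113.10:443
2024-05-01 10:00:01 cat=IP Reputation msg="Access Block" src=192.168.1.20:443 dst=167.248.133.36:51234
2024-05-01 10:00:05 cat=Security Policy Control msg="Access Forward" rule=15 src=198.51.100.7:40000 dst=203.0.113.10:443
2024-05-01 10:00:09 cat=IP Reputation msg="Access Block" src=192.168.1.55:50211 dst=167.248.133.36:443
2024-05-01 10:00:12 cat=Security Policy Control msg="Access Forward" rule=15 src=167.248.133.36:51240 dst=203.0.113.10:443
2024-05-01 10:00:12 cat=IP Reputation msg="Access Block" src=192.168.1.20:443 dst=167.248.133.36:51240
2024-05-01 10:00:20 cat=IP Reputation msg="Access Block" src=167.248.133.36:51300 dst=192.168.1.20:443
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) cat=(?P<cat>.+?) msg="(?P<msg>[^"]+)"(?: rule=(?P<rule>\d+))?'
    r" src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["rule"] = int(e["rule"]) if e["rule"] else None
    e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
    return e


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(log_text):
    """Group IP Reputation blocks by the flagged external address.

    For each flagged address the result counts blocked flows that were replies
    to requests the policy rule had already forwarded (the Forward/Block pair
    the thread describes), flows that an internal host started itself, and
    inbound flows blocked outright, plus the internal hosts involved.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    # (external ip, external port) of every inbound request the policy forwarded.
    forwarded = {(e["src"], e["sport"]) for e in events
                 if e["msg"] == "Access Forward" and not is_internal(e["src"])}
    report = defaultdict(lambda: {"blocked_replies": 0, "outbound_attempts": 0,
                                  "inbound_blocked": 0, "internal_hosts": set(),
                                  "initiators": set()})
    for e in events:
        if e["cat"] != "IP Reputation" or e["msg"] != "Access Block":
            continue
        # The flagged address is whichever end of the flow is not on the LAN.
        if is_internal(e["src"]) and not is_internal(e["dst"]):
            flagged, internal = e["dst"], e["src"]
        elif is_internal(e["dst"]) and not is_internal(e["src"]):
            flagged, internal = e["src"], e["dst"]
        else:
            continue
        entry = report[flagged]
        entry["internal_hosts"].add(internal)
        if flagged == e["src"]:
            entry["inbound_blocked"] += 1      # listed address connecting in, dropped
        elif (e["dst"], e["dport"]) in forwarded:
            entry["blocked_replies"] += 1      # reply to a forwarded inbound request
        else:
            entry["outbound_attempts"] += 1    # the LAN host reached out on its own
            entry["initiators"].add(internal)
    return dict(report)


def hosts_to_check(log_text):
    """Internal hosts that initiated contact with a flagged address; these are
    the ones worth examining, as the reply in the thread suggests."""
    hosts = set()
    for entry in triage(log_text).values():
        hosts |= entry["initiators"]
    return hosts


if __name__ == "__main__":
    for ip, entry in triage(SAMPLE_LOG).items():
        print(ip, entry["blocked_replies"], "blocked replies,",
              entry["outbound_attempts"], "outbound attempts,",
              entry["inbound_blocked"], "inbound blocked, hosts:",
              sorted(entry["internal_hosts"]))
    print("check:", sorted(hosts_to_check(SAMPLE_LOG)))
```

The distinction the script draws matters for the whitelist question raised in the thread: a block on the reply to a request the policy rule already forwarded is the expected interplay of the two features and tells you nothing about the internal host, whereas an internal host initiating a connection to a listed address is the case where the host itself should be looked at before anyone considers relaxing the reputation check.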