Can anyone explain this log entries (from an ATP200)

Carlsap
Carlsap Posts: 23  ZCNE Certified
First Anniversary ZCNE Security Level 1 Certification - 2019 ZCNE Nebula Level 1 Certification - 2019 10 Comments

In the security policy there is an NAT forward opening for https (443), And this is working fine. But sometimes I see the above entries in the log. Is this a result of the IP reputation entries that zyxel maintains in the ATP200? Is it possible to tune this list locally on the ATP200?

Any suggestions are appreciated

Best Answers

  • Zyxel_James
    Zyxel_James Posts: 610  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓

    As you can see the category of this log is IP reputation, this feature checks the reputation of the IP address from a database, and prevents users from navigating malicious IP address/URL.
    In conclusion, this IP reputation log is irrelevant to the NAT rule. The log means there was traffic toward to malicious IP address 167.248.133.36, and the firewall blocked it. You may check on the host by the source IP of this log.

  • Zyxel_James
    Zyxel_James Posts: 610  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓

    The "Access Forward" is because you have a security policy(15th rule) that allows the traffic. At the same time, IP reputation detected the Source IP is malicious, so "Access Block".
    I would recommend adding the blocked IP address to the whitelist.

    To report the false positive on IP reputation, please use this link, thanks.

All Replies

  • Zyxel_James
    Zyxel_James Posts: 610  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓

    As you can see the category of this log is IP reputation, this feature checks the reputation of the IP address from a database, and prevents users from navigating malicious IP address/URL.
    In conclusion, this IP reputation log is irrelevant to the NAT rule. The log means there was traffic toward to malicious IP address 167.248.133.36, and the firewall blocked it. You may check on the host by the source IP of this log.

  • Carlsap
    Carlsap Posts: 23  ZCNE Certified
    First Anniversary ZCNE Security Level 1 Certification - 2019 ZCNE Nebula Level 1 Certification - 2019 10 Comments

    I understand. The blocking function of IP reputation is active only when traffic is towards the malicious ip address.
    Thats why I see "forwarded" in every second line of the log, and there is a blocked when there is a valid response created on the machine behind the NAT.

    This raises another question: How can we report false positives to the IP reputation database?

  • Zyxel_James
    Zyxel_James Posts: 610  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓

    The "Access Forward" is because you have a security policy(15th rule) that allows the traffic. At the same time, IP reputation detected the Source IP is malicious, so "Access Block".
    I would recommend adding the blocked IP address to the whitelist.

    To report the false positive on IP reputation, please use this link, thanks.

  • Carlsap
    Carlsap Posts: 23  ZCNE Certified
    First Anniversary ZCNE Security Level 1 Certification - 2019 ZCNE Nebula Level 1 Certification - 2019 10 Comments

    Thank you for the update.
    To open (whitelist) the address undiscriminately would be a very big and expensive mistake.
    Potentially you open up for the bad guys and invite them in to your network.

Security Highlight