abnormal tcp traffic detected, source port is zero, DROP

B_IT  Posts: 6  Freshman Member
edited March 27 in Security

For several weeks now, I have been seeing repeated log entries on multiple Zyxel firewalls (Flex 700 & 100, USG110, ATP200) related to abnormal TCP traffic from the same Bulgarian IP addresses. Based on my research, including responses from Zyxel, these log entries appear to be necessary for the devices to remain licensed.

The Bulgarian IP addresses have already been blacklisted in multiple ways, so there is no security risk. However, the log remains cluttered with these entries, making it difficult to identify other important logs that require investigation. Disabling security logging, as suggested, is not a viable solution.

Apart from the command mentioned in this article:

https://support.zyxel.eu/hc/en-us/articles/360001445493-Firewall-Abnormal-TCP-flag-attack-detected#introduction-0

Is there any other way to suppress these log entries?
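One collector-side alternative, as an added example that is not part of this thread or Zyxel's own tooling: forward the firewall syslog to a collector and suppress only this one message text there, leaving every other "Security Policy Control" entry intact. The suppressed entries are counted per source IP rather than dropped silently, so the noise is summarised instead of lost. The field layout of the sample lines (cat=, src=, dst=, msg=) is a constructed approximation, not a documented Zyxel format.

```python
"""Suppress only the 'source port is zero' drop message at the log collector."""
import re
from collections import Counter

# Exact message text reported by the firewall, compared case-insensitively.
NOISE_MSG = "abnormal tcp traffic detected, source port is zero, drop"
# IPv4 source address as it appears in the constructed sample layout (src=A.B.C.D:port).
SRC_RE = re.compile(r"\bsrc=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def is_noise(line: str) -> bool:
    """True only for the 'source port is zero' DROP entry; all other messages pass."""
    return NOISE_MSG in line.lower()


def filter_log(lines):
    """Return (kept_lines, suppressed_count_by_source_ip).

    Every line that is not the noisy message is kept verbatim so that other
    Security Policy Control events still reach the analyst.
    """
    kept = []
    suppressed = Counter()
    for line in lines:
        if is_noise(line):
            m = SRC_RE.search(line)
            suppressed[m.group("ip") if m else "unknown"] += 1
        else:
            kept.append(line)
    return kept, suppressed


# Constructed sample lines (documentation addresses), not captured from a real device.
SAMPLE = [
    'Mar 27 10:01:02 usg110 cat="Security Policy Control" src=203.0.113.10:0 dst=198.51.100.5:443 msg="Abnormal TCP traffic detected, source port is zero, DROP"',
    'Mar 27 10:01:03 usg110 cat="Security Policy Control" src=203.0.113.10:0 dst=198.51.100.5:22 msg="Abnormal TCP traffic detected, source port is zero, DROP"',
    'Mar 27 10:01:05 usg110 cat="Security Policy Control" src=192.0.2.7:51000 dst=198.51.100.5:3389 msg="Match default rule, DROP"',
    'Mar 27 10:01:09 usg110 cat="Security Policy Control" src=203.0.113.11:0 dst=198.51.100.9:80 msg="Abnormal TCP traffic detected, source port is zero, DROP"',
]

if __name__ == "__main__":
    kept, suppressed = filter_log(SAMPLE)
    for entry in kept:
        print(entry)
    for ip, n in suppressed.most_common():
        print(f"suppressed {n} 'source port is zero' drops from {ip}")
```

The same match rule can be expressed as a message filter in rsyslog or syslog-ng; the point is that the filter keys on the full message text, so other drops from the same category are not hidden.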

Accepted Solution

  • Zyxel_Judy
    Zyxel_Judy Posts: 2,019  Zyxel Employee
    Answer ✓

    Hi @B_IT ,

    Currently, logs with the message "Abnormal TCP traffic detected, source port is zero, DROP" are categorized under "Security Policy Control."

    In the upcoming 5.40 official firmware, they will be moved to the "Debug Log" category.

All Replies

  • Zyxel_Judy
    Zyxel_Judy Posts: 2,019  Zyxel Employee

    Hi @B_IT ,

    Do you mean you don’t want to see the log message "Abnormal TCP traffic detected, source port is zero, DROP" in the firewall’s GUI, or are you referring to something else?

  • B_IT
    B_IT Posts: 6  Freshman Member

    Hi Judy, exactly, I want to suppress all of the "Abnormal TCP traffic detected, source port is zero, DROP" entries, but only these ones.
