ZLD 5.40 Update: Abnormal TCP/UDP Traffic Detection Logs Now Set to Debug Level

Zyxel_Claudia, Zyxel Employee

New in ZLD firmware version 5.40, this enhancement improves log management and provides clearer information for diagnosing abnormal traffic behaviors.

Overview

Firewalls are designed to detect and drop suspicious traffic that may indicate potential threats. One such behavior is TCP or UDP traffic with a source or destination port set to zero—a scenario considered abnormal and thus automatically dropped by the system.

Previously, these events generated logs at the Normal level, which could clutter reports and logs during high-frequency occurrences.

The Change in ZLD 5.40

Starting with firmware v5.40, the log level for these events has been modified from Normal to Debug, streamlining the logging process for administrators:

  • abnormal TCP traffic detected, source port is zero, DROP
  • abnormal TCP traffic detected, destination port is zero, DROP
  • abnormal UDP traffic detected, source port is zero, DROP
  • abnormal UDP traffic detected, destination port is zero, DROP

This change means that, under default logging settings, these messages no longer appear unless the log category is explicitly set to Debug.

Default Behavior

By default, the Security Policy Control log category is set to Normal, so these abnormal traffic logs will no longer show up in regular system logs.

How to Verify Abnormal Traffic Logs

If you're troubleshooting or need to confirm the presence of abnormal traffic, you can temporarily switch the logging level to Debug:

  1. Navigate to CONFIGURATION > Log & Report > Log Settings > Log Category Settings.
  2. Change the category setting to Debug Log.
  3. View the detailed debug logs which now include “Invalid TCP / UDP traffic detected, source / destination port is zero, DROP”.

This approach allows administrators to access the necessary data when needed, without overwhelming their default logs with benign but frequent entries.
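
Once Debug logging is on, these entries can arrive in volume, so it helps to aggregate them rather than read them one by one. The following is an added example, not Zyxel code: it tallies the four messages listed above from exported log lines. The `src="ip:port"` field layout and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Matches the four message texts listed in the post. Step 3 of the post words
# them "Invalid ...", so both leading words are accepted.
PORT_ZERO = re.compile(
    r"(?:abnormal|invalid) (TCP|UDP) traffic detected, "
    r"(source|destination) port is zero, DROP",
    re.IGNORECASE,
)
# Assumed field layout (not taken from the post): src="address:port".
SRC_FIELD = re.compile(r'src="([^"]+?):\d+"')


def summarize(lines):
    """Count port-zero drops by (protocol, port side) and by source address."""
    by_kind, by_source = Counter(), Counter()
    for line in lines:
        m = PORT_ZERO.search(line)
        if not m:
            continue  # not one of the port-zero drop messages
        by_kind[(m.group(1).upper(), m.group(2).lower())] += 1
        src = SRC_FIELD.search(line)
        by_source[src.group(1) if src else "unknown"] += 1
    return by_kind, by_source


# Constructed sample lines using documentation addresses, not real device output.
SAMPLE = [
    'src="198.51.100.7:0" dst="192.0.2.10:443" msg="abnormal TCP traffic detected, source port is zero, DROP"',
    'src="198.51.100.7:0" dst="192.0.2.10:80" msg="abnormal TCP traffic detected, source port is zero, DROP"',
    'src="203.0.113.20:5353" dst="192.0.2.10:0" msg="abnormal UDP traffic detected, destination port is zero, DROP"',
    'src="198.51.100.7:0" dst="192.0.2.10:53" msg="Invalid UDP traffic detected, source port is zero, DROP"',
    'src="192.0.2.55:51512" dst="192.0.2.10:22" msg="unrelated entry"',
    'msg="abnormal TCP traffic detected, destination port is zero, DROP"',
]

if __name__ == "__main__":
    kinds, sources = summarize(SAMPLE)
    for (proto, side), n in kinds.most_common():
        print(f"{proto} {side} port zero: {n}")
    for addr, n in sources.most_common(5):
        print(f"{addr}: {n}")
```

A single source address that dominates the count is worth a closer look before the category is switched back from Debug.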