IP Reputation System Protect Enhancement in Firmware 1.35: Improved VPN Compatibility

Zyxel_Lynn (Zyxel Employee)
edited August 26 in Other Topics

In Zyxel firmware version 1.35, we've introduced a crucial update to the IP Reputation System Protect feature to resolve a long-standing challenge affecting VPN tunnel establishment—especially when dealing with public IPs flagged as malicious.

The Problem: VPN Tunnel Fails Due to IP Reputation Blocking

Some users encountered issues when establishing VPN tunnels, especially when the peer gateway was hosted on a cloud platform using shared public IP addresses. In such cases, the firewall would block incoming VPN requests if the peer’s IP address had been flagged as malicious by the IP reputation service—even if the peer device was actually safe and trusted.

Why It Happened:

  • Many cloud-hosted environments reuse IP addresses, some of which may have been blacklisted due to past abuse.
  • If a peer gateway tries to initiate a VPN connection using one of these flagged IPs, the Zyxel firewall may block it.
  • Prior to firmware 1.35, the only workaround was to disable IP reputation entirely, which undermined overall network security.

Understanding “Local In” vs. “Local Out”

To grasp how this enhancement works, it's important to understand the firewall’s traffic handling:

  • Local In: Traffic entering the firewall (e.g., peer device initiating a VPN).
  • Local Out: Traffic originating from the firewall (e.g., firewall initiating a VPN).

Previously, IP reputation allow/block lists only affected general policy control—not local traffic rules. This meant the firewall would block even legitimate VPN requests if the source IP was on the malicious list.

What’s New in Firmware 1.35?

The enhancement now allows IP Reputation allow list entries to affect Local In rules. This means:

  • You can manually whitelist a known-safe IP address, even if it is flagged as malicious.
  • That IP address will be automatically added to the Local In policy, allowing your firewall to accept VPN tunnel initiation from that peer device.

Key Limitation

This fix only works if the peer gateway is the initiator of the VPN tunnel.

  • Peer Initiator + Whitelisted IP → VPN tunnel will succeed
  • Firewall Initiator + Malicious Peer IP → VPN tunnel will still fail, because the Local Out policy does not consult the allow list

This limitation is currently known and may be addressed in a future firmware update by extending allow list control to Local Out policies as well.
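To make the direction-dependent behaviour concrete, here is an added Python model of the policy logic described above (example code written for this post, not Zyxel firmware code). The firewall, feed and IP addresses are constructed; `enhanced=True` stands for firmware 1.35 or later, `enhanced=False` for earlier firmware.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class ReputationPolicy:
    """Constructed model of IP Reputation System Protect (not Zyxel's code).

    enhanced: True models firmware 1.35+, where allow-list entries are also
    applied to Local In rules; False models earlier firmware, where the allow
    list only affected general policy control.
    """
    enhanced: bool
    malicious: set = field(default_factory=set)   # IPs flagged by the reputation feed
    allow_list: set = field(default_factory=set)  # manually whitelisted IPs

    def _allow_list_applies(self, direction: str) -> bool:
        if direction == "policy":      # general policy control: always honoured
            return True
        if direction == "local_in":    # traffic entering the firewall itself
            return self.enhanced       # only honoured from firmware 1.35 onward
        return False                   # local_out: allow list not consulted (known limitation)

    def decide(self, direction: str, peer_ip: str) -> str:
        """Return 'permit' or 'block' for one packet in the given direction."""
        ip = str(ip_address(peer_ip))  # normalises and validates the address
        if ip not in self.malicious:
            return "permit"
        if ip in self.allow_list and self._allow_list_applies(direction):
            return "permit"
        return "block"


def vpn_tunnel_outcome(policy: ReputationPolicy, peer_ip: str, initiator: str) -> str:
    """Map who initiates the tunnel onto the direction the firewall evaluates.

    initiator == 'peer'     -> peer gateway connects in   -> Local In rule
    initiator == 'firewall' -> firewall connects out      -> Local Out rule
    """
    direction = "local_in" if initiator == "peer" else "local_out"
    return policy.decide(direction, peer_ip)


if __name__ == "__main__":
    # Constructed example: a cloud-hosted peer whose shared public IP is on the feed.
    flagged_peer = "203.0.113.10"
    for enhanced in (False, True):
        fw = ReputationPolicy(enhanced, malicious={flagged_peer}, allow_list={flagged_peer})
        for who in ("peer", "firewall"):
            print(f"enhanced={enhanced} initiator={who}: {vpn_tunnel_outcome(fw, flagged_peer, who)}")
```

The printed table reproduces the two bullets above: with the enhancement a whitelisted peer that initiates the tunnel is permitted, while a tunnel the firewall initiates toward the same flagged IP is still blocked.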

Where to Configure

You can find the configuration under:

  • Configuration > Security Service > Reputation Filter > IP Reputation
    • Manually add entries to the Allow List
  • Secureporter Integration (optional):
    • If Secureporter detects a malicious IP that should be trusted, it can be configured to automatically add that IP to the firewall's allow list.

You’ll also find a Secureporter Allow List entry within the firewall settings, reflecting IPs added through Secureporter.

With this enhancement, Zyxel firewalls gain more flexibility in real-world deployments—especially in cloud environments where IP reputation may not always reflect current behavior. While the current solution only applies to inbound VPN connections, it's a significant step forward in improving compatibility without compromising security.