100H - block external IP address ... not all IPs are blocked!

SiegfriedH

Hello All,
I blocked several external IP addresses and found that most of them are not really blocked via "external block list". Firmware is "V1.36(ABXF.0)".

Example IP 209.38.78.160:
IP address blocked via "external block list" "IP reputation" - IP address not blocked - in Log / events under note as "ACCESS FORWARD".

IP address blocked "object" "address" - there I make an entry type HOST with IP 209.38.78.160, then under "security policy" and "policy control" a GeoIP blocking from "WAN to any" - IP address is perfectly blocked - in Log / events under note as "ACCESS BLOCK".

Blocking IPs via a list is very comfortable; via a certain rule in GeoIP it is a lot of work.
What's wrong? Or, what am I doing wrong? What's the best - and most efficient - way to block external IPs?

all the Best from Austria, and TNX for help
Siegfried

Best Answers

  • Zyxel_Melen
    Zyxel Employee
    Answer ✓

    Hi @SiegfriedH

    After checking with our team, the external block list IP reputation does block the traffic from LAN to WAN and from WAN to LAN. The only traffic it does not block is from WAN to ZyWALL.

    Result from WAN to LAN:

    image.png

    Since this is the current spec design, we created an idea post for this. Our product team will monitor the idea post to evaluate it.

    USG FLEX H - external block list also blocks traffic from WAN to ZyWALL — Zyxel Community

    Zyxel Melen



All Replies

  • PeterUK
    Answer ✓

    Testing here it does seem like the external block list does not work either for destination or source IP blocking

  • SiegfriedH

    Thanks for the fast answer

  • SiegfriedH

    Now I also made a few more tests and you are right …
    The external block list feature isn't working correctly.
    Waiting for a fix …

  • Zyxel_Melen
    Zyxel Employee

    Hi @SiegfriedH

    The External Block List (EBL) is a feature that allows the firewall to import a text file hosted on an external web server. Therefore, may I confirm your configuration here?

    1. Did you set up a web server with the txt file for all access?
    2. Is the blocked IP in this txt file?
    3. Did you sync the signature with the external block list server?
    4. Could you share the txt file and your setting with us?
    5. Could you share the logs of the issue?

    Additionally, I did a local test and got this result.

    image.png
    Zyxel Melen
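
An added example, not part of the thread and not Zyxel tooling: one way to answer question 2 ("Is the blocked IP in this txt file?") offline and to spot malformed lines before syncing. It assumes the hosted file holds one IP address or CIDR range per line with `#` comments, which the thread does not confirm; the sample list is constructed and only 209.38.78.160 comes from the post.

```python
import ipaddress

# Constructed sample list (not the poster's file). Assumed layout:
# one IP or CIDR per line, '#' starts a comment.
SAMPLE_LIST = """\
# constructed sample block list
209.38.78.160
198.51.100.0/24   # documentation range
203.0.113.7
not-an-ip
192.0.2.300
"""


def parse_block_list(text):
    """Return (networks, errors); errors are (line_number, entry) pairs."""
    networks, errors = [], []
    for number, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not entry:
            continue
        try:
            # strict=False accepts a host address written with a prefix length
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            errors.append((number, entry))
    return networks, errors


def covering_entries(ip, networks):
    """List every parsed entry that contains the given address."""
    addr = ipaddress.ip_address(ip)
    return [str(n) for n in networks
            if n.version == addr.version and addr in n]


if __name__ == "__main__":
    nets, bad = parse_block_list(SAMPLE_LIST)
    for ip in ("209.38.78.160", "198.51.100.25", "192.0.2.1"):
        hits = covering_entries(ip, nets)
        print(ip, "listed by", hits if hits else "nothing")
    for number, entry in bad:
        print(f"line {number}: unparsable entry {entry!r}")
```

A hit here only shows that the address is in the file; as the replies in this thread explain, whether the firewall then blocks it depends on the traffic direction.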


  • SiegfriedH

    Hello Melen,

    1. Did you set up a web server with the txt file for all access?

    yes, see screenshot

    2. Is the blocked IP in this txt file?

    yes

    3. Did you sync the signature with the external block list server?

    see screenshot - is this correct?

    4. Could you share the txt file and your setting with us?

    IP file "blocklist_sigi.ipset" is also here as rar file

    5. Could you share the logs of the issue?

    I didn't log this - sorry

  • Zyxel_Melen
    Zyxel Employee

    Hi @SiegfriedH

    Thanks for the update.

    May I know your test path is from LAN to WAN or? This could help us to identify this issue.

    Zyxel Melen


  • SiegfriedH

    I hope I understand, here are the screenshots.

    2025-12-22 10_15_32-Mozilla Firefox.jpg 2025-12-22 10_15_57-Mozilla Firefox.jpg 2025-12-22 10_16_31-Mozilla Firefox.jpg 2025-12-22 10_19_16-Mozilla Firefox.jpg 2025-12-22 10_20_20-Mozilla Firefox.jpg 2025-12-22 10_21_01-Mozilla Firefox.jpg
  • SiegfriedH

    In both directions the same IPs are blocked in "GeoIP_blocking_in" and "GeoIP_blocking_out".

  • PeterUK
    edited December 2025

    Melen, do you need to enable the IP Reputation filter when you enable External Block List, or can the two work independently?

  • Zyxel_Melen
    Zyxel Employee
    Answer ✓

    Hi @SiegfriedH

    Thanks for the information. This is an issue for the External Block List > IP Reputation when you also have a security policy that allows the traffic from WAN to any/ZyWALL/etc. In my lab, I can replicate this issue when I have a policy that allows this traffic flow. And here is the result.

    image.png

    However, if you set an IP address in IP Reputation > Block List,

    image.png

    the IP Reputation will block this traffic flow even if the security policy allows it.

    image.png

    We will fix this issue.

    Hi @PeterUK

    Yes, the IP Reputation filter needs to be enabled, since this is the main function. The external block list is an extra database for the IP Reputation filter/DNS/URL threat filter.

    Zyxel Melen