Nebula 19.30 - Misalignment in firewall traffic statistics
Hello everyone,
After the 19.30 update I see an issue regarding the traffic widgets for the firewall.
If you look into this:
You miss almost 22 gigs of traffic:
Those 21.5 gigs are related to a backup done by a NAS.
If the Nebula is unable to recognize a specific APP I expect to see that traffic listed as "Unknown". Here we have no trace.
All Replies
-
Hi @GiuseppeR,
It appears you're observing a discrepancy in firewall traffic statistics within Nebula after the 19.30 update, specifically regarding a large volume of NAS backup traffic not being accounted for in the "Firewall network applications" widget, even though it appears in "Firewall clients by usage". This suggests the traffic might not be categorized or recognized as an application by the firewall's DPI engine.
Here are some initial steps and information that would be helpful for troubleshooting:
- Review Firewall Security Policies: Ensure there are no specific firewall rules that might be bypassing application control or logging for this NAS traffic. Sometimes, traffic matching an "Allow" rule without application patrol specified might not be deep-packet inspected for application identification.
- Check SecuReporter for Detailed Logs: While the Nebula dashboard provides an overview, SecuReporter often offers more granular detail.
  - Navigate to Site-wide > Configure > Site Settings > Reporting and ensure SecuReporter is enabled.
  - Access SecuReporter via the hyperlink in Site Settings and check Search > Logs & Activity for traffic logs related to the NAS. This might reveal if the traffic is being logged but not categorized, or if it's falling under an unexpected category.
  - Also ensure that Traffic Log and Interface Statistics are enabled under Configuration > Mgmt. & Analytics > SecuReporter > Categories > Network to ensure comprehensive logging.
- Verify Nebula Application Visibility: The "Firewall network applications" widget relies on the firewall's ability to identify applications. If the NAS backup traffic uses a less common or proprietary protocol, or if it's encrypted and not identifiable through typical DPI signatures, it might not appear as a distinct application.
To further investigate this issue, please provide the following:
- Device Model and Firmware Version: The exact model of your Zyxel firewall and its current firmware version.
- Screenshots: If possible, screenshots of the relevant firewall rules related to the NAS.
- Enable Zyxel Support Access: Please enable Zyxel Support Access for your organization via Help > Support Request in your Nebula console. This will allow our support team to directly view your cloud environment configuration, which can significantly shorten troubleshooting time. Please also provide the Organization Name and Site Name.
This AI response aims to provide initial troubleshooting steps and identify information needed for further diagnosis. Feel free to share additional details based on the suggestions above — this will help community members offer more targeted assistance.
If you have feedback or ideas about this AI assistant, share them in Community Feedback.
0 -
Please consider that on other sites (with H series…) I see "Unknown" category:
That "Unknown" category is the traffic made via HyperBackup by Synology, as it should be seen in the widget above.
0 -
Hi @GiuseppeR,
To help us narrow the issue down, could you please confirm if the affected site's client NAS is a Synology model? Also, what protocol is the backup job using?
If the issue still persists and can be seen on the widgets (before the data rolls off), please enable Zyxel Support Access and share the org/site name with us.
Zyxel Tina
0 -
Hi @Zyxel_Tina
Yes, it is still there; the Synology NAS uses HyperBackup as the protocol, to have a backup that manages deduplication.
As you can see here:
There is no trace of this backup:
As you can check, I lost trace of those 553 MB of traffic via the firewall, so it could be possible that something else has been lost too. This is an issue if you would like to avoid data exfiltration, for example.
You have a PM with unmasked info.
0