IP Reputation Whitelist not working

neoforma Posts: 9
edited April 2021 in Security

Hi, I have a strange behaviour in the IP Reputation Filter.

Some IP addresses are being blocked although they are in the whitelist of the IP Reputation. I added the IP address to the whitelist under Security Service->Reputation Filter->IP Reputation->Whitelist. When I open a website with that specific IP address, the site is still blocked. The log says: "Malicious connection:Phishing". If an IP address is in the category Botnets or Phishing, then the whitelist isn't working. The other categories are working with the whitelist.

The "Check Whitelist"-Checkbox is checked.

Why is the IP still blocked, although it is on the whitelist?

Thanks in advance

Rudolf

All Replies

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee
    Hi @neoforma,

    Can you share the following information with us?

    - The websites which are blocked

    - The IP address added to whitelist

    - Signature version of IP Reputation

    - Firmware version of ATP


  • For example: https://www.screenpresso.com/ (a screen recording tool).

    The IP of this site is: 213.186.33.97

    Firmware: V4.35(ABFU.1)

    IP Signature Version: 1.0.0.20191209.0

    This is the latest blocked website which cannot be whitelisted.

    Additionally, it would be great if there were a comment field right beside the IP address in the white and blacklist, so that I can add an info to the IP.

    Another question: does the white/blacklist work when I add an IP address with a subnet (example: 1.1.1.0/24)?

    Thanks!

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee

    Hi @neoforma,

    Go to MONITOR > Log > View Log > Category and select IP Reputation.

    Check if the logs for destination 213.186.33.97 are ACCESS FORWARD.

    If the logs are ACCESS FORWARD when Check White List is enabled, it means the website is not blocked by IP Reputation.

    In this example, the log is ACCESS BLOCK after white-list is disabled. After white-list is enabled, the log is ACCESS FORWARD.


    You can check the network topology.

    - Is there any device between ISP and ATP500?

    - If ATP500 is connected to ISP directly (ISP----(wan)ATP500(lan)---PC), are you able to access the website when IP Reputation > IP Blocking is disabled?


    Check if the website is blocked by other security services:

    - Go to MONITOR > Log > View Log and check if there is any ACCESS BLOCK log for destination IP 213.186.33.97.
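
The log checks described in the reply above can be scripted against an exported log. This is an added example, not part of the original thread and not Zyxel code: the CSV layout, the sample rows and the names `in_list` and `triage` are assumptions made for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample export. The CSV columns, notes and the "Content Filter" row
# are assumptions for illustration, not the ATP's real log format.
SAMPLE_LOG = """\
time,category,dst,action,note
2019-12-10 09:01:12,IP Reputation,213.186.33.97,ACCESS BLOCK,Malicious connection:Phishing
2019-12-10 09:04:40,IP Reputation,213.186.33.97,ACCESS FORWARD,
2019-12-10 09:05:05,Content Filter,203.0.113.7,ACCESS BLOCK,
2019-12-10 09:06:18,IP Reputation,198.51.100.20,ACCESS BLOCK,Malicious connection:Botnets
"""

def in_list(ip, entries):
    """True if ip matches a single-address entry or falls inside a subnet entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)

def triage(log_text, dst, whitelist):
    """Report what the latest log entry per category says about one destination."""
    latest = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["dst"] == dst:
            latest[row["category"]] = row["action"]  # rows are chronological
    if not latest:
        return "no log entries for destination"
    blockers = sorted(c for c, a in latest.items() if a == "ACCESS BLOCK")
    if not blockers:
        return "forwarded"
    if "IP Reputation" not in blockers:
        return "blocked by other service: " + ", ".join(blockers)
    if in_list(dst, whitelist):
        return "whitelisted but still blocked by IP Reputation"
    return "blocked by IP Reputation, not in whitelist"

if __name__ == "__main__":
    whitelist = ["213.186.33.97", "198.51.100.0/24"]  # constructed entries
    for dst in ("213.186.33.97", "198.51.100.20", "203.0.113.7"):
        print(dst, "->", triage(SAMPLE_LOG, dst, whitelist))
```

A result of "whitelisted but still blocked by IP Reputation" corresponds to the symptom reported in this thread; "blocked by other service" points to a different security service as the cause.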

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee
    edited December 2019

    Hi @neoforma,

    About "the comment field right beside the IP address in the white and blacklist", thanks for your suggestion; we will move the request to the ideas section.

    About the white/blacklist, you can add an IP address with a subnet.

  • Thank you for the detailed answer. Unfortunately this doesn't work on my ATP500. I have nothing between modem and ATP.

    But there is still Access Block in the log and I can't open the website.

    I don't know why this isn't working. If I disable IP Blocking, I can open the website without any issues.


  • Additionally, I can see that the blacklisting also doesn't work. I added a subnet to the blacklist, but I still get spam from an address in this blacklisted subnet.

    But I received the mail from 160.20.12.165

    Have I done something wrong with the subnet entry in the blacklist?

    Thanks!

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee

    Hi @neoforma,

    We need to check the symptom on your ATP remotely to find out the root cause.

    I will contact you in private for more information.
