IP Reputation Whitelist not working

neoforma

Hi, i have a strange behaviour in the IP Reputation Filter.

Some IP-Adresses are being blocked although they are in the whitelist of the IP Reputation. I added the IP Adress in the whitelist under Security Service->Reputation Filter->IP Reputation->Whitelist. When i open a Website with the specific IP Adress, then the site is still being blocked. In the Log stands: "Malicious connection:Phishing". If an IP Adress is in the category Botnets or Phishing, then the Whitelist isn't working. The other categories are working with the whitelist.

The "Check Whitelist"-Checkbox is checked.

Why is the ip still blocked - although it is on the whitelist?

Thanks in advance

Rudolf

Zyxel_Emily

Hi @neoforma,

The firmware is sent to you in private message.

Zyxel_Emily

Hi @neoforma,

Can you share the following information with us?

- The websites which are blocked

- The IP address added to whitelist

- Signature version of IP Reputation

- Firmware version of ATP

neoforma

For example: https://www.screenpresso.com/ (a screen recording tool).

The IP of this site is: 213.186.33.97

Firmware: V4.35(ABFU.1)

IP Signature Version: 1.0.0.20191209.0

This is the latest blocked Website which can not be whitelisted.

Additionally it would be great if there would be a comment field right beside the ip adress in the white and blacklist, so that i can add an info to the ip.

Another question: does the white/blacklist work, when i add an ip adress with a subnet (example: 1.1.1.0/24)?

Thanks!

Zyxel_Emily

Hi @neoforma,

Go to MONITOR > Log > View Log > Category and select IP Reputation.

Check if the logs for destination 213.186.33.97 are ACCESS FORWARD.

If the logs are ACCESS FORWARD when Check White List is enabled, it means the website is not blocked by IP Reputation.

In this example, the log is ACCESS BLOCK after white-list is disabled. After white-list is enabled, the log is ACCESS FORWARD.

You can check the network topology.

- Is there any device between ISP and ATP500?

- If ATP500 is connected to ISP directly (ISP----(wan)ATP500(lan)---PC), are you able to access the website when IP Reputation > IP Bocking is disabled?

Check if the website is blocked by other security services

- Go to MONITOR > Log > View Log and check if there is any ACCESS BLOCK log for destination IP 213.186.33.97.

Zyxel_Emily

Hi @neoforma,

About "the comment field right beside the ip address in the white and blacklist", thanks for your suggestion and we will move the request to the ideas section.

About the white/blacklist, you can add IP address with a subnet.

neoforma

Thank you for the detailed answer. Unfortunately this doesn't work at my ATP500. I have nothing between modem and ATP.

But there is still Access Block in the log and i can't open the website.

i don't know why this isn't working. if i disable IP Blocking, i can open the website without any issues.

neoforma

Additionally i can see, that the Blacklisting also doesn't work. i added a subnet to blacklist, but i still get spam from an address in this blacklisted subnet.

but i received the mail from 160.20.12.165

Have i made something wrong with the subnet entry in the blacklist?

Thanks!

Zyxel_Emily

Hi @neoforma,

We need to check the symptom on your ATP remotely to find out the root cause.

I will contact you in private for more information.

Zyxel_Emily

Hi @neoforma,

The firmware is sent to you in private message.