vpn50 sessions limit- suspicious connections

ktv Posts: 5
edited April 2021 in Security
Hi,
I don't know Zyxel routers very well, so please help me - is it normal behaviour that after configuring reporting on a Zyxel VPN50 device (latest fw 4.62) I'm getting a lot of messages like the ones below?
I know that I can change or disable that session limit (per device or per IP), but I'm worried that I cannot trace the source of those IPs (e.g. 185.151.30.162) in Session Monitor.
Is there a way to get a more detailed log or real-time info about those connections?
And what is the best way to make a blacklist and put suspicious IP addresses in it to block any connections from them?

No.  Date/Time            Source          Destination  Priority  Category        Note          Message
1    2021-02-03 14:19:23  -               -            notice    system          -             Sending event/alert log to mail server has succeeded.
2    2021-02-03 14:19:23  188.44.124.6    my_WAN_IP    warn      sessions-limit  ACCESS BLOCK  Maximum sessions per host (1000) was exceeded. [count=255]
3    2021-02-03 14:19:23  185.151.30.162  my_WAN_IP    warn      sessions-limit  ACCESS BLOCK  Maximum sessions per host (1000) was exceeded. [count=255]

All Replies

  • lalaland Posts: 90  Ally Member
    Maybe you can try this CLI command to track the device connection status. =)
    Router> debug system show conntrack | match "185.151.30.162"

  • Zyxel_Jeff Posts: 1,066  Zyxel Employee

    (1). You can issue this command to trace the real-time connections of IP "185.151.30.162":
    Router> debug system show conntrack | match "185.151.30.162"

    (2). If you would like to reject any traffic from a Block IP group, you can add a Block IP group and a security policy.

    First, add block IP address objects and put them into a group.


    Second, add a security policy.
    BTW, you may set a log alert so that if those blocked IPs connect to your VPN50, an alert log will be generated.
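As an added example (not code from this thread or from Zyxel), the Python below parses exported log rows in the flat form quoted in the question, aggregates the sessions-limit ACCESS BLOCK events per source IP, and lists the external sources that trip the limit repeatedly, which is the set you would turn into address objects for the Block IP group. The row layout the regex expects and sample rows 4-6 are constructed assumptions for this example.

```python
import ipaddress
import re
from datetime import datetime

# One exported VPN50 log row in the flat form quoted in the thread (No. Date Time Source
# Destination Priority Category Note Message); this layout is an assumption for the example.
ROW_RE = re.compile(
    r"^\d+\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<src>\S+)\s+\S+\s+"
    r"warn\s+sessions-limit\s+ACCESS BLOCK\s+Maximum sessions per host \((?P<limit>\d+)\)"
    r" was exceeded\. \[count=(?P<count>\d+)\]$"
)

# Constructed sample log: rows 1-3 are the thread's, rows 4-6 are made up for the example.
SAMPLE_LOG = """\
1 2021-02-03 14:19:23 notice system Sending event/alert log to mail server has succeeded.
2 2021-02-03 14:19:23 188.44.124.6 my_WAN_IP warn sessions-limit ACCESS BLOCK Maximum sessions per host (1000) was exceeded. [count=255]
3 2021-02-03 14:19:23 185.151.30.162 my_WAN_IP warn sessions-limit ACCESS BLOCK Maximum sessions per host (1000) was exceeded. [count=255]
4 2021-02-03 14:24:23 185.151.30.162 my_WAN_IP warn sessions-limit ACCESS BLOCK Maximum sessions per host (1000) was exceeded. [count=255]
5 2021-02-03 14:29:23 185.151.30.162 my_WAN_IP warn sessions-limit ACCESS BLOCK Maximum sessions per host (1000) was exceeded. [count=40]
6 2021-02-03 14:30:01 10.0.0.5 my_WAN_IP warn sessions-limit ACCESS BLOCK Maximum sessions per host (1000) was exceeded. [count=3]
"""

def parse_session_limit_events(text):
    """Keep only sessions-limit ACCESS BLOCK rows; other rows (e.g. the mail notice) are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           "src": m["src"], "count": int(m["count"])})
    return events

def summarize_by_source(events):
    """Per source IP: number of block log lines, sum of the [count=N] fields, first/last seen."""
    summary = {}
    for e in events:
        s = summary.setdefault(e["src"], {"lines": 0, "blocked": 0, "first": e["ts"], "last": e["ts"]})
        s["lines"] += 1
        s["blocked"] += e["count"]
        s["first"], s["last"] = min(s["first"], e["ts"]), max(s["last"], e["ts"])
    return summary

def block_candidates(summary, min_lines=2):
    """External sources that hit the limit at least min_lines times, most-blocked first. RFC 1918
    sources are excluded: an internal host tripping the limit is a misconfiguration to fix, not an IP to block."""
    return sorted(
        (ip for ip, s in summary.items()
         if s["lines"] >= min_lines and not ipaddress.ip_address(ip).is_private),
        key=lambda ip: -summary[ip]["blocked"])
```

On the sample log, block_candidates with the default threshold returns only 185.151.30.162 (three block lines, 550 blocked sessions); with min_lines=1 it also lists 188.44.124.6, while the private 10.0.0.5 is never proposed.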

