Reputation Filter blocks GMail?

itxnc
itxnc Posts: 98  Ally Member
First Comment Friend Collector Sixth Anniversary
edited April 2021 in Security

We're starting to roll out ATP's to larger SMBs with 400+ Mbps Internet. Have really enjoyed setting them up and watching how they perform.

That said - the IP Reputation Phishing filter is pretty rough. We turned it on and saw tons of logs (Blocked Phishing) from desktops. Turns out the blocked IPs were Google IPs related to GMail and clients couldn't login properly (or render the full GMail interface). Yes - the IPs in question were listed on Maltiverse for Phishing, but seems like GMail's IP blocks would be pretty much whitelisted. So we turned off the Phishing & Anonymous Proxies check for now and we'll see how things progress.

Like SSL Inspection - we'll build up an exclusion list and see if we can tune them to allow these useful features to be enabled fully...

Comments

  • itxnc
    itxnc Posts: 98  Ally Member
    First Comment Friend Collector Sixth Anniversary

    That said - if you aren't using Maltiverse to check IPs - really quick way to get access about IP addresses and some known threats. You can even cut/paste entire log file snippets into their threat analyzer and get quick run downs of the IPs in question:

    This was one of the IPs getting blocked repeatedly by the reputation filter - that belongs to Google/GMail.

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,396  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    Hi @itxnc,

    The malicious IP 172.217.13.238 is submitted to cloud service white list for analysis.

    It may take 3~5 days to check this IP.

    After the reported malicious IP is verified, the IP 172.217.13.238 will be removed in the next signature release of IP reputation.

    See how you've made an impact in Zyxel Community this year!
    https://bit.ly/Your2024Moments_Community

  • travisb
    travisb Posts: 10  Freshman Member
    First Comment Second Anniversary

    We are seeing the same thing with photos.google.com, news.google.com all blocked by IP Reputation. How do we submit the ips fro review?

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,396  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    Hi @travisb,

    We are working on reviewing the IP addresses of Google services and we will add them to white list in the upcoming signature release.

    See how you've made an impact in Zyxel Community this year!
    https://bit.ly/Your2024Moments_Community

  • BSharp
    BSharp Posts: 6  Freshman Member
    First Comment Friend Collector

    We also had this issue today, reputation filter blocking pretty much all Google services.. docs, calendar, drive etc... of course all different IP addresses.

    Any update on when we might get the new signature release?

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,396  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    Hi @itxnc,

    The IP 172.217.13.238 is added to white list and doesn't belong to phishing category.

    Update IP Reputation signature to the latest version and remove this IP from the white list.


    @travisb , @BSharp,

    For all other Google services, the new signature release which enhances this part will be available by Dec. 30th. 

    See how you've made an impact in Zyxel Community this year!
    https://bit.ly/Your2024Moments_Community

  • travisb
    travisb Posts: 10  Freshman Member
    First Comment Second Anniversary

    IP Reputation Filter still blocking all google services (news,photos,drive,etc) using the following signatures. Tech support recommends unchecking phishing protection until issue is resolved.

    IP Reputation

    1.0.0.20200205.0

    2020-02-04 10:34:18 (UTC-08:00)

    2020-02-05 03:48:01

  • Zyxel_Vic
    Zyxel_Vic Posts: 282  Zyxel Employee
    25 Answers First Comment Friend Collector Seventh Anniversary

    Hi @travisb

    Would you share the IP address list that was blocked to us? We will compare with the cloud database and evaluate if we're going to add them into our signature database


    Thank you.

  • travisb
    travisb Posts: 10  Freshman Member
    First Comment Second Anniversary

    172.217.14.238

    172.217.3.206

Security Highlight