ATP500 log (IKE and failed login)

xkp68
xkp68 Posts: 26  Freshman Member
First Comment Second Anniversary
Hi,
recently i was checking the log of my ATP500 and i have seen a sequence of rows concerning some events of the IKE user. As i do not have any user named IKE, i would like to know what these logs are.
(see image below)
At the same time i have seen a sequence of failed login attempt, all from the same ip address.
Of course it is a malicious attack, but i wonder why the event repeat so often (more the one time per second) and so many times, i thought the zyxel would "black list" the ip and ignore this IP after a few attempts. Why this is not happening? Thanks in advance.
Filippo


All Replies

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,230  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary

    The IKE means category name of logs, not a user name. 
    Additionally, “NO_PROPOSAL_CHOSEN” log message means VPN phase 1 or phase 2 is mismatched lead to the VPN connection can’t be established, need to check the VPN encryption and authentication algorithms if are the same on both sites.

    In your case, Zyxel device won’t block a specific IP address actively.

    Unless the UTM feature detects it’s an attack and will block this session.

    You can set a security policy to block this IP address, please refer to the below:

    Create an IP address object.



    Set a security policy to block sessions from this IP address.



    Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP! https://bit.ly/2024_Survey_Community

  • xkp68
    xkp68 Posts: 26  Freshman Member
    First Comment Second Anniversary
    thanks for the reply.
    1)My main concern was about the fact i have no users outside my country and i see this "info" logs from USA (i m not in the USA). As the logs are in the info category it is not clear to me if there is an intrusion or not. Moreover my only VPN was a SSL VPN and till now i have never seen any IKE log message. 

    Of course the IPs of the the malicius attack is the same for a few minutes, then it changes so i cannot add a policy every time. by hand.
    Does my ATP500 have the UTM Feature?
    It is normal to have all those malicius attack on the firewall? Consider that ftp, ssh is blocked toward the zyxel device, as well as it is possible to manage the only from inside my LAN and i have MFA enabled for its administration. any other thing i can do to prevent these attacks?
    Thanks.


  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,230  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary

    Hi @xkp68

    (1).

    It seems that there is USA IP try to establish IPsec VPN tunnel to your ATP500, but it failed due to “No_Proposal_Chosen”. If you have concern about this, you can block this IP.

    (2).

    ATP500 has UTM features and you can enable them.

    To avoid intrusion attacks, you can enable ADP and IDP features on you ATP500.


    You could refer to this introduction:

    https://www.zyxel.com/us/en/products_services/ATP-Firewall-ZyWALL-ATP500/

    https://www.zyxel.com/us/en/products_services/ATP-Firewall-ZyWALL-ATP500/license-and-spec

     



    Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP! https://bit.ly/2024_Survey_Community

Security Highlight