Firewall logs - Default Rule
Using a USG 1000
Created firewall rule to block a range of addresses in the Netherlands
188.8.131.52 - 184.108.40.206
The rule is configured to deny with a log alert (red text), any connection attempt from these addresses.
The rule is the first in the my firewall (Priority 1)
However the log is showing the connection attempts from this address range is being blocked by the MATCH Default Rule DROP.
This is not what I expect.
The Priority 1 firewall rule should be displayed in the log as the "priority rule 1",
rule which blocks the connection attempt.
The connection attempt should not be allowed to pass through my firewall rules table, all the way to the Defaul Rule DROP, since it is the first rule.
I have defined about 20 groups of address ranges in my hacker-reject list.
Is there a bug in the firewall in this regard?
Is there a limit to the number of addresses which can be blocked using ip ranges?
We have 12 of these USG 1000 devices. Hoping I have presented my question
So is this from WAN to zywall or from LAN to WAN?
I'm guessing from WAN is the range set for source IP with destination any?
can you post the rule
PeterUK,Thanks for taking a look.
I was thinking this was a new model but turns out to be no longer updated does it have the newest firmware on it?
They have the newest firmware.We'll try some re-configuring, maybe break the deny rules into smaller sets of ip addresses.Standard duty for a firewall of this class. A bit surprised.Really appreciate the dialog.Bret0
Taking for granted that your "hackers-block" source IPs are located in the internet, means coming from WAN zone only. Did you tried to change the source zone from "any" to "WAN"? Maybe this makes a difference for USG?But normally your setting should work.0
Hello mm_bret,As your firewall rule, from any to any. The destination "any" does not includes Zywall itself.It means the hacker wants to access Zywall itself instead of the local network behind Zywall, so it won't match your firewall rule. You may add a rule that deny from any to Zywall.Thank you.
I have a similar issue with a new USGFLEX 200. Only recently, did I notice that all Security Policy Rules IGNORE 'Object Groups' if they are set as the Source IP within the Rule. Which is what mm_bret described above, "I have defined about 20 groups of address ranges in my hacker-reject list." and his spam traffic is ignoring the Group. This is a bug.ZYXEL FIRMWARE BUG: By putting multiple Address Objects or Ranges into a Group, and setting the Source IP = the Group within the Rule, the traffic can bypass it as if it was the Rule was set to ANY Source IP. Regardless if you set your Rule as ANY to ANY or WAN to LAN. It ignores the Source IP Group as its rule filter. You can verify this by making the Source IP only one IP address, not a group. Then check your logs for that Priority. No traffic will pass through, but if you set the Source back to the Group, the traffic incorrectly passes through.THERE SEEMS TO BE A BUG INTRODUCED WITH A RECENT FIRMWARE UPDATE. ZYXEL NEEDS TO INVESTIGATE THIS IMMEDIATELY.Opposite of mm_bret, I do a similar Rule but with Approved IP Addresses I want to pass through. So any WAN IP Address that is not in my group called 'All Approved WANs' will be blocked. See my pictures, the traffic ignores the Group called 'All Approved WANs' which is unexpected behavior.Zyxel needs to investigate this and release a firmware update.0
We have App Patrol disabled.I've played with this further:1. Limiting the firewall rule to WAN as the source2. Replacing the group of hacker ranges to a single range of ip addresses.It doesn't work.Also doesn't seem like we should be doing the experimenting.Regardless of age, this device should identify these address ranges and allow/deny/rejectas the rule dictates.What does the Zyxel (current or older) generation Zyxel equipment say about this?I'm going to check this functionality on some of our Cisco stuff. HmmmBret0
In response to Zyxel_JamesWe have a rule which disables https to the Zyxel from WAN.0
- 8.5K All Categories
- 1.6K Nebula
- 72 Nebula Ideas
- 57 Nebula Status and Incidents
- 4.5K Security
- 227 Security Ideas
- 983 Switch
- 46 Switch Ideas
- 881 WirelessLAN
- 24 WLAN Ideas
- 5.1K Consumer Product
- 158 Service & License
- 280 News and Release
- 99 Success Stories
- 61 Security Advisories
- 13 Education Center
- 581 FAQ
- 263 Nebula FAQ
- 160 Security FAQ
- 76 Switch FAQ
- 75 WirelessLAN FAQ
- 7 Consumer Product FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 62 About Community
- 46 Security Highlight