Order of processing Question (USG flex 500)

Emerald
Hi,
From a course way back with the ZyWALL 50, I'm thinking that the firewall happens first, then the NAT.
I.e. if you're port translating 444 to 443, you firewall 444 because the firewall processes first, then NAT.

Is this true, and where does IDP come in?

Reason I ask:
I have a geo block on all Russian IP addresses, but when I look in the IPS logs I see
"SSI:N [type:Sig(130014)] Remote Desktop Protocol brute force attempt"
from a Russian IP address.
I was not expecting to see this, as I have a geo block on Russia quite high up.
So does IPS happen before my geographic deny rule?

All Replies

  • mMontana
    Take a look at Maintenance -> Packet Flow Explore.
    Maybe the pictures in routing status and SNAT status could be what you're looking for.
  • Emerald
    Hi, thank you, yes I see this, but it does not mention IPS in the chain?
  • Zyxel_Cooldia
     Zyxel Employee
    Hi @Emerald,
    Please help to check whether the IP is exactly from Russia in the GeoIP database.
    You can look it up at "Object > Address/Geo IP > GeoIP".
