IPSec NATT (udp4500) ADP false udp filtered distributed portscan Action

jurusam
jurusam Posts: 6
First Comment
edited March 2023 in Security

ATP500 fw v5.35

I have logs of ADP:

from WAN to Any, [type:Scan-Detection(49)] udp filtered distributed portscan Action:Drop Packet
Source: {vpn.client.IP}:4500
Destination: {wan.IP}:4500

That logs are with every VPN access connection (L2TP over IPSec with PSK - Windows native client)

I have already changed sensitivity of ADP scan detection to "low" ((portscan) UDP Portscan)
I have added allow list rule for IPSec NATT udp port (udp4500)

How to get exclude rule of ADP to natt udp port - I don't want to disable the "(portscan) UDP Portscan" rule. Or, why zyxel-atp identify vpn-connection as "distributed portscan"??

All Replies

  • jurusam
    jurusam Posts: 6
    First Comment

    I wrote this in the wrong category - it should be in the Security category - someone could change it

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,396  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    Hi @jurusam,
    You can configure allow list rules to let certain IP addresses or services to bypass ADP flood detection.

    See how you've made an impact in Zyxel Community this year!
    https://bit.ly/Your2024Moments_Community

  • jurusam
    jurusam Posts: 6
    First Comment

    I already wrote about it - I have enabled that feature - - it doesn' work

    …todays logs:

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited March 2023

    Test with any service
    does the problem happen when client does a speed test?

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,396  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    Hi @jurusam,
    In the log, the traffic hits UDP portscan. Try to inactivate "(portscan) UDP Portscan" in ADP profile > Scan Detection and monitor if VPN connection is working. Then give me the remote access information of this ATP500 in private message. We will check if it is false positive.

    See how you've made an impact in Zyxel Community this year!
    https://bit.ly/Your2024Moments_Community

  • jurusam
    jurusam Posts: 6
    First Comment

    VPN connection is stable (I think) - users didn't say that have problem.

    Today I have 4 vpn clients connected (Windows, Mac and Android) - working with RDP or http browsing of local web. With each of this connection there is log warning of "udp port scan" with action "access block".

    I tried with authentication of local ATP accounts or Win AD accounts - same thing

  • jurusam
    jurusam Posts: 6
    First Comment

    If this "access block" would cause problems with the connection - I would disable the rule. But now there is only warning in ATP device. I prefer to enable this rule to protect against other true port scans

  • vsdanie
    vsdanie Posts: 1
    First Comment First Anniversary

    The same thing happens to me with my flex500, I have to disable ADP for the ipsec vpn clients to work.
    In my case there are 4 clients that connect from the same office with their laptops using the zyxel IPSec VPN client.
    I have done the option described by jurusam and it does not solve.

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 888  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 500 Comments

    Hi @vsdanie ,

    Greeting Forum, We will have Allow List for ADP Port scan to avoid preventing known IPSec UDP packets.

    The feature is upcoming next FCS firmware April.

    Thank you

Security Highlight