IPSec NATT (udp4500) ADP false udp filtered distributed portscan Action
ATP500 fw v5.35
I have logs of ADP:
from WAN to Any, [type:Scan-Detection(49)] udp filtered distributed portscan Action:Drop Packet
Source: {vpn.client.IP}:4500
Destination: {wan.IP}:4500
That logs are with every VPN access connection (L2TP over IPSec with PSK - Windows native client)
I have already changed sensitivity of ADP scan detection to "low" ((portscan) UDP Portscan)
I have added allow list rule for IPSec NATT udp port (udp4500)
How to get exclude rule of ADP to natt udp port - I don't want to disable the "(portscan) UDP Portscan" rule. Or, why zyxel-atp identify vpn-connection as "distributed portscan"??
All Replies
-
I wrote this in the wrong category - it should be in the Security category - someone could change it
0 -
Hi @jurusam,
You can configure allow list rules to let certain IP addresses or services to bypass ADP flood detection.See how you've made an impact in Zyxel Community this year!
https://bit.ly/Your2024Moments_Community0 -
I already wrote about it - I have enabled that feature - - it doesn' work
…todays logs:
0 -
Test with any service
does the problem happen when client does a speed test?0 -
Hi @jurusam,
In the log, the traffic hits UDP portscan. Try to inactivate "(portscan) UDP Portscan" in ADP profile > Scan Detection and monitor if VPN connection is working. Then give me the remote access information of this ATP500 in private message. We will check if it is false positive.See how you've made an impact in Zyxel Community this year!
https://bit.ly/Your2024Moments_Community0 -
VPN connection is stable (I think) - users didn't say that have problem.
Today I have 4 vpn clients connected (Windows, Mac and Android) - working with RDP or http browsing of local web. With each of this connection there is log warning of "udp port scan" with action "access block".
I tried with authentication of local ATP accounts or Win AD accounts - same thing
0 -
If this "access block" would cause problems with the connection - I would disable the rule. But now there is only warning in ATP device. I prefer to enable this rule to protect against other true port scans
0 -
The same thing happens to me with my flex500, I have to disable ADP for the ipsec vpn clients to work.
In my case there are 4 clients that connect from the same office with their laptops using the zyxel IPSec VPN client.
I have done the option described by jurusam and it does not solve.0 -
Hi @vsdanie ,
Greeting Forum, We will have Allow List for ADP Port scan to avoid preventing known IPSec UDP packets.
The feature is upcoming next FCS firmware April.
Thank you
0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 148 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight