Reputation filter not working?
OK, thanks.
It would be a good idea to add this information to the documentation.
Just a suggestion for future improvement: add an option that blocks outgoing traffic anyway and/or enhance external block list to add a category (e. g. Botnets).
0 -
Thanks for your suggestion. We will evaluate that.
Thank you
0 -
Still looking for a solution - for me, it's almost as if the service was disabled as of 4/22. Same for the other related "Reputation" features (URL/DNS)
I have confirmed that inbound traffic from addresses in the block lists is being passed through and with nothing showing in the logs. I was previously able to see items in the (IP Reputation) log showing the traffic being blocked… but now nothing!
0 -
Maybe this is a monitoring issue. Device monitoring shows block counts 0/2/0 for the reputation filter (IP/DNS/URL; scanned: 39180/19531/9753). However, if I look into the logs forwarded to Splunk, I see block counts 0/2/4821!
Examples:
May 3 07:25:49 xxxxxxxxxxxx May 3 07:25:49 2023 xxxxxxxxxxxx src="192.168.10.8:50034" dst="192.168.10.1:53" msg="covidid.com:Malicious Sites" note="DNS REDIRECT" user="unknown" devID="xxxxxxxxxxxx" cat="DNS Filter"
May 3 20:00:02 xxxxxxxxxxxx May 3 20:00:02 2023 xxxxxxxxxxxx src="192.168.10.21:52662" dst="142.250.185.198:443" msg="fls.doubleclick.net:Block List, Rule_name=BLOCK_AD_STATISTICS, SSI=N" note="ACCESS BLOCK" user="unknown" devID="xxxxxxxxxxxx" cat="URL Threat Filter"
0 -
I don't think so - I see absolutely nothing logged (IP Reputation) for traffic from "blocked" addresses (or any external address for that matter), and I can still access resources from them as well, which suggests to me that it is not working.
0 -
Hi @SecuRing,
I am sorry that I have to correct my statement:
Forward logs should not appear.
1)
FORWARD is correct because no "Botnets"
May 1 00:51:11 xxxxxxxxxxxx May 1 00:51:12 2023 xxxxxx src="192.168.10.37:53272" dst="37.48.65.155:123" msg="Malicious connection:Phishing,Anonymous Proxies" note="ACCESS FORWARD" user="unknown" devID="xxxxxxxxxx" cat="IP Reputation"
But the issue cannot be reproduced on my side. Forward logs don't exist when I access 37.48.65.155. Could you send the diag-info by private message?
Hi @SDWinkelman,
Could you share your diag-info by private message?
Thank you
0 -
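The Splunk-versus-dashboard discrepancy above, and the IP Reputation line that was logged as ACCESS FORWARD rather than a block, both come down to reading the device's key="value" syslog format and tallying by category and action. The following parser is an added example written for this thread, not Zyxel code or anything from the posters; it feeds on the three log lines quoted in the thread (device IDs already masked there, and the IP Reputation line rejoined onto one line where the post had wrapped it) and reports, per filter category, how many events were blocked or redirected versus forwarded, so the numbers can be compared against what the device's monitoring page claims. The field names (src, dst, msg, note, cat) are taken from the quoted lines; the "first colon splits target from reason" rule is an assumption drawn from those same three samples.

```python
import re
from collections import Counter

# Matches the key="value" pairs in the Zyxel-style syslog lines quoted in the thread.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample: the three lines quoted in the thread, one per line.
SAMPLE_LOGS = """\
May 3 07:25:49 xxxxxxxxxxxx May 3 07:25:49 2023 xxxxxxxxxxxx src="192.168.10.8:50034" dst="192.168.10.1:53" msg="covidid.com:Malicious Sites" note="DNS REDIRECT" user="unknown" devID="xxxxxxxxxxxx" cat="DNS Filter"
May 3 20:00:02 xxxxxxxxxxxx May 3 20:00:02 2023 xxxxxxxxxxxx src="192.168.10.21:52662" dst="142.250.185.198:443" msg="fls.doubleclick.net:Block List, Rule_name=BLOCK_AD_STATISTICS, SSI=N" note="ACCESS BLOCK" user="unknown" devID="xxxxxxxxxxxx" cat="URL Threat Filter"
May 1 00:51:11 xxxxxxxxxxxx May 1 00:51:12 2023 xxxxxx src="192.168.10.37:53272" dst="37.48.65.155:123" msg="Malicious connection:Phishing,Anonymous Proxies" note="ACCESS FORWARD" user="unknown" devID="xxxxxxxxxx" cat="IP Reputation"
"""


def parse_line(line):
    """Return a dict of the line's fields, or None if it is not a filter event."""
    fields = dict(KV_RE.findall(line))
    if "cat" not in fields or "note" not in fields:
        return None
    # Assumption from the samples: msg is "<target>:<reason list>", so split
    # on the first colon only (the reason part may itself contain commas/equals).
    target, _, reason = fields.get("msg", "").partition(":")
    fields["target"] = target
    fields["reason"] = reason
    # For reconciliation, anything the device did not let through (BLOCK,
    # REDIRECT) counts as a block; FORWARD is a hit that was still passed.
    fields["action"] = "forward" if "FORWARD" in fields["note"] else "block"
    return fields


def summarize(text):
    """Count events per (category, action) so they can be checked against the dashboard."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["cat"], rec["action"])] += 1
    return counts


def forwarded_hits(text):
    """Reputation hits the device logged but still forwarded: the events worth chasing."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["action"] == "forward":
            hits.append((rec["cat"], rec["src"], rec["dst"], rec["reason"]))
    return hits


if __name__ == "__main__":
    for (cat, action), n in sorted(summarize(SAMPLE_LOGS).items()):
        print(f"{cat:20s} {action:8s} {n}")
    for hit in forwarded_hits(SAMPLE_LOGS):
        print("forwarded despite reputation hit:", hit)
```

Run against the full Splunk export instead of the embedded sample, the summarize() totals are what should match the device's IP/DNS/URL block counters; any (cat, "forward") rows are the cases in this thread where a flagged destination was reached anyway.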
diag-info sent.
0