Reputation filter not working?

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 788  Zyxel Employee
    Answer ✓

    Hi @SecuRing ,

    If the types of reputation include "Botnets", the reputation filter will block outgoing/incoming traffic.

    If the types of reputation don't include "Botnets", it only blocks incoming traffic.

    For example:

    1) FORWARD is correct because no "Botnets"

    May 1 00:51:11 xxxxxxxxxxxx May 1 00:51:12 2023 xxxxxx src="192.168.10.37:53272" dst="37.48.65.155:123" msg="Malicious connection:Phishing,Anonymous Proxies" note="ACCESS FORWARD" user="unknown" devID="xxxxxxxxxx" cat="IP Reputation"

    2) BLOCK is correct because there is "Botnets"

    May 1 08:25:06 xxxxxxxx May 1 08:25:06 2023 xxxxxx src="192.168.10.21:25121" dst="81.169.145.94:443" msg="Malicious connection:Exploits,BotNets,Phishing" note="ACCESS BLOCK" user="unknown" devID="xxxxxxxxxxxx" cat="IP Reputation"

    Thank you

  • SecuRing
    SecuRing Posts: 9

    OK, thanks.

    It would be a good idea to add this information to the documentation.

    Just a suggestion for future improvement: add an option that blocks outgoing traffic anyway and/or enhance external block list to add a category (e. g. Botnets).

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 788  Zyxel Employee

    Thanks for your suggestion. We will evaluate that.

    Thank you

  • SDWinkelman
    SDWinkelman Posts: 6  Freshman Member
    edited May 2023

    Still looking for a solution - for me, it's almost as if the service was disabled as of 4/22. Same for the other related "Reputation" features (URL/DNS).

    I have confirmed that inbound traffic from addresses in the block lists is being passed through and with nothing showing in the logs. I was previously able to see items in the (IP Reputation) log showing the traffic being blocked… but now nothing!

  • SecuRing
    SecuRing Posts: 9

    Maybe this is a monitoring issue. Device monitoring shows block counts 0/2/0 for reputation filter (IP/DNS/URL; scanned: 39180/19531/9753). However, if I look into the logs forwarded to Splunk I see block counts 0/2/4821!

    Examples:

    May 3 07:25:49 xxxxxxxxxxxx May 3 07:25:49 2023 xxxxxxxxxxxx src="192.168.10.8:50034" dst="192.168.10.1:53" msg="covidid.com:Malicious Sites" note="DNS REDIRECT" user="unknown" devID="xxxxxxxxxxxx" cat="DNS Filter"

    May 3 20:00:02 xxxxxxxxxxxx May 3 20:00:02 2023 xxxxxxxxxxxx src="192.168.10.21:52662" dst="142.250.185.198:443" msg="fls.doubleclick.net:Block List, Rule_name=BLOCK_AD_STATISTICS, SSI=N" note="ACCESS BLOCK" user="unknown" devID="xxxxxxxxxxxx" cat="URL Threat Filter"

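As an added example (not code from this thread or from Zyxel), the script below applies the rule from Zyxel_Kevin's first reply to IP Reputation log lines and tallies enforcement actions per filter category, the same comparison SecuRing made between the device counters and the logs in Splunk. It parses the key="value" format quoted above, derives direction from private vs. public addresses (an assumption; the thread does not say how the device decides this), treats DNS REDIRECT as an enforcement (also an assumption), and flags entries whose logged action differs from what the rule predicts. The sample lines are constructed, with placeholder hostnames and devIDs.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the log format quoted in this thread (hosts and
# devIDs are placeholders); the last line is a deliberate anomaly for the check.
SAMPLE_LOGS = [
    'May 1 00:51:11 fw May 1 00:51:12 2023 fw src="192.168.10.37:53272" dst="37.48.65.155:123" msg="Malicious connection:Phishing,Anonymous Proxies" note="ACCESS FORWARD" user="unknown" devID="DEVID" cat="IP Reputation"',
    'May 1 08:25:06 fw May 1 08:25:06 2023 fw src="192.168.10.21:25121" dst="81.169.145.94:443" msg="Malicious connection:Exploits,BotNets,Phishing" note="ACCESS BLOCK" user="unknown" devID="DEVID" cat="IP Reputation"',
    'May 3 07:25:49 fw May 3 07:25:49 2023 fw src="192.168.10.8:50034" dst="192.168.10.1:53" msg="covidid.com:Malicious Sites" note="DNS REDIRECT" user="unknown" devID="DEVID" cat="DNS Filter"',
    'May 3 20:00:02 fw May 3 20:00:02 2023 fw src="192.168.10.21:52662" dst="142.250.185.198:443" msg="fls.doubleclick.net:Block List, Rule_name=BLOCK_AD_STATISTICS, SSI=N" note="ACCESS BLOCK" user="unknown" devID="DEVID" cat="URL Threat Filter"',
    'May 3 21:10:00 fw May 3 21:10:00 2023 fw src="192.168.10.5:40000" dst="81.169.145.94:8080" msg="Malicious connection:BotNets" note="ACCESS FORWARD" user="unknown" devID="DEVID" cat="IP Reputation"',
]
KV_RE = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs; values never contain quotes

def categories(msg):
    """'Malicious connection:Phishing,Anonymous Proxies' -> ['Phishing', 'Anonymous Proxies']"""
    return [c.strip() for c in msg.partition(":")[2].split(",") if c.strip()]

def parse_line(line):
    fields = dict(KV_RE.findall(line))
    fields["categories"] = categories(fields.get("msg", ""))
    return fields

def is_outbound(fields):
    """Assumed direction rule: private source to public destination (IPv4 'addr:port')."""
    src = ipaddress.ip_address(fields["src"].rsplit(":", 1)[0])
    dst = ipaddress.ip_address(fields["dst"].rsplit(":", 1)[0])
    return src.is_private and not dst.is_private

def expected_action(fields):
    """Rule stated in the thread: Botnets -> block both directions,
    any other reputation type -> block inbound only."""
    if any(c.lower() == "botnets" for c in fields["categories"]):
        return "BLOCK"
    return "FORWARD" if is_outbound(fields) else "BLOCK"

def audit(lines):
    """Return (enforcement count per cat, IP Reputation entries whose logged
    action differs from the expected one); DNS REDIRECT counts as enforcement."""
    enforced, mismatches = Counter(), []
    for line in lines:
        f = parse_line(line)
        action = f.get("note", "NONE").split()[-1]  # "ACCESS FORWARD" -> "FORWARD"
        if action in ("BLOCK", "REDIRECT"):
            enforced[f.get("cat", "?")] += 1
        if f.get("cat") == "IP Reputation" and action != expected_action(f):
            mismatches.append((f["src"], f["dst"], action, expected_action(f)))
    return enforced, mismatches
```

Running `audit(SAMPLE_LOGS)` gives one enforcement per category and reports the constructed BotNets entry that was forwarded instead of blocked; pointing it at an export of the forwarded syslog lines reproduces the per-category counts to compare against the device monitor.
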
  • SDWinkelman
    SDWinkelman Posts: 6  Freshman Member

    I don't think so - I see absolutely nothing logged (IP Reputation) for traffic from "blocked" addresses (or any external address for that matter), and I can still access resources from them as well, which suggests to me that it is not working.

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 788  Zyxel Employee

    Hi @SecuRing ,

    I am sorry that I have to correct my statement:

    Forward logs should not appear.

    1) FORWARD is correct because no "Botnets"

    May 1 00:51:11 xxxxxxxxxxxx May 1 00:51:12 2023 xxxxxx src="192.168.10.37:53272" dst="37.48.65.155:123" msg="Malicious connection:Phishing,Anonymous Proxies" note="ACCESS FORWARD" user="unknown" devID="xxxxxxxxxx" cat="IP Reputation"

    But the issue cannot be reproduced on my side. Forward logs don't exist when I accessed 37.48.65.155. Could you send the diag-info by private message?

    Hi @SDWinkelman ,

    Could you share your diag-info by private message?

    Thank you

  • SecuRing
    SecuRing Posts: 9

    diag-info sent.
