SecuRing

Comments

  • diag-info sent.
  • Maybe this is a monitoring issue. Device monitoring shows block counts 0/2/0 for reputation filter (IP/DNS/URL; scanned: 39180/19531/9753). However if I look into the logs forwarded to Splunk I see block counts 0/2/4821! Examples: May 3 07:25:49 xxxxxxxxxxxx May 3 07:25:49 2023 xxxxxxxxxxxx src="192.168.10.8:50034"…
  • OK, thanks. It would be a good idea to add this information to the documentation. Just a suggestion for future improvement: add an option that blocks outgoing traffic anyway and/or enhance the external block list to add a category (e.g. Botnets).
  • Unfortunately I can't do that due to compliance rules. However I can give you the IP reputation config since that is not related to other services. Two questions: Is the reputation filter supposed to block outgoing traffic? If the answer is yes: if I configure it to block traffic, how come the device forwards traffic?
  • Disabling the white list does not change the behavior either.
  • You may be right. I searched through my 6 months history of logs and the first forward I found is on April 27 (only blocks prior to this date). However I upgraded my device from 5.35 to 5.36 on April 24 which is in contradiction with the firmware hypothesis. Maybe an update of the reputation filter DB caused the problem?…
  • These are from the logs of the device. So let's wait and see if Zyxel hopefully sheds some light on that. Dieter
  • Thanks for your answer. I already saw that. But why is the outgoing traffic being logged? Does not make any sense if the traffic will be forwarded unconditionally. I would consider it a good idea to not communicate with suspicious targets at all or to have an option to do that. I became aware of this "problem" since I saw…
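The comparison the poster did by hand in Splunk (counting reputation-filter events per category and noticing that most of them are "forward" rather than "block") is easy to automate over the forwarded syslog. The script below is an added example for this thread; it is not code from the thread, from Zyxel or from Splunk. Only the source `192.168.10.8:50034` comes from the page; the hostnames, destination addresses (RFC 5737 documentation ranges), the category values IP/DNS/URL and the field names `category` and `action` are assumptions made so the example runs offline on constructed lines, and they would need to be mapped to the real field names of the device's log format.

```python
import re
from collections import Counter

# Constructed sample syslog lines in a key="value" style. Only
# src="192.168.10.8:50034" appears in the thread; everything else
# (hostnames, dst addresses, category/action field names) is assumed.
SAMPLE_LOGS = [
    'May  3 07:25:49 fw01 May  3 07:25:49 2023 fw01 src="192.168.10.8:50034" dst="203.0.113.5:443" category="IP" action="forward" msg="Reputation filter"',
    'May  3 07:26:02 fw01 May  3 07:26:02 2023 fw01 src="192.168.10.8:50041" dst="203.0.113.5:443" category="IP" action="forward" msg="Reputation filter"',
    'May  3 07:27:10 fw01 May  3 07:27:10 2023 fw01 src="198.51.100.77:4433" dst="192.168.10.20:443" category="IP" action="block" msg="Reputation filter"',
    'May  3 07:28:31 fw01 May  3 07:28:31 2023 fw01 src="192.168.10.12:53120" dst="192.168.10.1:53" category="DNS" action="block" msg="Reputation filter"',
    'May  3 07:28:32 fw01 May  3 07:28:32 2023 fw01 src="192.168.10.12:53121" dst="192.168.10.1:53" category="DNS" action="block" msg="Reputation filter"',
    'May  3 07:30:00 fw01 May  3 07:30:00 2023 fw01 src="192.168.10.8:50100" dst="203.0.113.9:80" category="URL" action="forward" msg="Reputation filter"',
    'May  3 07:30:05 fw01 May  3 07:30:05 2023 fw01 src="192.168.10.8:50101" dst="203.0.113.9:80" category="URL" action="forward" msg="Reputation filter"',
    'May  3 07:30:09 fw01 May  3 07:30:09 2023 fw01 src="192.168.10.8:50102" dst="203.0.113.10:80" category="URL" action="forward" msg="Reputation filter"',
    # A non-reputation event (no category field); it must be ignored.
    'May  3 07:31:00 fw01 May  3 07:31:00 2023 fw01 src="192.168.10.8:50200" dst="192.0.2.1:443" msg="Firewall rule match"',
]

CATEGORIES = ("IP", "DNS", "URL")  # order used by the device dashboard (assumed)
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Extract key="value" pairs; the syslog prefix is left untouched."""
    return dict(KV_RE.findall(line))


def reputation_events(lines):
    """Yield parsed events that carry a category and an action field."""
    for line in lines:
        fields = parse_line(line)
        if "category" in fields and "action" in fields:
            yield fields


def tally(lines):
    """Count events per (category, action) pair."""
    return Counter((e["category"], e["action"]) for e in reputation_events(lines))


def summary(lines):
    """Dashboard-style view: blocked and forwarded counts per category."""
    counts = tally(lines)
    return {
        cat: {"block": counts[(cat, "block")], "forward": counts[(cat, "forward")]}
        for cat in CATEGORIES
    }


def forwarded_destinations(lines):
    """Destination hosts that matched the reputation filter but were forwarded
    anyway: the set to follow up on (ticket, manual block rule, external list)."""
    hosts = set()
    for e in reputation_events(lines):
        if e["action"] == "forward" and "dst" in e:
            hosts.add(e["dst"].rsplit(":", 1)[0])
    return hosts


if __name__ == "__main__":
    for cat, c in summary(SAMPLE_LOGS).items():
        print(f"{cat:4} blocked={c['block']:5d} forwarded={c['forward']:5d}")
    print("forwarded to:", sorted(forwarded_destinations(SAMPLE_LOGS)))
```

Run against the real export from Splunk (one event per line), the `summary` output can be set side by side with the block counters on the device's monitoring page; any category where the log shows forwards while the device counts zero blocks is exactly the discrepancy described in the thread, and `forwarded_destinations` lists the hosts that actually received traffic.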