
how to whitelist an IP address in XG firewall

Hello

I have an XG firewall which detects an IP address as an attack; all incoming packets from that specific IP address are dropped by the firewall. I started working with the XG firewall only a few days ago and need help with how to whitelist this IP.

What I have done so far is investigate the log files and filter based on that IP address. It shows me "drop by rule 0" on the firewall, but there is no rule 0 on the firewall.


I created a rule on the firewall and permitted that IP address to the LAN zone, but since all rule numbers are already occupied it seems not to take effect. Could you please help me with how to whitelist this IP?
  • Hi,

    which version of XG are you running?

    Rule 0 is the default drop rule. In v17 the rule is hidden; in v18 the rule is exposed but you cannot alter it.

    The function of rule 0 is to drop invalid traffic, e.g. connections that have timed out, which is what some of those in your post are showing and can be safely ignored. The other function of rule 0 is to log traffic that does not match a firewall rule.

    You will need a firewall rule that allows that IP address to enter your network. I do not understand why you are allowing an external IP address into your network; please provide more details?

    When you create a firewall rule it is assigned a rule number, and the rules are searched from top to bottom, not by rule number.

    Ian

  • Thanks for your reply. The model and version of the firewall is XG135 (SFOS 17.5.9 MR-9), and the mentioned IP address is trusted and needs to be permitted.

    I have already created a firewall rule on top of all rules that permits that IP from WAN to LAN, leaving the other menus at their defaults. Do I need to change anything else to make it work?

  • Hi,

    what have you done for the NAT part of that firewall rule?

    Ian

  • I didn't change anything in the other parts, but it seems they need to be changed (I guess). In the first snapshot I posted, the internal IP address of my server, 192.168.254.252, is NATed on the way out and the source IP is replaced by 184.x.x.x.

    Do I need to create a DNAT firewall rule, since I need this rule to permit incoming packets?

  • Hi,

    if you are providing access to a server you should be using a WAF rule, or maybe a VPN terminating on the XG, not a firewall rule, to improve the security and reliability of the connection.

    There will not be any outgoing rule required for this user, because they will be initiating the connection and the firewall will allow traffic both ways associated with the connection.

    Ian

  • One thing that is interesting in this is that my firewall considers my internal server to be an attacker.

    Why should that happen? As I checked, rule 5, which matches the outgoing traffic according to the snapshot in my first post, is matched.

    That server with IP address 192.168.254.252 is an Active Directory server. I think it is a false positive, and the only thing applied to firewall rule 5 is an IPS policy.

    Is there any way to find out which criteria it matched on, and at least make a whitelist in IPS for outgoing packets?

    For rule 5 in the firewall, everything is permitted and an IPS rule is applied.

  • FormerMember (in reply to behrad)

    Hi,

    You can use Log Viewer Detailed View to search for the 45.2.x.x IP address or the internal server IP address 192.168.254.252 and look for IPS blocking. It should give you more info for those attacks/blocking.
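As an added example (not from the thread, the poster's firewall, or Sophos), a small Python triage script that applies Ian's explanation of rule 0 to log lines in the key=value style that SFOS writes, splitting "rule 0 invalid traffic" noise from "rule 0 no rule matched" and from IPS drops. The field names (log_type, log_component, fw_rule_id, status, src_ip, dst_ip) are assumed from that format, and the sample lines are constructed, abbreviated and use placeholder addresses.

```python
import re
from collections import defaultdict

# Constructed sample lines in the SFOS key=value log style (abbreviated; field names are an
# assumption modelled on SFOS 17 firewall/IPS logs, addresses are placeholders, not real logs).
SAMPLE_LOGS = """\
log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" fw_rule_id=0 src_ip=45.2.0.10 dst_ip=184.0.0.5 protocol="TCP" src_port=51234 dst_port=443 message=""
log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" fw_rule_id=5 src_ip=192.168.254.252 dst_ip=45.2.0.10 protocol="TCP" src_port=50123 dst_port=389 message=""
log_type="IDP" log_component="Signatures" log_subtype="Drop" status="Deny" fw_rule_id=5 ips_policy_id=3 src_ip=192.168.254.252 dst_ip=45.2.0.10 protocol="TCP" src_port=50124 dst_port=389 message="EXAMPLE signature name"
log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" fw_rule_id=0 src_ip=45.2.0.10 dst_ip=184.0.0.5 protocol="TCP" src_port=51235 dst_port=3389 message=""
"""

# key=value pairs; values are either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_line(line):
    """Split one key=value log line into a dict, stripping the quotes from quoted values."""
    fields = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        fields[key] = val
    return fields


def classify(rec):
    """Label a record using the rule-0 semantics described in the thread."""
    if rec.get("log_type") == "IDP":
        return "ips_block"           # dropped by the IPS policy attached to the rule, not by a firewall rule
    if rec.get("status") != "Deny":
        return "allowed"
    if rec.get("fw_rule_id") == "0" and rec.get("log_component") == "Invalid Traffic":
        return "rule0_invalid"       # timed-out / invalid connection state; normally safe to ignore
    if rec.get("fw_rule_id") == "0":
        return "rule0_no_match"      # no firewall rule matched: an allow rule is missing or ordered too low
    return "rule_deny"               # an explicit firewall rule denied it


def triage(text, ip):
    """Count outcomes for every line where ip is the source or the destination."""
    counts = defaultdict(int)
    for line in text.splitlines():
        rec = parse_line(line)
        if ip in (rec.get("src_ip"), rec.get("dst_ip")):
            counts[classify(rec)] += 1
    return dict(counts)


if __name__ == "__main__":
    print(triage(SAMPLE_LOGS, "45.2.0.10"))
    print(triage(SAMPLE_LOGS, "192.168.254.252"))
```

A count under ips_block for the internal server points at the IPS policy on rule 5 rather than at a firewall rule, which is where the Log Viewer search Ian and FormerMember suggest would confirm the signature involved.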
