Zyxel Cloud CNM SecuReporter - SecuReporter User's Guide

Default Login Details
User’s Guide
SecuReporter
Login URL https://secureporter.cloudcnm.zyxel.com
User Name myZyxel.com User Name
Version 2.5 Edition 1, 03/2021
Copyright © 2021 Zyxel Communications Corporation
IMPORTANT! READ CAREFULLY BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE.
Screenshots and graphics in this book may differ slightly from what you see due to differences in release versions or your computer operating system. Every effort has been made to ensure that the information in this manual is accurate.
Note: The version number on the cover page refers to the version number you can see on the
bottom of the log in screen of the SecuReporter.
Related Documentation
• User’s Guides
Go to the download library of the Zyxel website to get a supported Zyxel Device User’s Guide to see how to configure the Zyxel Device using the Web Configurator on the Zyxel Device.
Go to the download library of the Zyxel website to get a supported Zyxel Device Command Line Interface (CLI) Reference Guide to see how to configure the Zyxel Device using the CLI on the Zyxel Device.
Go to the download library of the Zyxel website to get a myZyxel.com User’s Guide to see how to register your Zyxel Device and activate a license.
•More Information
Go to support.zyxel.com to find other information on SecuReporter
.
SecuReporter User’s Guide
2

Document Conventions

Warnings and Notes
These are how warnings and notes are shown in this guide.
Warnings tell you about things that could harm you or your device.
Note: Notes tell you other important information (for example, other things you may need to
configure or helpful tips) or recommendations.
Syntax Conventions
• The Cloud CNM SecuReporter may be referred to as the “SecuReporter” in this guide.
• Product labels, screen names, field labels and field choices are all in bold font.
• A right angle bracket (>) within a screen name denotes a mouse click. For example, Analysis > Security Indicator > URL Threat Filter > by Destination IP means you first click Analysis in the navigation panel, then the Security Indicator sub menu, then the URL Threat Filter tab, and finally the by Destination IP tab to get to that screen.
SecuReporter User’s Guide
3

Table of Contents

Table of Contents
Document Conventions ............................................ ................................................ ..........................3
Table of Contents.................................................................................................................................4
Chapter 1
Introduction ..........................................................................................................................................6
1.1 Overview ........................................................................................................................................... 6
1.1.1 Supported Zyxel Devices and Firmware Versions ................................................................ 6
1.1.2 SecuReporter Management Privileges ................................................................................ 7
1.1.3 License Options ....................................................................................................................... 8
1.2 Get Started ........................................................................................................................................ 8
1.3 Title Bar ............................................................................................................................................... 9
1.4 Threat History ................................................................................................................................... 10
1.4.1 Details ..................................................................................................................................... 11
1.5 Dashboard ...................................................................................................................................... 12
Chapter 2
Analysis...............................................................................................................................................15
2.1 Overview ......................................................................................................................................... 15
2.1.1 Tutorial .................................................................................................................................... 15
2.1.2 Sandboxing ............................................................................................................................ 18
2.1.3 Sandboxing Alerts ................................................................................................................. 20
2.2 Analysis Overview ........................................................................................................................... 20
2.3 Security Indicators .......................................................................................................................... 22
2.3.1 ADP ......................................................................................................................................... 22
2.3.2 IP Reputation ......................................................................................................................... 24
2.3.3 IDP ........................................................................................................................................... 25
2.3.4 DNS Filter ................................................................................................................................ 27
2.3.5 URL Threat Filter ...................................................................................................................... 29
2.3.6 Antivirus / Malware ............................................................................................................... 31
2.3.7 Sandboxing ............................................................................................................................ 32
2.3.8 Mail Protection ...................................................................................................................... 34
2.4 Application / Website .................................................................................................................... 36
Chapter 3
Logs.....................................................................................................................................................41
3.1 Overview ......................................................................................................................................... 41
3.2 Log Search ...................................................................................................................................... 41
3.2.1 Log Search Privileges ............................................................................................................ 42
3.2.2 Security Log Categories ....................................................................................................... 43
SecuReporter User’s Guide
4
Table of Contents
3.2.3 Event Log Categories ........................................................................................................... 49
3.2.4 Traffic Log Categories .......................................................................................................... 52
3.3 User ................................................................................................................................................... 54
3.3.1 Details ..................................................................................................................................... 55
Chapter 4
Alerts ...................................................................................................................................................58
4.1 Overview ......................................................................................................................................... 58
4.2 Trend & Details ................................................................................................................................ 58
4.3 Configuration .................................................................................................................................. 60
Chapter 5
Report..................................................................................................................................................65
5.1 Overview ......................................................................................................................................... 65
5.2 Summary Reports ............................................................................................................................ 65
5.3 Report Configuration ..................................................................................................................... 67
Chapter 6
Settings................................................................................................................................................70
6.1 Overview ......................................................................................................................................... 70
6.2 Organization & Device .................................................................................................................. 70
6.2.1 Add a Zyxel Device to an Organization ............................................................................. 71
6.2.2 Claimed Device .................................................................................................................... 74
6.3 User Account .................................................................................................................................. 75
Chapter 7
Troubleshooting..................................................................................................................................78
7.1 Getting More Troubleshooting Help ............................................................................................. 80
Appendix A Customer Support ....................................................................................................... 81
Appendix B Legal Information ......................................................................................................... 87
Index...................................................................................................................................................88
SecuReporter User’s Guide
5
CHAPTER 1

Introduction

1.1 Overview

SecuReporter is a cloud-based analytics tool that is part of the Cloud CNM suite developed by Zyxel. It aggregates logs of supported Zyxel Device across distributed locations, giving network administrators a centralized view of security events and flow data.
SecuReporter can collect data from different types of Zyxel Device models, including the Zyxel Security Gateway/AP/Switch series, with up to 40,000 units supported simultaneously.
Reports are generated using security intelligence techniques and automated data correlation with real­time traffic analytics, as opposed to merely relying on static and predefined rules. Insights relevant to a network’s security environment are available at a glance on an intuitive dashboard.

1.1.1 Supported Zyxel Devices and Firmware Versions

At the time of writing of this User’s Guide, SecuReporter supports the following Zyxel Devices:
Table 1 Supported Zyxel Devices and Firmware Version
SUPPORTED VERSION SUPPORTED MODELS
Version 4.32 and above USG20
USG20W-VPN
USG40
USG40W
USG60
USG60W
USG110
USG210
ZyWALL110
ATP200
ATP500
ATP800
Version 4.33 and above USG310
USG1100
USG1900
USG2200
ZyWALL310
ZyWALL1100
Version 4.35 and above ATP100
SecuReporter’s User’s Guide
6
Chapter 1 Introduction
Table 1 Supported Zyxel Devices and Firmware Version (continued)
SUPPORTED VERSION SUPPORTED MODELS
Version 4.50 and above USG FLEX 100
USG FLEX 200
USG FLEX 500
Version 4.60 and above USG FLEX 100W
USG FLEX 700
Note: If your product is not listed in the table above, please refer to the official
announcement posted in https://www.zyxel.com/products_services/Security-Service­Cloud-CNM-SecuReporter/license-and-spec for the SecuReporter’s availability.
Screens and widgets vary depending on the Zyxel Devices that you use. This table summarizes some of the features that are only available for the ZyWALL VPN series, ZyWALL USG series, ZyWALL and ZyWALL USG FLEX series
at the time of writing.
Table 2 Features Supported on the Zyxel Devices
ZYWALL VPN SERIES USG SERIES ATP SERIES USG FLEX SERIES
Anti Virus / Anti Malware Yes Yes Yes Yes
IDP Yes Yes Yes Yes
ADP Yes Yes Yes Yes
Mail Protection Yes Yes Yes Yes
Web Security Yes Yes Yes Yes
Application Patrol Yes Yes Yes Yes
Sandboxing Statistics No No Yes No
URL Threat Filter No No Yes Yes
IP Reputation No No Yes No
DNS Filter No No Yes No
ATP series

1.1.2 SecuReporter Management Privileges

A Zyxel Device owner can register a Zyxel Device at myZyxel. Only an owner can add Zyxel Devices to an organization. However, an owner can assign other people to manage Zyxel Devices.
SecuReporter’s User’s Guide
7
Chapter 1 Introduction
This table summarizes SecuReporter privileges at each level of the model:
Table 3 SecuReporter Management Privileges
ROLE TYPE SIGN IN AT MYZYXEL? PRIVILEGES
Agent (Owner) Yes • Can add/delete Zyxel Devices to/from an
Admin Yes • Can add/edit organizations
User Yes • Can configure dashboard widgets
organization
• Can add/edit organizations
• Can add/edit admin/user accounts
• Can configure alert notifications
• Can configure dashboard widgets
• Can configure analyses and reports
• Can create request for transfer of analytics and logs
• Can import analytics and logs
• Can create log download request and download archived logs
• Can configure alert notifications
• Can configure dashboard widgets
• Can configure analyses and reports
• Can import analytics and logs
• Can download archived logs
• Can view analyses and report
• Can configure alert notifications
• Can import analytics and logs

1.1.3 License Options

You can use SecuReporter with a free 30-day Trial license or buy a 1-year Standard license (SecuReporter Premium). You will receive a renewal notification before either expires. In addition, for the standard license, you will have an extra 15 day grace period to renew.
Note: SecuReporter will automatically delete logs when the grace period has expired.

1.2 Get Started

Use a browser that supports HTML5, such as Google Chrome, Mozilla Firefox, Safari, or Microsoft Edge. The recommended minimum screen resolution is 1366 by 768 pixels. In order to use SecuReporter you need to allow web browser pop-up windows from your computer.
To set up SecuReporter:
• You must enable SecuReporter on a supported Zyxel Device. Refer to the User’s Guide of the supported Zyxel Device for instructions.
• Register the Zyxel Devices using the same myZyxel account. To open an account at myZyxel, go to https://portal.myzyxel.com and click Sign Up.
• After you register the Zyxel Devices, follow the on-screen instructions to activate the SecuReporter license for the registered Zyxel Devices.
Once you are in the SecuReporter web portal, configure an organization with the Zyxel Devices.
SecuReporter’s User’s Guide
8
Note: See Section 6.1 on page 70 for an overview of how to get started using SecuReporter.
On your next login after configuring an organization, select an Organization first. Your registered devices will be shown in Device.
Figure 1 Select Organization and Device on Startup

1.3 Title Bar

The title bar provides some useful links that always appear over the screens below. If your Zyxel Device is in NCC mode, not all icons will be available in the Title Bar.
In this mode, which is also called cloud mode, you can manage and monitor the Zyxel Device through the Zyxel Nebula cloud-based network management system. This means you can manage devices remotely without the need of connecting to each device directly. It offers many features to better manage and monitor not just the Zyxel Device, but your network as a whole, including supported switches and gateways. Your network can also be managed through your smartphone using the Nebula Mobile app.
Chapter 1 Introduction
Table 4 NCC management Levels
Organization
Site A Site B
Device A-1 Device A-2 Device B-1 Device B-2
NCC allows different levels of management. You can configure each device on its own or configure a set of devices together as a site. You can also monitor groups of sites called organizations, as shown below.
Figure 2 Title Bar
The icons provide the following functions.
Table 5 Title Bar: Web Configurator Icons
LABEL DESCRIPTION
Click this to open the help page for the current screen or go to the Forum.
Click this to set up the following:
• Organization & Device – you see all organizations that you have already created and the Zyxel Devices (Model, Device and License Status).
• Members – to assign an administrator or user for organizations or Zyxel Devices within organizations that you created.
Click this to turn on or off SecuReporter’s Dark Mode display.
Note: This feature is not available at the time of writing of this User’s Guide.
Click this to show a list of apps provided by Zyxel available at the time of writing.
SecuReporter’s User’s Guide
9
Chapter 1 Introduction
Table 5 Title Bar: Web Configurator Icons (continued)
LABEL DESCRIPTION
Click this to open the myZyxel web site login page in a new tab or window.
Click this to open the NCC web site login page in a new tab or window.
Click this to open the SecuReporter web site login page in a new tab or window.
Click this to open the CNC web site login page in a new tab or window.
Click this to open the Circle web site login page in a new tab or window.
Click this to open the myZyxel web site login page in a new tab or window. You will be redirected to the Marketplace after you log in.
Click this to go to Zyxel Biz Forum, where you can get the latest Zyxel Device information and have conversations with other people by posting your messages.
Click this to view your account name, manage your account information (edit Profile, change Password, set up Two-Factor Authentication), or to log out.

1.4 Threat History

Refer to the right portion of the Dashboard to view the origins of attack packets detected by SecuReporter over the last 7 days.
The map pins identify the locations from which threats had originated. Pin color indicates the type of the attacks. A bigger pin means more threats.
SecuReporter’s User’s Guide
10
Figure 3 Threat History
Chapter 1 Introduction

1.4.1 Details

Click a pin on the Threat History in 7 Days on Map to view more information about the threats detected from that location.
SecuReporter’s User’s Guide
11
The following table describes the labels on this screen.
Table 6 Threat History
LABEL DESCRIPTION
Attack Type This displays the type of attack that was detected coming from the site. Common types
Hits This displays the number of times a single threat was sent from a site and blocked by the
Top Attack Origins This displays the percentage of the threat’s source country.
Top Attack Targets This displays the percentage of the threat’s destination country.
Top Attack Types This displays the percentage of the type of attack.
Top Attack Time Period This displays the percentage of the 3-hour time frame when the attacks occur.
Top Attackers IP Address
Top Attacked IP Address

1.5 Dashboard

Chapter 1 Introduction
of attacks include ADP, IDP, Malware (Anti Virus), spam, content filter, and mixed.
Zyxel Device. Click the arrow to arrange the threats by the number of hits.
This displays each threat’s source IP.
This displays each threat’s destination IP.
The Dashboard shows the key facts about your network’s security environment that were collected by SecuReporter in the last 30 days, 7 days, 24 hours, one hour, or custom range.
You need to create an organization with at least one Zyxel Device for information to display in the Dashboard – go to (More) (upper right icon) > Organization & Device > Add Organization.
By default, the dashboard will have the Alert Detected, License Status, Security Indicator, and Traffic Usage widgets. See Section 2.1.2 on page 18 and Section 2.1.3 on page 20 for more information about sandboxing.
Widgets are miniature views of SecuReporter’s data visualizations, the full versions of which are available under the Security Indicator and Application / Website screens.
SecuReporter’s User’s Guide
12
Figure 4 Default Dashboard
Chapter 1 Introduction
The following table describes the widgets on the default dashboard:
Table 7 Default Dashboard
LABEL DESCRIPTION
Alert Detected This is the total number of the latest alerts sent to administrators of a network in the last 7
License Status This shows if your SecuReporter license is active or inactive, and the number of days
Security Indicator
days.
remaining.
SecuReporter’s User’s Guide
13
Chapter 1 Introduction
Table 7 Default Dashboard (continued)
LABEL DESCRIPTION
Select the time frame to show your network’s security environment collected by SecuReporter.
• Last hour
• Last 24 hours
•Last 7 days
• Last 30 days (for SecuReporter Premium only)
• Custom Range (last 30 days custom range for SecuReporter Premium only) – click an
allowed start and end day, select the time frame, and then click Apply.
ADP Hits This displays the total number of anomalies detected by the Zyxel Devices. Anomalies are
based on violations of protocol standards (RFCs – Requests for Comments) or abnormal flows such as port scans.
Antivirus / Malware Hits This displays the total number of the most common malware and viruses detected and
blocked by the Zyxel Device.
URL Threat Filter Hits This displays the total number of times the Zyxel Device’s URL Threat filtering service
detected and blocked connection attempts to or from a site in an URL threat category.
IP Reputation Hits This displays the total number of times packets coming from an IPv4 address with a bad
IDP Hits This displays the total number of malicious or suspicious packets detected by IDP in the
Mail Protection Hits This displays the total number of the most common traffic classified as spam received by
Sandboxing Alerts This displays the total number of files that have been scanned through the sandboxing
DNS Filter Hits This displays the total number of URLs of FQDNs classified as a security threat to network
Traffic Usage
Top 3 Bandwidth User This displays the top three users of bandwidth on the network including percentage over
Top 3 Application Usage
Top 3 Destination Country
Top 3 Destination Port This displays the top three destination ports by bandwidth usage including percentage,
reputation occur and the number of times connection attempts to an IPv4 address with a bad reputation occur.
Zyxel Devices. IDP (Intrusion, Detection and Prevention) uses signatures to detect malicious or suspicious packets to protect against network-based intrusions.
the Zyxel Devices.
function.
devices behind the Zyxel Device.
Select the time frame to show your network traffic collected by SecuReporter.
• Last hour
• Last 24 hours
•Last 7 days
• Custom Range – click an allowed start and end day, select the time frame, and then
click Apply.
a selected time frame, which is 7 days by default.
This displays the network applications with the greatest bandwidth usage including percentage over a selected time frame, which is 7 days by default.
This displays the top three countries that received the most data traffic from Zyxel Devices including percentage, over a selected time frame.
over a specified time frame, which is 7 days by default.
SecuReporter’s User’s Guide
14

2.1 Overview

Analysis is a set of charts, tables, and other visualizations of data collected from Zyxel Devices. Analysis
provides a big-picture overview of network activity, while making it easy to “drill down” into granular detail on what users are doing.

2.1.1 Tutorial

In the Analysis section, the charts can be clicked to reveal event records.
In most cases, you can choose to analyze data collected over one of five time frames (see Section 1.5
on page 12):
•Last hour
• Last 24 hours
•Last 7 days
• Last 30 days (for SecuReporter Premium only)
• Custom Range (last 30 days custom range for SecuReporter Premium only) – click an allowed start
and end day, select the time frame, and then click Apply.
CHAPTER 2

Analysis

This tutorial uses the following example to show how to explore an URL threat filter hit detail that you want to investigate, specifically by destination IP.
1 Click Analysis > Security Indicator > URL Threat Filter.
SecuReporter’s User’s Guide
15
Figure 5 Top URL Threat Filter
Chapter 2 Analysis
2 Click the by Destination IP tab. To display the next set of malware or viruses, click the arrow on the lower
left of the screen.
SecuReporter’s User’s Guide
16
Chapter 2 Analysis
Figure 6 Top 10 URL Threat Filter Hit Detail > by Destination IP
The following screen appears.
Figure 7 Next Set of Top URL Threat Filter Hit Detail > by Destination IP
3 Clicking a Destination IP will display its Threat Website address, the number of Hits, and the percentage
(%) of hits to the destination IP address.
Note: You could select different metrics by clicking a tab to view the information of the
selected metric.
Figure 8 Source IP
4 Clicking a Source IP will display its Threat Website address, the number of Hits, and the percentage (%)
of hits from the source IP address.
SecuReporter’s User’s Guide
17
Figure 9 Source IP Information
Chapter 2 Analysis

2.1.2 Sandboxing

Zyxel cloud sandboxing is a security mechanism which provides a safe environment to separate running programs from your network and host devices. Unknown or untrusted programs or codes are uploaded to a cloud server and executed within an isolated virtual machine (VM) to monitor and analyze the zero-day malware and advanced persistent threats (APTs) that may evade the Zyxel Device’s detection, such as anti-malware. Results of cloud sandboxing are sent from the server to the Zyxel Device.
The Zyxel Device sandbox checks all received files against its local cache for known malicious or suspicious codes. Files with no detected malicious or suspicious codes found in the cache (‘unknown’) are copied and uploaded to the security cloud server for further inspection. The scan result from the cloud server is added to the Zyxel Device cache and used for future inspection.
Note: The Zyxel Device forwards all unknown files to users. For files with known malicious or
suspicious codes, you can configure the Zyxel Device to take specific actions, such as dropping the file.
Note: The scan result is removed from the Zyxel Device cache after the Zyxel Device restarts,
so all files are once again ‘unknown’.
SecuReporter’s User’s Guide
18
Chapter 2 Analysis
Figure 10 General Zyxel Sandbox Inspection
In the Zyxel Device, you can configure Advanced Zyxel Sandbox Inspection to hold and inspect unknown downloaded files for up to 2 seconds. After 2 seconds the Zyxel Device forwards the file even if the inspection is incomplete.
Figure 11 Advanced Zyxel Sandbox Inspection
Supported File Types for Sandboxing Inspection
Sandbox can only check the types of files listed under File Submission Options in the Sandboxing screen of the Zyxel Device. If you disabled Scan and detect EICAR test virus in the Anti Malware screen, then EICAR test files will be sent to Sandbox.
The EICAR test file is a standardized test file for signature based anti-malware scanners. When the scanner detects the EICAR file, it responds in the same way as if it found a real malware. Besides straightforward detection, the EICAR file can also be compressed to test whether the anti-malware software can detect it in a compressed file.
Note: Configure this setting on your Zyxel Device.
Turning on Sandboxing on Your Zyxel Device
To use the sandboxing function, you need to register your Zyxel Device and activate the service license at myZyxel, and then turn on the sandboxing function on the Zyxel Device.
SecuReporter’s User’s Guide
19

2.1.3 Sandboxing Alerts

SecuReporter sends sandboxing alerts to Zyxel Device administrators when:
1 The Zyxel Device forwarded files that were later discovered to be suspicious or malicious.
Note: In this case the Zyxel Device administrator should immediately contact the receiver of
the file and advise him or her not to open it. If he or she already opened it, then urge him or her to run an up-to-date anti-malware scanner.
2 The Zyxel Device sandbox (or Security Cloud) removed infected portions of files that were suspicious or
malicious.
Note: In this case the receiver of the file will not be able to open the file. The Zyxel Device
administrator should contact the receiver of the file to let him or her know.

2.2 Analysis Overview

Chapter 2 Analysis
Click Analysis > Security Indicator to show data visualizations related to the network’s security, management and what was blocked. The following screens will be displayed.
Data is displayed in the Analysis menus as follows.
.
Table 8 Analysis Overview
LABEL TYPE DESCRIPTION
Security Indicator ADP ADP Trend (Hits)
Top Signature Type
Top Event Severity Type
Top Source IP
Top Destination IP
IP Reputation IP Reputation Trend (Hits)
Top Risk IP
Top Type
Top Source IP
Top Destination IP
IDP IDP Trend (Hits)
Top Signature Type
Top Event Severity Type
Top Source IP
Top Destination IP
DNS Filter DNS Filter Trend (Hits)
Top DNS Filter Domain
Top Threat Category
Top Source IP
Top Query Type
SecuReporter’s User’s Guide
20
Chapter 2 Analysis
Table 8 Analysis Overview (continued)
LABEL TYPE DESCRIPTION
Security Indicator URL Threat Filter URL Threat Filter Trend (Hits)
Top Threat Website
Top Type
Top Source IP
Top Destination IP
Antivirus / Malware Antivirus / Malware Trend (Hits)
Top Virus / Malware
Top Source IP
Top Destination IP
Sandboxing Sandboxing Trend (Hits)
Top File Type
Top File Name
Top File Hash
Top User
Top Source IP
Top Destination IP
Mail Protection Mail Protection Trend (Hits)
Top Spam Email Subject
Top Spam Sender Email
Top Spam Received IP
Top Spam Sender IP
Application / Website
Web Security Blocked Website Access Trend (Hits)
Allowed Website Access Trend (Hits)
Top Accessed Blocked Website
Top Accessed Blocked Website Type
Top Accessed Allowed Website
Top Accessed Allowed Website Type
Top Source IP (to Blocked Website)
Top Destination IP (to Blocked Website)
Top Source IP (to Allowed Website)
Top Destination IP (to Allowed Website)
App Patrol Blocked Application Access Trend (Hits)
Allowed Application Access Trend (Hits)
Top Accessed Blocked Application
Top Accessed Blocked Application Type
Top Accessed Allowed Application
Top Accessed Allowed Application Type
SecuReporter’s User’s Guide
21

2.3 Security Indicators

Security Indicators data visualizations are categorized as:
•ADP
• IP Reputation
•IDP
• DNS Filter
• URL Threat Filter
• Antivirus / Malware
•Sandboxing
• Mail Protection

2.3.1 ADP

Anomaly Detection and Prevention (ADP) protects against anomalies based on violations of protocol standards (RFCs – Requests for Comments) and abnormal flows such as port scans. This section introduces ADP, anomaly profiles and applying an ADP profile to a traffic direction.
Chapter 2 Analysis
Traffic Anomalies
Traffic anomaly policies look for abnormal behavior or events such as port scanning, sweeping or network flooding. They operate at OSI layer-2 and layer-3. Traffic anomaly policies may be updated when you upload new firmware.
Protocol Anomalies
Protocol anomalies are packets that do not comply with the relevant RFC (Request For Comments). Protocol anomaly detection includes:
•TCP Decoder
• UDP Decoder
•ICMP Decoder
Protocol anomaly policies may be updated when you upload new firmware.
The following figure shows the Analysis > Security Indicator > ADP data visualizations.
SecuReporter’s User’s Guide
22
Chapter 2 Analysis
Figure 12 Analyzer > Security Indicators > ADP
The following table describes the labels on the Analysis > Security Indicator > ADP screen.
Table 9 Analysis > Security Indicator > ADP
LABEL DESCRIPTION
ADP Trend (Hits) This chart displays patterns in anomalies detected by the Zyxel Devices. Anomalies are
based on violations of protocol standards (RFCs – Requests for Comments) or abnormal flows such as port scans.
Move your cursor over a trend line to display the number of threats encountered over time.
Top Signature Type This chart displays the top 3 anomalies detected by the Zyxel Device.
Scroll down to ADP Hit Detail and click the by Signature tab to display details about the anomalies that were detected.
Top Event Severity Type This chart displays the top 3 anomaly severity types detected by the Zyxel Device.
Scroll down to ADP Hit Detail and click the by Type tab to display details about the anomalies that were detected.
Top Source IP This chart displays the source IP addresses of the top 3 incoming anomalies.
Scroll down to ADP Hit Detail and click the by Source IP tab to display details about the anomalies that were detected.
Top Destination IP This chart displays the destination IP addresses of the top 3 incoming anomalies.
Scroll down to ADP Hit Detail and click the by Destination IP tab to display details about the anomalies that were detected.
SecuReporter’s User’s Guide
23

2.3.2 IP Reputation

When you register for and enable the IP reputation service, your Zyxel Device downloads signature files that identifies reputation of IPv4 addresses. You can have the Zyxel Device forward, block, and/or log packets from IPv4 addresses based on these signatures and categories.
The priority for IP Reputation checking is as below:
•White List
•Black List
•External Black List
• Local Zyxel Device Signatures
The following figure shows the Analysis > Security Indicator > IP Reputation data visualizations.
Figure 13 Analysis > Security Indicator > IP Reputation
Chapter 2 Analysis
SecuReporter’s User’s Guide
24
Chapter 2 Analysis
The following table describes the labels on the Analysis > Security Indicator > IP Reputation screen.
Table 10 Analysis > Security Indicator > IP Reputation
LABEL DESCRIPTION
IP Reputation Trend (Hits) This chart displays the number of threats posed by IPs as detected by the Zyxel Devices.
Move your cursor over a trend line to display the number of threats encountered over time.
Top Risk IP This chart displays the top 3 IP addresses detected by the Zyxel Device as detected by
Top Type This chart displays the top 3 types of threats posed by IPs detected by the Zyxel Device
IP Reputation. Scroll down to IP Reputation Hit Detail and click the by Risk IP tab to display details
about the IP addresses that were detected by IP Reputation. Click an IP address to display the details.
as detected by IP Reputation. Threat categories include Negative Reputation, TOR
Proxies, Denial of Service, Scanners, Web Attacks, Exploits, Spam Sources, Anonymous Proxies, Phishing, and Botnets.
Scroll down to IP Reputation Hit Detail and click the by Type tab to display details about the threats posed by IPs detected by the Zyxel Device as detected by IP Reputation.
Note: See more details of threat categories in the ZyWALL ATP User’s Guides.
Top Source IP This chart displays the source IP addresses of the top 3 IP addresses detected by the
Zyxel Device as detected by IP Reputation. Scroll down to IP Reputation Hit Detail and click the by Source IP tab to display details
about the source IP addresses that were detected.
Top Destination IP This chart displays the destination IP addresses of the top 3 IP addresses detected by
the Zyxel Device as detected by IP Reputation.

2.3.3 IDP

Scroll down to IP Reputation Hit Detail and click the by Destination IP tab to display details about the destination IP addresses that were detected.
An IDP profile is a set of packet inspection signatures.
A signature is a pattern of malicious or suspicious packet activity. You can specify an action to be taken if the system matches a stream of data to a malicious signature. You can change the action in the profile screens. Packet inspection examine OSI (Open System Interconnection) layer-4 to layer-7 packet contents for malicious data. Generally, packet inspection signatures are created for known attacks while anomaly detection looks for abnormal behavior.
Changes to the Zyxel Device’s IDP settings affect new sessions, but not the sessions that already exists before you apply the new settings.
The following figure shows the Analysis > Security Indicator > IDP data visualizations.
SecuReporter’s User’s Guide
25
Chapter 2 Analysis
Figure 14 Analysis > Security Indicator > IDP
The following table describes the labels on the Analysis > Security Indicator > IDP screen.
Table 11 Analysis > Security Indicator > IDP
LABEL DESCRIPTION
IDP Trend (Hits) This chart displays malicious or suspicious packets detected by IDP in the Zyxel Devices.
IDP (Intrusion, Detection and Prevention) uses signatures to detect malicious or suspicious packets to protect against network-based intrusions.
Move your cursor over a trend line to display the number of threats encountered over time.
Top Signature Type This chart displays the top 3 malicious or suspicious packets detected by IDP in the Zyxel
Devices. Scroll down to IDP Hit Detail and click the by Signature tab to display details about the
intrusions that were detected.
Top Event Severity Type This chart displays the top 3 malicious or suspicious packet types detected by IDP in the
Zyxel Devices. Scroll down to IDP Hit Detail and click the by Type tab to display details about the
intrusions that were detected.
SecuReporter’s User’s Guide
26
Table 11 Analysis > Security Indicator > IDP (continued)
LABEL DESCRIPTION
Top Source IP This chart displays the source IP addresses of the top 3 incoming malicious or suspicious
Top Destination IP This chart displays the destination IP addresses of the top 3 incoming malicious or
2.3.3.1 Threat Intelligence
Click any item in the by Signature table to view the malicious or suspicious packets detected by IDP in detail.
Figure 15 Top Signature Details
Chapter 2 Analysis
packets detected by IDP in the Zyxel Devices. Scroll down to IDP Hit Detail and click the by Source IP tab to display details about the
source IP addresses of the incoming malicious or suspicious packets.
suspicious packets detected by IDP in the Zyxel Devices. Scroll down to IDP Hit Detail and click the by Destination IP tab to display details about
the destination IP addresses of the incoming malicious or suspicious packets.

2.3.4 DNS Filter

A Domain Name System (DNS) server records mappings of FQDN (Fully Qualified Domain Names) to IP addresses. A FQDN consists of a host and domain name. For example, www.zyxel.com is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com” is the top level domain.
DNS filtering inspects DNS queries made by clients on your network and compares the queries against a database of blocked or allowed Fully Qualified Domain Names (FQDNs).
If a user attempts to connect to a suspect site, where the DNS query packet contains an FQDN with a bad reputation, then a DSN query is sent from the user’s computer and detected by the DNS Filter.
The Zyxel Device DNS filter will either drop the DNS query or reply to the user with a fake DNS response using the default dnsft.cloud.zyxel.com URL (where the user will see a “Web Page Blocked!” page) or a custom IP address.
The following type of DNS queries is allowed by the Zyxel Device:
• Type “A” for IPv4 addresses
SecuReporter’s User’s Guide
27
Chapter 2 Analysis
The Zyxel Device replies with a DNS server error for the following types of DNS queries:
• Enter “AAAA” for IPv6 addresses
• Enter “NS” (Name Server) to get information about the authoritative name server
• Enter “MX” (Mail eXchange) to request information about the mail exchange server for a specific DNS domain name
• Enter “CNAME” (Canonical Names) that specifies a domain name that has to be queried in order to resolve the original DNS query
• Enter “PTR” (Pointer) that specifies a reverse query (requesting the FQDN corresponding to the IP address you provided
• Enter “SOA” (Start Of zone Authority) used when transferring zones
Click Analysis > Security Indicator > DNS Filter to display the configuration screen as shown next.
Figure 16 Analysis > Security Indicator > DNS Filter
SecuReporter’s User’s Guide
28
Chapter 2 Analysis
The following table describes the labels on the Analysis > Security Indicator > DNS Filter screen.
Table 12 Analysis > Security Indicator > DNS Filter
LABEL DESCRIPTION
DNS Filter Trend (Hits) This chart displays the number of URLs of FQDNs that may pose a security threat to
Top DNS Filter Domain This chart displays the URLs of FQDNs that may pose a security threat to network
Top Threat Category This chart displays the categories of FQDNs that may pose a security threat to
Top Source IP This chart displays the source IP addresses of the incoming malicious and/or
Top Query Type This chart displays the types of DNS (Domain Name System) record of the security
network devices that were scanned.
Move your cursor over a trend line to display the number of URLs of FQDNs encountered over time.
devices behind the Zyxel Device. Scroll down to DNS Filter Hit Detail and click the by DNS Filter Domain tab to display
details about the URLs of FQDNs.
network devices behind the Zyxel Device. Scroll down to DNS Filter Hit Detail and click the by Threat Category tab to display
details about the categories of FQDNs.
suspicious files. Scroll down to DNS Filter Hit Detail and click the by Source IP tab to display details
about the source IP addresses.
threat to network devices behind the Zyxel Device.

2.3.5 URL Threat Filter

When you enable the URL Threat filtering service, your Zyxel Device downloads signature files that contain known URL Threat domain names and IP addresses. The Zyxel Device will also access an external database that has millions of web sites categorized based on content. You can have the Zyxel Device allow, block, warn and/or log access to web sites or hosts based on these signatures and categories.
The priority for URL Threat checking is as below:
•White List
•Black List
•External Black List
• Local Zyxel Device Signatures
•Cloud Query Cache
•Cloud Query
The following figure shows the Analysis > Security Indicator > URL Threat Filter data visualizations.
Scroll down to DNS Filter Hit Detail and click the by Query Type tab to display details about the DNS (Domain Name System) record type.
SecuReporter’s User’s Guide
29
Loading...
+ 66 hidden pages