Block Traffic on WAN Interface (HTTP Management)
I support a small climbing gym and they have a TZ 215 as a Firewall and VPN Gateway.
They often lose connection to the internet from the inside LAN and can't connect to the VPN at these times. I realized that the Connection Usage reaches 100% (and above) when this happens and made a dump of the existing connections with the Connections Monitor under Diagnostics.
The nearly 32,000 connections came all from only a few IPs in Bangladesh, Pakistan etc. and every IP connected over several ports. They all had in common that the Flow Type was HTTP Management, so I assume it is some kind of brute-force attack on the web interface?
I checked all the WAN interfaces and disabled all Web Management options for them, I then saved the configuration and restarted the device.
Directly after the restart, the connections reappeared and the Firewall got unresponsive again.
I'm pretty new to this firewall stuff, so please be gentle if my questions are a bit noobish :-)
1.) Is there a way I can configure the WAN interfaces to drop those connections immediately so that the connection cache doesn't get flooded?
2.) Can you give me some tips or advice on how to deal with those attacks?
I'm thankful for any kind of advice or tips!
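As an added illustration of the diagnostic step described above (this is not code from the thread or from SonicWall), a small script that aggregates a connection-monitor export by source IP and flow type and reports which sources are filling the connection table. The CSV column names, the sample rows and the 32,000-entry table size are constructed assumptions, not a real TZ 215 export format.

```python
# Added example: summarise a connection-monitor export to spot a flood of
# HTTP Management flows coming from a handful of source IPs.
# Column names and sample rows are constructed assumptions, not a real export.
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in the shape of a connection-monitor CSV export.
SAMPLE_DUMP = """\
Src IP,Src Port,Dst IP,Dst Port,Protocol,Flow Type
203.0.113.10,40001,198.51.100.1,443,TCP,HTTP Management
203.0.113.10,40002,198.51.100.1,443,TCP,HTTP Management
203.0.113.10,40003,198.51.100.1,80,TCP,HTTP Management
203.0.113.77,51000,198.51.100.1,443,TCP,HTTP Management
203.0.113.77,51001,198.51.100.1,443,TCP,HTTP Management
192.168.1.20,50222,93.184.216.34,443,TCP,Generic
192.168.1.21,50223,93.184.216.34,80,TCP,Generic
"""

def summarise(dump_text, flow_type="HTTP Management"):
    """Return {src_ip: (flow_count, distinct_src_ports)} for flows of flow_type."""
    per_ip = Counter()
    ports = defaultdict(set)
    for row in csv.DictReader(io.StringIO(dump_text)):
        if row["Flow Type"] != flow_type:
            continue
        per_ip[row["Src IP"]] += 1
        ports[row["Src IP"]].add(row["Src Port"])
    return {ip: (n, len(ports[ip])) for ip, n in per_ip.items()}

def offenders(summary, threshold):
    """Source IPs whose flow count meets the threshold, largest first."""
    hits = [(ip, n) for ip, (n, _) in summary.items() if n >= threshold]
    return sorted(hits, key=lambda t: -t[1])

def share_of_table(summary, total_connections):
    """Fraction of the whole connection table taken by the flagged flow type."""
    used = sum(n for n, _ in summary.values())
    return used / total_connections if total_connections else 0.0

if __name__ == "__main__":
    s = summarise(SAMPLE_DUMP)
    for ip, n in offenders(s, threshold=2):
        print(f"{ip}: {n} HTTP Management flows from {s[ip][1]} source ports")
    print(f"{share_of_table(s, 7):.0%} of the table is HTTP Management")
```

On a real dump, point `summarise` at the exported file and compare `share_of_table` against the device's connection-table limit to see how close the management flows alone bring it to 100%.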
MitatOnge:
- Set a Geo-IP filter for attacker countries
- Change WAN access rules from the drop to the discard option.
- Enable the TCP flood options under the firewall settings.
Thank you so much! That was really helpful!
The gym hasn't licensed the Geo-IP Filter feature, but the flood protection settings seem to have an immediate effect.