Chapter 45 Collaborative Detection & Response
ZyWALL Series CLI Reference Guide
414
CDR uses a subset of the licensed security signatures described above. When the number of signature matches from a client reaches the configured threshold within the configured time period, the CDR containment policy (block or quarantine) is triggered for that client. The signatures that apply to CDR at the time of writing are listed in Table 222 below.
Blocking traffic from an infected client causes the Zyxel Device to drop all traffic it receives from the client. Because the block is enforced at the Zyxel Device, traffic that does not pass through it, such as broadcast traffic, can still reach other clients in the same subnet as the infected client.
Blocking traffic from an infected WiFi client causes the AP it is connected to to drop all traffic received from the client, provided you have run the command cdr block block-wireless-client. The Zyxel Device can only block traffic from Nebula-managed APs in your network using CDR.
Quarantining an infected WiFi client blocks its traffic at the Zyxel Device or AP and also isolates it from other clients in the same subnet: traffic from the infected WiFi client is only broadcast to other clients in the quarantine VLAN. You must configure the quarantine VLAN on the Zyxel Device and on any switches or routers in your network through which you want the VLAN traffic to be routed.
There are 2 requirements to block or quarantine WiFi clients:
•The AP must be managed by the Zyxel Device.
•The AP must be in the Zyxel Device's supported list. At the time of writing, there are 5 supported AP models (see Table 223 below).
Note: Please see your AP product page at the Zyxel web site to see if it can be managed by the Zyxel Device.
You must decide how long to contain (block or quarantine) a suspect client, before allowing traffic to
be sent from it again. This will depend on how quickly you can contact the owner of the suspect
client and how long they need to remove the malicious software from their device.
You must also decide if there are trusted clients in your network that are exempt from CDR and never
have their traffic blocked or quarantined.
•You can use the cdr unblock commands to release a blocked or quarantined client before its containment period expires, and the cdr white-list commands to add a client to the list of clients exempt from CDR checking.
If you disable CDR or your CDR license expires, all blocked and quarantined clients are released.
If you restart the Zyxel Device or restart an AP managed by the Zyxel Device, blocked and quarantined clients remain blocked or quarantined until the block or quarantine period expires.
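To make the containment semantics above concrete, the following is an added example and not Zyxel's code: a sliding-window model that counts CDR-relevant signature matches per client, triggers a block or quarantine with an expiry when the threshold is reached within the window, exempts white-listed clients, and supports early release (the equivalent of cdr unblock) and a disable that releases everyone. The log line format, the threshold, the window and the containment period are assumptions for the example; the sample log lines are constructed, and the signature families mirror Table 222 below.

```python
"""Sliding-window model of a CDR-style containment trigger.

Illustrative example only (not Zyxel's implementation). Assumptions:
log lines are "<epoch> <client-ip> <engine> <signature>", and the
threshold/window/containment values are chosen for the demonstration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
import re

# Constructed sample log lines (not real Zyxel Device output).
SAMPLE_LOG = """\
1700000000 192.168.1.10 ips 130822
1700000005 192.168.1.10 ips 130823
1700000020 192.168.1.10 anti-malware EICAR-Test
1700000030 192.168.1.20 url-threat Phishing
1700000600 192.168.1.20 url-threat Malicious Downloads
1700000900 192.168.1.20 url-threat Browser Exploits
1700001000 192.168.1.30 ips 117723
1700001001 192.168.1.30 ips 117724
1700001002 192.168.1.30 ips 117726
"""

# Signature families that count toward CDR (mirrors Table 222).
# None means every signature of that engine counts.
CDR_SIGNATURES = {
    "ips": {"117760", "130797", "130801", "130822", "130823", "130824",
            "130825", "117723", "117724", "117726"},
    "url-threat": {"Browser Exploits", "Malicious Downloads",
                   "Malicious Sites", "Phishing"},
    "anti-malware": None,
}

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (.+)$")


def counts_for_cdr(engine, signature):
    """True if this engine/signature pair is one CDR counts."""
    if engine not in CDR_SIGNATURES:
        return False
    allowed = CDR_SIGNATURES[engine]
    return allowed is None or signature in allowed


@dataclass
class CdrPolicy:
    threshold: int            # matches needed within the window
    window: int               # seconds
    containment: int          # seconds a client stays contained
    action: str = "block"     # or "quarantine"
    white_list: set = field(default_factory=set)
    contained: dict = field(default_factory=dict)   # ip -> (action, expires_at)
    _hits: dict = field(default_factory=lambda: defaultdict(deque))

    def observe(self, ts, client, engine, signature):
        """Feed one event; return the action taken or None."""
        if client in self.white_list or not counts_for_cdr(engine, signature):
            return None
        if self.is_contained(client, ts):
            return None               # already contained, nothing new to do
        hits = self._hits[client]
        hits.append(ts)
        while hits and ts - hits[0] > self.window:
            hits.popleft()            # drop matches older than the window
        if len(hits) >= self.threshold:
            # Absolute expiry: containment outlives a restart of this process,
            # like the page's note that a reboot does not release a client.
            self.contained[client] = (self.action, ts + self.containment)
            hits.clear()
            return self.action
        return None

    def is_contained(self, client, now):
        """Containment state at time `now`; releases on expiry."""
        entry = self.contained.get(client)
        if entry is None:
            return False
        if now >= entry[1]:
            del self.contained[client]
            return False
        return True

    def unblock(self, client):
        """Early release, like the cdr unblock commands."""
        return self.contained.pop(client, None) is not None

    def disable(self):
        """Disabling CDR (or license expiry) releases all clients."""
        self.contained.clear()
        self._hits.clear()


def run(log_text, policy):
    """Replay log lines through the policy; return (client, action, expiry)."""
    actions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, engine, sig = int(m[1]), m[2], m[3], m[4]
        taken = policy.observe(ts, client, engine, sig)
        if taken:
            actions.append((client, taken, policy.contained[client][1]))
    return actions


if __name__ == "__main__":
    for entry in run(SAMPLE_LOG, CdrPolicy(threshold=3, window=300, containment=3600)):
        print(entry)
```

With a threshold of 3 matches in 300 seconds, 192.168.1.10 and 192.168.1.30 are contained, while 192.168.1.20 is not: its three URL Threat Filter hits are spread over 15 minutes, so at no point do three of them fall inside one window. Putting a client in `white_list` suppresses containment for it entirely, which is the effect the page describes for cdr white-list.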
Table 222 Security Signatures Applied to CDR
SECURITY SIGNATURES   SIGNATURES APPLIED TO CDR
Web Filtering         URL Threat Filter categories: Browser Exploits, Malicious Downloads,
                      Malicious Sites, Phishing
IPS                   IDP signatures: CVE-2019-0708 (117760, 130797, 130801);
                      CVE-2020-0796 (130822, 130823, 130824, 130825); 117723, 117724, 117726
Anti-Malware          All signatures
Table 223 Zyxel Device Managed APs
MANAGED AP MODELS
WAX650S
WAX610D
WAX510D
WAC500
WAC500H