How to disable IP Reputation in cOS Core

Last modified on 21 Mar, 2023. Revision 15
This article is a Q&A regarding how to disable IP reputation on a NetWall firewall and how to limit the amount of logs it generates if not all functions/features are turned off.
Up to date for: cOS Core 14.00.09
Supported since: cOS Core 12.00.xx
Status: OK
Author: Peter Nilsson

Question 1

How can we disable IP Reputation lookups and logging in a NetWall firewall?

Answer

To stop a firewall from logging and performing IP Reputation lookups, the following steps are needed:

  1. Make sure that none of the IP Reputation features are enabled (for example, DoS Protection, Scanner Protection, Botnet Protection).
  2. Turn off the "Log IP Reputation" feature. The option can be found in the WebUI under: System -> Advanced Settings -> State Settings -> Log IP Reputation
  3. Run the following command in the CLI: updatecenter -removedb=ipreputation
  4. Restart the firewall.

When all the above steps are complete, IP Reputation should be completely disabled. To confirm that it has been turned off, check in the WebUI under: Status -> IP Reputation Log

Question 2

IP reputation seems to generate a large amount of logs. What is the main reason for this?

Answer

IP reputation generates a log entry whenever a connection is created, even if the source/destination IP address is already known. A cloud lookup is only performed when the IP address in question is not known or needs to be refreshed. So even if the firewall is generating a large amount of logs, the majority of those logs come from the firewall performing IP reputation queries towards the locally cached database.

Question 3

Is it possible to turn off the IP reputation logs and still get a log when something “bad” happens and an IP address gets blacklisted?

Answer

Yes. If we turn off the “Log IP reputation” setting mentioned in question 1 above but still have, for example, Botnet Protection enabled, the firewall will generate a log in the blacklisting subsystem if/when an IP address gets blacklisted by one of the IP reputation subsystems. At the same time, we avoid the firewall generating an IP reputation log for every connection created.


