RT6600ax Safe access and NAS alert ?

[Fidmille]

Hello,
I have a nas qnap behind my 6600AX. Safe access is activated and I notice that it blocks about 100 ip per day for "security reasons". The threat intelligence database box is enabled but my nas seems to be targeted.

This is not understandable because on my nas the accesses are only internal (lan ip) and I don't notice anything on it.
How can this be done? I don't have any redirected ports on the 6600AX. The nas should not even be detected from outside?
Nothing is running on my nas, it is only a file server with jellyfin. Or on the other hand, is it my nas that tries to make strange accesses?

Thanks

 

[Fidmille]

I've put some ip of the list in my NAS firewall in the rejected list, but I still have the detections on the synology. Very strange

 

[Rusty]

Try and configure your NAS inside the 6600 firewall and block all traffic towards the Internet for it, but leave the local one working. That should stop all outgoing attempts.

 

[Fidmille]

Hi, its weird.
I've Block in srm firewall the traffic from the nas toward internet, but ive got the same errors again in safe access. Perhaps it is inbound traffic searching my nas ?

 

[Rusty]

Hi, its weird.
I've Block in srm firewall the traffic from the nas toward internet, but ive got the same errors again in safe access. Perhaps it is inbound traffic searching my nas ?

Tbh it is hard for me to translate the image above... maybe you are indeed having internal (LAN) traffic being captured in this case

 

[fredbert]

Safe Access is an outbound access control mechanism, meaning that it controls requests coming from your LAN/WLAN devices. From the screen shot you have requests originating from your NAS, MaiyonNAS, towards the logged, and blocked, IP addresses. So you should investigate what these IP addresses could be hosting and it may be that you are ok with this access, so create a new profile that allows it and add the NAS to it's list of devices.

I can't remember if Safe Access acts before or after SRM firewall, but it sounds from your results that SA is before and so you still get the logged events. For Threat Prevention this happens after the SRM firewall and so a FW deny rule will stop TP from intercepting those sessions.

So what are these IP addresses that the NAS is trying to access? Could be, just a few ideas and there will be others you can probably think of:

• QNAP servers, e.g. software update.
• QNAP package/application requesting content, e.g. mail server caching attachments or HTML linked content, or a downloader/torrent service.
• Docker container/VM getting whatever it wants, or contacting whoever it wants.

I just checked the first four IP addresses at AbuseIPDB - IP address abuse reports - Making the Internet safer, one IP at a time: three are in China and the other is South Korea. But all four had a list of reports, mostly for ingress activity but I guess if they are questionable then you can ask "should my devices be trying to access them?".