Configure Reconnaissance Protection

Defend your zones against port scans and host sweeps.
Contact your account team to enable Cloud Management for NGFWs using Strata Cloud Manager.
Reconnaissance activities are often preludes to a network attack. You can configure a Zone Protection profile to defend your zones against port scans and host sweeps. Reconnaissance tools also have legitimate uses, such as pen testing network security or the strength of the firewall, so you can specify IP addresses or netmask address objects to exclude from reconnaissance protection. This allows your internal IT department to conduct pen tests to find and fix network vulnerabilities.
You can set the action the firewall takes when reconnaissance traffic, excluding pen testing traffic, exceeds the configured thresholds.
  1. Log in to Strata Cloud Manager.
  2. Select Manage > Configuration > Security Services > DoS Protection and select the Configuration Scope where you want to create the Zone Protection profile.
    You can select a folder or firewall from your Folders or select Snippets to configure the Zone Protection profile in a snippet.
  3. Navigate to the Zone Protection Profiles and Add Profile.
  4. Enter a descriptive Name.
  5. (Optional) Enter a Description.
  6. Select Reconnaissance.
  7. Enable one or more scan types to protect against (TCP Port Scan, Host Sweep, and UDP Port Scan).
  8. Select the Action for each scan.
    • Allow—The firewall allows the port scan or host sweep reconnaissance to continue.
    • Alert (default)—The firewall generates an alert for each port scan or host sweep that matches the configured threshold within the specified time interval.
    • Block—The firewall drops all subsequent packets from the source to the destination for the remainder of the specified time interval.
    • Block IP—The firewall drops all subsequent packets for the specified Duration, in seconds (range is 1 to 3,600). You must also configure the Track By, which determines whether the firewall blocks source or source-and-destination traffic.
  9. Set the Interval in seconds to define the time interval for port scan and host sweep detection.
  10. Set the Threshold to define the number of port scan events or host sweeps that must occur within the configured Interval to trigger the action.
  11. (Optional) Configure Source Address Exclusion.
    1. Add an entry to add one or more IP addresses to the Source Address Exclusion List.
    2. Enter a descriptive Source Address Exclusion entry name.
    3. Set the Address Type to IPv4.
    4. Select one or more IP Address(es).
  12. Save.
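
To see how Interval, Threshold, Action, and Source Address Exclusion interact before committing a profile, the following added example models them in Python. It is not Palo Alto Networks code and not the firewall's actual detection algorithm. It assumes that a scan event is a probe from one source to a new destination address and port pair and that Track By is set to source; the function name, action strings, and sample traffic are constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque

def evaluate(events, interval, threshold, action="alert", duration=0, exclusions=()):
    """Simplified model of one scan type's Interval/Threshold/Action logic.

    events: time-ordered (ts_seconds, src_ip, dst_ip, dst_port) tuples.
    Returns a list of (ts, src_ip, verdict). Track By is assumed to be source.
    """
    if action not in ("allow", "alert", "block", "block-ip"):
        raise ValueError(f"unknown action: {action}")
    if action == "block-ip" and not 1 <= duration <= 3600:
        raise ValueError("Block IP Duration must be 1 to 3,600 seconds")
    # The exclusion list accepts IPv4 entries only; anything else raises.
    excluded = [ipaddress.IPv4Network(e, strict=False) for e in exclusions]
    seen = defaultdict(deque)      # src -> (ts, target) probes inside the window
    blocked_until = {}             # src -> time at which dropping stops
    verdicts = []
    for ts, src, dst, port in events:
        if any(ipaddress.IPv4Address(src) in net for net in excluded):
            continue               # excluded pen-test source: never counted
        if ts < blocked_until.get(src, 0):
            verdicts.append((ts, src, "dropped"))
            continue
        window = seen[src]
        window.append((ts, (dst, port)))
        while window and window[0][0] <= ts - interval:
            window.popleft()       # forget probes older than Interval
        if len({target for _, target in window}) < threshold:
            continue
        if action == "block":      # drop for the remainder of the interval
            blocked_until[src] = window[0][0] + interval
        elif action == "block-ip": # drop for the configured Duration
            blocked_until[src] = ts + duration
        if action != "allow":
            verdicts.append((ts, src, action))
        window.clear()             # start counting a new scan

    return verdicts

# Constructed sample traffic (documentation addresses, not real logs):
# one unknown source and one excluded pen-test host each probe ports 20-26.
SAMPLE = sorted(
    (t, src, "192.0.2.10", 20 + t)
    for t in range(7)
    for src in ("203.0.113.7", "198.51.100.25")
)

if __name__ == "__main__":
    for verdict in evaluate(SAMPLE, interval=10, threshold=5, action="block-ip",
                            duration=60, exclusions=["198.51.100.25"]):
        print(verdict)
```

Replaying the same sample with different Interval and Threshold values shows how many probes a source can send before the chosen Action applies, and confirms that excluded pen-test hosts never produce a verdict.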