Configure Reconnaissance Protection
Prevent attackers from probing your network for vulnerabilities by configuring reconnaissance protection for IP protocol scan, UDP and TCP scans, and host sweeps.
Where Can I Use This?
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS or Panorama Managed)
What Do I Need?
For cloud-managed NGFWs:
Malicious actors use various scanning techniques, including port scans (TCP and UDP), host sweeps, and IP protocol scans, to identify and exploit network vulnerabilities. To protect your network against these scans, configure the Reconnaissance Protection settings of a Zone Protection profile. For each scan type, you will specify an action and the conditions that trigger the action. For example, you can block subsequent packets from an untrusted source if the firewall detects 1000 IP protocol scan events from that source within 60 seconds.
The following actions are supported for each scan:
  • Allow—The firewall allows the port scan, host sweep, or IP protocol scan reconnaissance to continue.
  • (Default) Alert—The firewall generates an alert for each port scan, host sweep, or IP protocol scan that matches the configured threshold within the specified time interval.
  • Block—The firewall drops all subsequent packets from the source to the destination for the remainder of the specified time interval.
  • Block IP—The firewall drops all subsequent packets for the specified Duration, in seconds (the range is 1-3,600). Track By determines whether the firewall blocks source or source-and-destination traffic.

Cloud Management

Configure reconnaissance protection for IP protocol scan, UDP and TCP scans, and host sweeps on Strata Cloud Manager.
You can configure protection against IP protocol scan, UDP or TCP scans, or host sweeps for next-generation firewalls managed with Strata Cloud Manager.
  1. Configure Reconnaissance Protection.
    1. Select Manage > Configuration > NGFW and Prisma Access > Device Settings > Zones.
    2. Select or Add a Zone.
      If you add a zone:
      • Enter a Name for the zone.
      • Select an Interface Type.
      • Add or Remove Interfaces.
    3. Select or Create a New Zone Protection Profile.
      If you add a new Zone Protection profile:
      • Enter a Name for the profile.
      • (Optional) Add a profile description.
      • Configure Flood, Packet Based Attack, Protocol, or Ethernet SGT settings.
    4. Select Reconnaissance and under Items, Enable the scan types to protect against.
    5. For each scan, select an Action.
      If you select Block IP, you must also configure the Track By (source or source-and-destination) and Duration options.
    6. For each scan, specify an Interval (Sec).
      This option defines the time interval, in seconds, for detection of the given scan type.
    7. For each scan, specify a Threshold (Events).
      The threshold defines the number of events that must be detected within the specified interval before the specified action triggers.
    8. (Optional) Configure the Source Address Exclusion List.
      Source Address Exclusions are IP addresses that you want to exclude from reconnaissance protection. You can specify up to 20 IP addresses or netmask address objects.
      1. Click Add to create a new entry.
      2. Enter a descriptive Name for the address.
      3. Select an Address Type.
      4. Specify one or more IP Address(es).
    9. Click Add to save the Zone Protection profile.
  2. Save the Zone.
  3. Push Config.

PAN-OS

PAN-OS: Prevent attackers from probing your network for vulnerabilities by configuring reconnaissance protection.
  1. Configure Reconnaissance Protection.
    1. Select Network > Network Profiles > Zone Protection.
    2. Select a Zone Protection profile, or Add a new profile and enter a Name for it.
    3. On the Reconnaissance Protection tab, select the scan types to protect against.
    4. Select an Action for each scan.
      If you select Block IP, you must also configure the Track By (source or source-and-destination) and Duration options.
    5. Set the Interval in seconds. This option defines the time interval for port scan, host sweep, and IP protocol scan detection.
    6. Set the Threshold for reconnaissance events. The threshold defines the number of port scan, host sweep, or IP protocol scan events that need to occur within the specified time interval to trigger an action.
    7. (Optional) Configure a Source Address Exclusion.
      Source Address Exclusions are IP addresses that you want to exclude from reconnaissance protection. You can specify up to 20 IP addresses or netmask address objects.
      Exclude only IP addresses for trusted internal groups that perform vulnerability testing.
      1. Add the address you want to exclude.
      2. Enter a descriptive Name for the address.
      3. For Address Type, select either IPv4 or IPv6, and then select an address object or enter one manually.
      4. Click OK.
    8. Click OK to save the Zone Protection profile.
    9. Commit your changes.
  2. Apply the Zone Protection profile to the appropriate zones, including zones that connect to the internet.
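To make the Interval, Threshold, Track By, Duration and Source Address Exclusion settings from both procedures above concrete, here is a small added Python model of how the four actions behave (written for this page, not Palo Alto Networks code). It assumes scan events are counted per source in a sliding window of Interval seconds and that an excluded source is never evaluated.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
import ipaddress

@dataclass
class ScanSetting:
    action: str                   # "allow", "alert", "block" or "block-ip"
    interval: int                 # Interval (Sec): detection window in seconds
    threshold: int                # Threshold (Events) needed within the window
    track_by: str = "source"      # Block IP only: "source" or "source-and-destination"
    duration: int = 60            # Block IP only: seconds to drop traffic (1-3600)

    def __post_init__(self):
        if not 1 <= self.duration <= 3600:
            raise ValueError("Duration must be 1-3600 seconds")

class ReconProtection:
    """Toy model of one Zone Protection profile's Reconnaissance settings."""
    def __init__(self, settings, exclusions=()):
        if len(exclusions) > 20:
            raise ValueError("at most 20 source address exclusions")
        self.settings = settings                      # scan type -> ScanSetting
        self.exclusions = [ipaddress.ip_network(e) for e in exclusions]
        self.window = defaultdict(deque)              # (scan, src) -> event times
        self.blocked = {}                             # src or (src, dst) -> expiry time

    def handle(self, t, scan, src, dst):
        """Verdict for one scan event seen at time t (seconds) from src to dst."""
        if any(ipaddress.ip_address(src) in net for net in self.exclusions):
            return "allow"                   # excluded sources are never evaluated
        for key in (src, (src, dst)):        # an active block drops the packet outright
            if key in self.blocked and t < self.blocked[key]:
                return "drop"
        s = self.settings[scan]
        if s.action == "allow":
            return "allow"
        times = self.window[(scan, src)]     # assumption: events are counted per source
        times.append(t)
        while times[0] <= t - s.interval:    # keep only the last `interval` seconds
            times.popleft()
        if len(times) < s.threshold:
            return "allow"
        start = times[0]                     # threshold reached within the window
        times.clear()                        # act once, then start counting again
        if s.action == "alert":
            return "alert"
        if s.action == "block":              # drop src->dst for the rest of the interval
            self.blocked[(src, dst)] = start + s.interval
            return "block"
        key = src if s.track_by == "source" else (src, dst)
        self.blocked[key] = t + s.duration   # Block IP: drop for Duration seconds
        return "block-ip"
```

With Track By set to source, a Block IP triggered by one scan type drops every later packet from that source, whatever the destination or scan type, until Duration expires; Block only affects the one source-to-destination pair.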