Palo Alto Networks now offers
reconnaissance protection for IP protocol
scans. IP protocol scans cycle through IP protocol numbers to determine the IP
protocols and services supported by target machines. Malicious actors use this
scanning technique to identify and exploit open and insecure protocols. This feature
enables your firewall to detect and block, allow, or alert on these scans. For
example, you can configure the firewall to drop subsequent packets from a host
exhibiting behavior consistent with IP protocol scans.

You can configure protection against IP protocol scans in the Reconnaissance
Protection settings of a Zone Protection profile. The firewall identifies IP
protocol scans based on the specified number of scan events that occur within a
specified interval. If necessary, you can exclude the IP addresses of trusted
internal groups performing vulnerability testing from reconnaissance protection.
Details of each detected scan are available in the Threat logs.
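
The threshold-and-interval detection described above, sketched as an added example (not Palo Alto Networks code and not a description of PAN-OS internals). It assumes that one scan event is one IP protocol number seen from a source toward a target; the function name, packet tuple layout, and all addresses are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

def detect_ip_protocol_scans(packets, threshold, interval, exclusions=()):
    """Flag sources that probe `threshold` distinct IP protocol numbers on one
    target within `interval` seconds. Returns {src_ip: time_of_first_detection}.

    Assumption (not PAN-OS internals): one "scan event" = one protocol number
    seen from a source to a target. `packets` is a time-ordered list of
    (timestamp, src_ip, dst_ip, ip_protocol_number) tuples.
    """
    excluded = [ip_network(net) for net in exclusions]
    last_seen = defaultdict(dict)  # (src, dst) -> {protocol: last timestamp}
    detections = {}
    for ts, src, dst, proto in packets:
        if any(ip_address(src) in net for net in excluded):
            continue  # trusted vulnerability-testing group, not evaluated
        seen = last_seen[(src, dst)]
        seen[proto] = ts
        # Drop protocols last seen outside the sliding interval.
        for old in [p for p, t in seen.items() if ts - t >= interval]:
            del seen[old]
        if len(seen) >= threshold and src not in detections:
            detections[src] = ts
    return detections

def constructed_sample():
    """Constructed traffic: a scanner, an excluded tester, and a normal host."""
    packets = []
    for i in range(20):
        packets.append((i, "198.51.100.7", "10.0.0.5", i))  # cycles protocols 0..19
        packets.append((i, "10.0.9.10", "10.0.0.5", i))     # same pattern, trusted
        packets.append((i, "10.0.0.20", "10.0.0.5", (1, 6, 17)[i % 3]))  # ICMP/TCP/UDP
    return packets

if __name__ == "__main__":
    hits = detect_ip_protocol_scans(constructed_sample(), threshold=10,
                                    interval=15, exclusions=["10.0.9.0/24"])
    for src, ts in hits.items():
        print(f"IP protocol scan from {src} detected at t={ts}s")
```

With these constructed packets, removing the exclusion causes the trusted tester to be flagged as well, which is why the source address exclusion exists for internal vulnerability testing.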