Next-Generation Firewall
Configure Reconnaissance Protection
Defend your zones against port scans and host sweeps.
Contact your account team to enable Cloud Management for NGFWs using
Strata Cloud Manager.
Reconnaissance activities are often preludes to a network attack. You can configure a Zone Protection profile to defend your zones against port scans and host sweeps. Reconnaissance tools also have legitimate uses, such as penetration testing of network security or of the firewall's own defenses, so you can specify IP addresses or netmask address objects to exclude from reconnaissance protection. This lets your internal IT department conduct pen tests to find and fix network vulnerabilities without triggering the profile.
You can also set the action the firewall takes when reconnaissance traffic, excluding the pen-testing traffic you have excluded, exceeds the configured thresholds.
- Log in to Strata Cloud Manager.
- Select Manage > Configuration > Security Services > DoS Protection and select the Configuration Scope where you want to create the Zone Protection profile. You can select a folder or firewall from your Folders, or select Snippets to configure the Zone Protection profile in a snippet.
- Navigate to the Zone Protection Profiles and Add Profile.
- Enter a descriptive Name.
- (Optional) Enter a Description.
- Select Reconnaissance.
- Enable one or more scan types to protect against (TCP Port Scan, Host Sweep, and UDP Port Scan).
- Select the Action for each scan:
  - Allow—The firewall allows the port scan or host sweep reconnaissance to continue.
  - Alert (default)—The firewall generates an alert for each port scan or host sweep that matches the configured threshold within the specified time interval.
  - Block—The firewall drops all subsequent packets from the source to the destination for the remainder of the specified time interval.
  - Block IP—The firewall drops all subsequent packets for the specified Duration, in seconds (range is 1—3,600). You must also configure the Track By, which determines whether the firewall blocks source or source-and-destination traffic.
- Set the Interval in seconds to define the time interval for port scan and host sweep detection.
- Set the Threshold to define the number of port scan events or host sweeps that must occur within the configured Interval to trigger the action.
- (Optional) Configure Source Address Exclusion. Add an entry to add one or more IP addresses to the Source Address Exclusion List:
  - Enter a descriptive Source Address Exclusion entry name.
  - Set the Address Type to IPv4.
  - Select one or more IP Address(es).
- Save.
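To make the Interval, Threshold and Source Address Exclusion settings concrete, the following Python model replays constructed flow records through a profile and reports which sources would reach each scan type's threshold and which Action would apply. This is an added example, not Palo Alto Networks code and not a reproduction of how PAN-OS counts scan events internally; the addresses, flow records and helper names (`ScanSetting`, `ReconProfile`, `evaluate`, `demo`) are assumptions made for the illustration.

```python
"""Model of Zone Protection reconnaissance detection (added example, not PAN-OS code).

For each enabled scan type, count distinct scan events from a source within the
configured Interval, compare the count against the Threshold, skip sources on the
Source Address Exclusion list, and report the configured Action.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, List, Set, Tuple

@dataclass
class ScanSetting:
    """One scan type's settings from the Reconnaissance tab (names assumed)."""
    action: str = "alert"   # allow | alert | block | block-ip
    interval: int = 2       # seconds (assumed default for the illustration)
    threshold: int = 100    # events within Interval that trigger the Action
    enabled: bool = True

@dataclass
class ReconProfile:
    """Hypothetical stand-in for a Zone Protection profile's Reconnaissance settings."""
    tcp_port_scan: ScanSetting = field(default_factory=ScanSetting)
    host_sweep: ScanSetting = field(default_factory=ScanSetting)
    udp_port_scan: ScanSetting = field(default_factory=ScanSetting)
    source_exclusions: List[str] = field(default_factory=list)  # IPv4 hosts or netmasks

    def is_excluded(self, src: str) -> bool:
        """True if src matches any Source Address Exclusion entry."""
        addr = ip_address(src)
        return any(addr in ip_network(e, strict=False) for e in self.source_exclusions)

# Constructed flow record: (timestamp in seconds, src, dst, proto, dst_port)
Flow = Tuple[float, str, str, str, int]
Verdict = Tuple[float, str, str, str]  # (timestamp, src, scan_type, action)

def classify(flow: Flow) -> List[Tuple[str, str]]:
    """Map a flow to the (scan_type, event_key) pairs it can contribute to.

    A new destination port on a host is a port scan event (TCP or UDP);
    a new destination host is a host sweep event.
    """
    _, _, dst, proto, port = flow
    events = [("host_sweep", dst)]
    if proto in ("tcp", "udp"):
        events.append((f"{proto}_port_scan", f"{dst}:{port}"))
    return events

def evaluate(profile: ReconProfile, flows: List[Flow]) -> List[Verdict]:
    """Replay flows in time order; emit a verdict each time a source reaches
    Threshold distinct events of a scan type within the sliding Interval."""
    seen: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    window: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
    verdicts: List[Verdict] = []
    for flow in sorted(flows, key=lambda f: f[0]):
        ts, src = flow[0], flow[1]
        if profile.is_excluded(src):
            continue  # excluded pen-test sources bypass detection entirely
        for scan_type, key in classify(flow):
            setting: ScanSetting = getattr(profile, scan_type)
            if not setting.enabled or key in seen[(src, scan_type)]:
                continue  # disabled scan type, or a port/host already counted
            seen[(src, scan_type)].add(key)
            times = window[(src, scan_type)]
            times.append(ts)
            while times and ts - times[0] > setting.interval:
                times.popleft()  # age out events older than Interval
            if len(times) >= setting.threshold:
                verdicts.append((ts, src, scan_type, setting.action))
                times.clear()  # start counting toward the next verdict
    return verdicts

def build_sample_flows() -> List[Flow]:
    """Constructed flow records (documentation-range addresses), not captured traffic."""
    flows: List[Flow] = []
    # External host probing 25 TCP ports on one server within half a second.
    flows += [(100.0 + i * 0.02, "203.0.113.10", "10.0.0.5", "tcp", 1 + i) for i in range(25)]
    # Internal pen-test host doing the same; it sits on the exclusion list.
    flows += [(200.0 + i * 0.02, "192.168.50.7", "10.0.0.5", "tcp", 1 + i) for i in range(25)]
    # External host sweeping 12 internal addresses with ICMP.
    flows += [(300.0 + i * 0.05, "203.0.113.20", f"10.0.0.{i + 1}", "icmp", 0) for i in range(12)]
    return flows

def demo() -> List[Verdict]:
    """Run the constructed flows through a profile with deliberately low thresholds."""
    profile = ReconProfile(
        tcp_port_scan=ScanSetting(action="block-ip", interval=2, threshold=10),
        host_sweep=ScanSetting(action="alert", interval=10, threshold=10),
        udp_port_scan=ScanSetting(enabled=False),
        source_exclusions=["192.168.50.0/24"],
    )
    return evaluate(profile, build_sample_flows())

if __name__ == "__main__":
    for ts, src, scan_type, action in demo():
        print(f"t={ts:.2f} {src} {scan_type} -> {action}")
```

Running `demo()` yields two `block-ip` verdicts for the external port scanner (25 distinct ports against a threshold of 10 within a 2-second Interval) and one `alert` for the host sweeper, while the excluded pen-test host produces nothing even though its traffic is identical to the scanner's. That last point is the practical caveat of Source Address Exclusion: an excluded address bypasses reconnaissance detection completely, so the list should hold only the hosts your IT department actually tests from.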