Enable configures the profile to enable protection against TCP port scans.
UDP Port Scan
Enable configures the profile to enable protection against UDP port scans.
Host Sweep
Enable configures the profile to enable protection against host sweeps.
Action
Action that the system will take in response to the corresponding reconnaissance attempt:
Allow—Permits the port scan or host sweep reconnaissance.
Alert—Generates an alert for each port scan or host sweep that matches the threshold within the specified time interval (the default action).
Block—Drops all subsequent packets from the source to the destination for the remainder of the specified time interval.
Block IP—Drops all subsequent packets for the specified Duration, in seconds (range is 1-3,600). Track By determines whether to block source or source-and-destination traffic. For example, block attempts above the threshold number per interval that are from a single source (more stringent), or block attempts that have a source and destination pair (less stringent).
Block all Reconnaissance scans except your internal vulnerability testing scans.
Interval (sec)
Time interval, in seconds, for TCP or UDP port scan detection (range is 2-65,535; default is 2).
Time interval, in seconds, for host sweep detection (range is 2-65,535; default is 10).
Threshold (events)
Number of scanned port events or host sweep events within the specified time interval that triggers the Action (range is 2-65,535; default is 100).
Use the default event threshold to log a few packets for analysis before blocking reconnaissance attempts.
Source Address Exclusion
IP addresses that you want to exclude from reconnaissance protection. The list supports a maximum of 20 IP addresses or Netmask address objects.
Name—Enter a descriptive name for the address to exclude.
Address Type—Select IPv4 or IPv6 from the drop-down.
Address—Select an address or address object from the drop-down or enter one manually.
Exclude only IP addresses for trusted internal groups that perform vulnerability testing.
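
The following added example (not from the original page, and not the firewall's own implementation) models how Interval, Threshold, Track By, Duration and Source Address Exclusion interact for the Block IP action. The function names, the sliding-window counting, the 300-second default duration, the lowered threshold of 6 and all addresses are assumptions or constructed sample data.

```python
import ipaddress
from collections import defaultdict, deque

def simulate_block_ip(events, interval=2, threshold=100, duration=300,
                      track_by="source", exclusions=()):
    """Simplified model of the Block IP action (not vendor code).
    events: time-ordered (seconds, src, dst) tuples, one per scan event.
    Returns (blocked_at, dropped), both keyed by the tracked key."""
    # Ranges below are the ones documented in the table above.
    if not (2 <= interval <= 65535 and 2 <= threshold <= 65535):
        raise ValueError("interval and threshold must be within 2-65,535")
    if not 1 <= duration <= 3600:
        raise ValueError("duration must be within 1-3,600 seconds")
    if len(exclusions) > 20:
        raise ValueError("exclusion list supports at most 20 entries")
    if track_by not in ("source", "source-and-destination"):
        raise ValueError("unknown track_by value")
    excluded = [ipaddress.ip_network(e, strict=False) for e in exclusions]
    window = defaultdict(deque)        # key -> event times inside the interval
    blocked_until, blocked_at, dropped = {}, {}, defaultdict(int)
    for t, src, dst in events:
        if any(ipaddress.ip_address(src) in net for net in excluded):
            continue                   # excluded source: never counted
        key = src if track_by == "source" else (src, dst)
        if blocked_until.get(key, -1) > t:
            dropped[key] += 1          # still inside the block duration
            continue
        times = window[key]
        times.append(t)
        while t - times[0] >= interval:
            times.popleft()            # assumption: sliding window
        if len(times) >= threshold:
            blocked_until[key] = t + duration
            blocked_at.setdefault(key, t)
            times.clear()
    return blocked_at, dict(dropped)

def sample_events():
    """Constructed sample: an outside source alternating between two
    destinations, plus an internal vulnerability scanner."""
    outside = [(i / 10, "198.51.100.7", f"10.0.0.{5 + i % 2}") for i in range(10)]
    internal = [(i / 10, "10.9.9.9", "10.0.0.5") for i in range(20)]
    return sorted(outside + internal)

if __name__ == "__main__":
    for mode in ("source", "source-and-destination"):
        print(mode, simulate_block_ip(sample_events(), threshold=6,
                                      track_by=mode, exclusions=["10.9.9.0/24"]))
```

With the exclusion in place, tracking by source blocks 198.51.100.7 at its sixth event, while tracking by source-and-destination never reaches the threshold because each pair sees only five events. Removing the exclusion causes the internal scanner at 10.9.9.9 to be blocked as well.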