Focus

Configure Reconnaissance Protection

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
AIOps
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

Configure Zone Protection to Increase Network Security

Configure Packet Based Attack Protection

Configure Reconnaissance Protection

Prevent attackers from probing your network for vulnerabilities by configuring reconnaissance protection for IP protocol scan, UDP and TCP scans, and host sweeps.

Where Can I Use This?	What Do I Need?
NGFW (Cloud Managed) NGFW (PAN-OS or Panorama Managed)	For cloud-managed NGFWs: AIOps for NGFW Premium

Malicious actors use various scanning techniques, including port scans (TCP and UDP), host sweeps

, and IP protocol scans,

to identify and exploit network vulnerabilities. To protect your network against these scans, configure the Reconnaissance Protection settings of a Zone Protection profile. For each scan type, you will specify an action and the conditions that trigger the action. For example, you can block
subsequent packets from an untrusted source if the firewall detects 1000

IP protocol

scan events from that source within 60
seconds.

The following actions are supported for each scan:

Allow
—The firewall allows the port scan, host sweep

, or IP protocol scan

reconnaissance to continue.

(Default) Alert
—The firewall generates an alert for each port scan, host sweep

, or IP protocol scan

that matches the configured threshold within the specified time interval.

Block
—The firewall drops all subsequent packets from the source to the destination for the remainder of the specified time interval.

Block IP
—The firewall drops all subsequent packets for the specified

Duration

, in seconds (the range is 1-3,600).

Track By

determines whether the firewall blocks source or source-and-destination traffic.

Cloud Management

PAN-OS

Cloud Management

Configure reconnaissance protection for IP protocol scan, UDP and TCP scans, and host sweeps on Strata Cloud Manager.

You can configure protection against IP protocol scan, UDP or TCP scans, or host sweeps for next-generation firewalls managed with Strata Cloud Manager.

Configure Reconnaissance Protection.

Select

Manage

Configuration

NGFW and Prisma Access

Device Settings

Zones

Select or

Add a Zone

If you add a zone:

Enter a

Name

for the zone.

Select an

Interface Type

Add

Remove

Interfaces.

Select or

Create a New

Zone Protection Profile.

If you add a new Zone Protection profile:

Enter a

Name

for the profile.

(Optional) Add a profile description.

Configure

Flood

Packet Based Attack

Protocol

, or

EthernetSGT

settings.

Select

Reconnaissance

and under Items,

Enable

the scan types to protect against.

For each scan, select an

Action

If you select

Block-IP

, you must also configure the

Track-By

(source or source-and-destination) and

Duration

options.

For each scan, specify an

Interval (Sec)

This option defines the time interval, in seconds, for detection of the given scan type.

For each scan, specify a

Threshold (Events)

The threshold defines the number of events that must be detected within the specified interval before the specified action triggers.

(Optional) Configure the Source Address Exclusion List.

Source Address Exclusions are IP addresses that you want to exclude from reconnaissance protection. You can specify up to 20 IP addresses or netmask address objects.

Click

Add

to create a new entry.

Enter a descriptive

Name

for the address.

Select an

Address Type

Specify one or more

IP Address(es)

Click

Add

to save the Zone Protection profile.

Save

the Zone.

Push Config

PAN-OS

PAN-OS: Prevent attackers from probing your network for vulnerabilities by configuring reconnaissance protection.

Configure Reconnaissance Protection.

Select

Network

Network Profiles

Zone Protection

Select a Zone Protection profile, or

Add

a new profile and enter a

Name

for it.

On the Reconnaissance Protection tab, select the scan types to protect against.

Select an

Action

for each scan.

If you select Block IP, you must also configure the

Track By

(source or source-and-destination) and

Duration

options.

Set the

Interval

in seconds. This option defines the time interval for port scan, host sweep

, and IP protocol scan

detection.

Set the

Threshold

for reconnaissance events. The threshold defines the number of port scan, host sweep

, or IP protocol scan

events that need to occur within the specified time interval to trigger an action.

(Optional) Configure a Source Address Exclusion.

Source Address Exclusions are IP addresses that you want to exclude from reconnaissance protection. You can specify up to 20 IP addresses or netmask address objects.

Exclude only IP addresses for trusted internal groups that perform vulnerability testing.

Add

the address you want to exclude.

Enter a descriptive

Name

for the address.

For Address Type, select either

IPv4

IPv6

, and then select an address object or enter one manually.

Click

to save the Zone Protection profile.

Commit

your changes.

Apply the Zone Protection profile to the appropriate zones, including zones that connect to the internet.

Configure Zone Protection to Increase Network Security

Configure Packet Based Attack Protection

Next-Generation Firewall Docs

Configure Reconnaissance Protection

Next-Generation Firewall Docs

Configure Reconnaissance Protection

Cloud Management

PAN-OS

Recommended For You

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner