Configure Reconnaissance Protection

Configure one of the following Reconnaissance Protection actions for the firewall to take in response to the corresponding reconnaissance attempt:
  • Allow—The firewall allows the port scan or host sweep reconnaissance to continue.
  • Alert—The firewall generates an alert for each port scan or host sweep that matches the configured threshold within the specified time interval. Alert is the default action.
  • Block—The firewall drops all subsequent packets from the source to the destination for the remainder of the specified time interval.
  • Block IP—The firewall drops all subsequent packets for the specified Duration, in seconds (the range is 1-3,600). Track By determines whether the firewall blocks source or source-and-destination traffic.
  1. Configure Reconnaissance Protection.
    1. Select NetworkNetwork ProfilesZone Protection.
    2. Select a Zone Protection profile or Add a new profile and enter a Name for it.
    3. On the Reconnaissance Protection tab, select the scan types to protect against.
    4. Select an Action for each scan. If you select Block IP, you must also configure Track By (source or source-and-destination) and Duration.
    5. Set the Interval in seconds. This options defines the time interval for port scan and host sweep detection.
    6. Set the Threshold. The threshold defines the number of port scan events or host sweeps that occurs within the interval configured above that triggers an action.
  2. (Optional) Configure a Source Address Exclusion.
    1. On the Reconnaissance Protection tab, Add a Source Address Exclusion.
      1. Enter a descriptive Name for the whitelisted address.
      2. Set the Address Type to IPv4 or IPv6 and then select an address object or enter an IP address.
      3. Click OK.
    2. Click OK to save the Zone Protection profile.
    3. Commit your changes.

Related Documentation