Reconnaissance Protection

  • Network > Network Profiles > Zone Protection > Reconnaissance Protection
The following settings define reconnaissance protection:
Zone Protection Profile Settings—Reconnaissance Protection
Configured In
Description
TCP Port Scan
Network
Network Profiles
Zone Protection
Reconnaissance Protection
Enable
configures the profile to enable protection against TCP port scans.
UDP Port Scan
Enable
configures the profile to enable protection against UDP port scans.
Host Sweep
Enable
configures the profile to enable protection against host sweeps.
Action
Action that the system will take in response to the corresponding reconnaissance attempt:
  • Allow
    —Permits the port scan or host sweep reconnaissance.
  • Alert
    —Generates an alert for each port scan or host sweep that matches the threshold within the specified time interval (the default action).
  • Block
    —Drops all subsequent packets from the source to the destination for the remainder of the specified time interval.
  • Block IP
    —Drops all subsequent packets for the specified
    Duration
    , in seconds (range is 1-3,600).
    Track By
    determines whether to block source or source-and-destination traffic. For example, block attempts above the threshold number per interval that are from a single source (more stringent), or block attempts that have a source and destination pair (less stringent).
Block all Reconnaissance scans except your internal vulnerability testing scans.
Interval (sec)
Time interval, in seconds, for TCP or UDP port scan detection (range is 2-65,535; default is 2).
Time interval, in seconds, for host sweep detection (range is 2-65,535; default is 10).
Threshold (events)
Number of scanned port events or host sweep events within the specified time interval that triggers the Action (range is 2-65,535; default is 100).
Use the default event threshold to log a few packets for analysis before blocking reconnaissance attempts.
Source Address Exclusion
IP addresses whitelisted from the reconnaissance protection. The list supports a maximum of 20 IP addresses or Netmask address objects.
  • Name: Enter a descriptive name for the address to exclude.
  • Address Type: Select IPv4 or IPv6 from the drop-down.
  • Address: Select an address or address object from the drop-down or enter one manually.
Whitelist only IP addresses for trusted internal groups that perform “white hat” vulnerability testing.

Related Documentation