https://live.paloaltonetworks.com/t5/advanced-threat-prevention/host-sweep/m-p/454736#M1438 <P>Yes I agree with the&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/8083">@ymiyashita</a>&nbsp;it is tricky to get the right balance when applying the zone protection to any trusted zones, especially ones that have user internet traffic behind them as often applications will be trying to connect to any number of endpoints and normally the health of these is decided by pinging a port or an IP,</P><P>For instance PIA or private internet access pings pretty much all it's endpoints constantly to check if they are available and does this even if it is not switched on.</P><P>The only way to apply this is to, over time adjust the levels to the point where you have a baseline of normal volumes and then you can allow for anomalies&nbsp; to activate the protections.</P><P>Hope this helps.</P> Tue, 21 Dec 2021 15:53:11 GMT laurence64 2021-12-21T15:53:11Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/host-sweep/m-p/454370#M1434 <P>Our <STRONG>Zone Protection | Hoist Sweep</STRONG> configuration was blocking Internet connections on some local hosts due to enabled <STRONG>"News and Interests" Windows 10 Toolbar</STRONG>.&nbsp; I hope this helps with troubleshooting.<BR /><BR /></P> Mon, 20 Dec 2021 13:05:05 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/host-sweep/m-p/454370#M1434 tdevic 2021-12-20T13:05:05Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/host-sweep/m-p/454591#M1436 <P>It would depend on how the zone protection is configured. For the traffic from Trust to Untrust, it shouldn't be too strict especially when it's configured with "Block IP" action.<BR />I'd also suggest to check the traffic log or sessions to see what kind traffic is matching with the condition. You may also want to capture packets on the Windows 10 machine with/without "News and Interests" toolbar enabled.</P> <P>&nbsp;</P> <P>For your reference:<BR />How do I analyze alerts for SCAN: Host Sweep (8002)?<BR /><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBioCAG" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBioCAG</A></P> <P>&nbsp;</P> Tue, 21 Dec 2021 01:10:11 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/host-sweep/m-p/454591#M1436 ymiyashita 2021-12-21T01:10:11Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/host-sweep/m-p/454736#M1438 <P>Yes I agree with the&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/8083">@ymiyashita</a>&nbsp;it is tricky to get the right balance when applying the zone protection to any trusted zones, especially ones that have user internet traffic behind them as often applications will be trying to connect to any number of endpoints and normally the health of these is decided by pinging a port or an IP,</P><P>For instance PIA or private internet access pings pretty much all it's endpoints constantly to check if they are available and does this even if it is not switched on.</P><P>The only way to apply this is to, over time adjust the levels to the point where you have a baseline of normal volumes and then you can allow for anomalies&nbsp; to activate the protections.</P><P>Hope this helps.</P> Tue, 21 Dec 2021 15:53:11 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/host-sweep/m-p/454736#M1438 laurence64 2021-12-21T15:53:11Z