<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Zone protection reconnaissance protection in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/zone-protection-reconnossainse-protection/m-p/16068#M11740</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You didn't mention what your alert and activate thresholds are set to. One thing you can do is to try lowering these values to the lowest possible to ensure that the rule is having the desired effect. If they are, then you can increase the values to a more real-world number. But as you mentioned that you are testing, this should help to isolate if things are working as expected. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Also, to help verify, you can look at global counters to ensure the zone protection is working. This is done via the CLI with the following command.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&amp;gt; show counter global filter delta yes | match dos&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope this helps.&lt;/P&gt;&lt;P&gt;-Richard&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Mon, 25 Mar 2013 19:35:42 GMT</pubDate>
    <dc:creator>Retired Member</dc:creator>
    <dc:date>2013-03-25T19:35:42Z</dc:date>
    <item>
      <title>Zone protection reconnaissance protection</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/zone-protection-reconnossainse-protection/m-p/16067#M11739</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;I am testing the "reconnaissance protection" feature on a PA-200. I built a reconnaissance protection profile over the zone protection tab and I marked "reconnaissance protection" and I checked "tcp port scan", "host sweep" and "udp port scan" (with default settings). I activated the zone protection profile on each zone.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am executing "nmap" over a subnet (default zenmap settings) but the PA doesn't detect it as a "port scan". I found the PA identifies that traffic like "ssl webbrowsing rule". &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Best regards, &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 25 Mar 2013 15:24:42 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/zone-protection-reconnossainse-protection/m-p/16067#M11739</guid>
      <dc:creator>ENAGAS</dc:creator>
      <dc:date>2013-03-25T15:24:42Z</dc:date>
    </item>
    <item>
      <title>Re: Zone protection reconnaissance protection</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/zone-protection-reconnossainse-protection/m-p/16068#M11740</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You didn't mention what your alert and activate thresholds are set to. One thing you can do is to try lowering these values to the lowest possible to ensure that the rule is having the desired effect. If they are, then you can increase the values to a more real-world number. But as you mentioned that you are testing, this should help to isolate if things are working as expected. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Also, to help verify, you can look at global counters to ensure the zone protection is working. This is done via the CLI with the following command.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&amp;gt; show counter global filter delta yes | match dos&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope this helps.&lt;/P&gt;&lt;P&gt;-Richard&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 25 Mar 2013 19:35:42 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/zone-protection-reconnossainse-protection/m-p/16068#M11740</guid>
      <dc:creator>Retired Member</dc:creator>
      <dc:date>2013-03-25T19:35:42Z</dc:date>
    </item>
  </channel>
</rss>

