https://live.paloaltonetworks.com/t5/general-topics/prevent-scan/m-p/22164#M16156 <HTML><HEAD></HEAD><BODY><P>Hello soporteseguridad,</P><P></P><P><SPAN>I would configure reconnaissance protection via zone protection profile to protect your to detect and block host sweep , TCP and UDP scans.</SPAN></P><P></P><P>FYI, zone protection applies to incoming traffic. That means, if you want to protect DMZ&nbsp; then you should apply zone-protection on the Untrust zone (facing Internet) and the Trust zone (<SPAN style="font-size: 10pt; line-height: 1.5em;">facing your LAN - if you wish to protect from inside threats as well ( for example an overtaken client is being used to DOS your DMZ devices))</SPAN></P><P></P><P>Here are some documents which will help is configuring it:</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-3094">Threat Prevention Deployment Tech Note</A>&nbsp; (Page 41-42)</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-5078">Understanding DoS Protection</A>(Page 10-11)</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-6132">Zone Protection Profile not Engaging During Penetration Scan</A></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Hope that helps!</SPAN></P><P></P><P></P><P>Thanks and regards,</P><P>Kunal Adak</P></BODY></HTML> Mon, 11 Nov 2013 14:39:00 GMT kadak 2013-11-11T14:39:00Z https://live.paloaltonetworks.com/t5/general-topics/prevent-scan/m-p/22163#M16155 <HTML><HEAD></HEAD><BODY><P><SPAN lang="en"><SPAN class="hps">HI,</SPAN></SPAN></P><P><SPAN lang="en"><SPAN class="hps"><BR /></SPAN></SPAN></P><P><SPAN lang="en"><SPAN class="hps">we have</SPAN> <SPAN class="hps">detected that we</SPAN> <SPAN class="hps">are suffering</SPAN> <SPAN class="hps">a scan of</SPAN> <SPAN class="hps">all servers in</SPAN> <SPAN class="hps">our </SPAN><SPAN class="hps">DMZ</SPAN>, <SPAN class="hps">the</SPAN> <SPAN class="hps">IP source</SPAN> <SPAN class="hps">is</SPAN> <SPAN class="hps">151.236.14.140</SPAN>, <SPAN class="hps">on port 443</SPAN>.</SPAN></P><P><SPAN lang="en"><SPAN class="hps"><BR /></SPAN></SPAN></P><P><SPAN lang="en"><SPAN class="hps">How can we</SPAN> <SPAN class="hps">avoid this kind of attack or prevent it?</SPAN><SPAN>?</SPAN></SPAN></P><P><SPAN lang="en"><SPAN><BR /></SPAN></SPAN></P><P><SPAN lang="en"><SPAN>Thanks<BR /></SPAN></SPAN></P></BODY></HTML> Mon, 11 Nov 2013 13:35:25 GMT https://live.paloaltonetworks.com/t5/general-topics/prevent-scan/m-p/22163#M16155 soporteseguridad 2013-11-11T13:35:25Z https://live.paloaltonetworks.com/t5/general-topics/prevent-scan/m-p/22164#M16156 <HTML><HEAD></HEAD><BODY><P>Hello soporteseguridad,</P><P></P><P><SPAN>I would configure reconnaissance protection via zone protection profile to protect your to detect and block host sweep , TCP and UDP scans.</SPAN></P><P></P><P>FYI, zone protection applies to incoming traffic. That means, if you want to protect DMZ&nbsp; then you should apply zone-protection on the Untrust zone (facing Internet) and the Trust zone (<SPAN style="font-size: 10pt; line-height: 1.5em;">facing your LAN - if you wish to protect from inside threats as well ( for example an overtaken client is being used to DOS your DMZ devices))</SPAN></P><P></P><P>Here are some documents which will help is configuring it:</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-3094">Threat Prevention Deployment Tech Note</A>&nbsp; (Page 41-42)</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-5078">Understanding DoS Protection</A>(Page 10-11)</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-6132">Zone Protection Profile not Engaging During Penetration Scan</A></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Hope that helps!</SPAN></P><P></P><P></P><P>Thanks and regards,</P><P>Kunal Adak</P></BODY></HTML> Mon, 11 Nov 2013 14:39:00 GMT https://live.paloaltonetworks.com/t5/general-topics/prevent-scan/m-p/22164#M16156 kadak 2013-11-11T14:39:00Z https://live.paloaltonetworks.com/t5/general-topics/prevent-scan/m-p/22165#M16157 <HTML><HEAD></HEAD><BODY><P>Hello <SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">soporteseguridad</SPAN>,</P><P></P><P>If we know the source IP then there is no problem we can directly create a security rule sourcing the IP and destined to Dmz servers for all apps and ports.</P><P>We can further use Scan prevention in Zone protection profile and apply it to the right zones.</P><P><IMG alt="zpp.PNG.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/9706_zpp.PNG.png" style="width: 620px; height: 187px;" /></P><P>We can customize the action and change the interval and so on. Once set we can see the logs by running the command as indicated in below doc.</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-3103">How to Verify if Zone Protection is Working</A></P><P></P><P>Thanks</P></BODY></HTML> Mon, 11 Nov 2013 15:58:25 GMT https://live.paloaltonetworks.com/t5/general-topics/prevent-scan/m-p/22165#M16157 Phoenix 2013-11-11T15:58:25Z