topic Re: zone protection in General Topics

zone protection

Westcon2 — Fri, 10 Oct 2014 19:07:47 GMT

How do we block synfin port scan.

Re: zone protection

ssharma — Fri, 10 Oct 2014 19:14:28 GMT

You can configure zone protection on your outside zone or zone that you are more concerned about.

You can define various action. In above example, I have asked firewall to block source IP for 300 secs if that ip is trying to scan the tcp port. You can customize the alert and threshold as well. Hope this helps. Thank you.

Re: zone protection

bat — Fri, 10 Oct 2014 19:17:27 GMT

Westcon2

Have you tried the syn flood or TCP port scan in zone protection profile ? Is it not working for synfin port scan ?

Re: zone protection

Westcon2 — Fri, 10 Oct 2014 19:33:26 GMT

I have applied zone protection policy and it is set on alert.

I tried to port scan using nmap. however i could not see any hits using the command show counter global name flow_parse_l4_tcpsynfin.

Is there any way to see the zone protection logs.

Re: zone protection

hshah — Fri, 10 Oct 2014 19:34:50 GMT

Hi Westcon,

Zone Protection has ability to block port scan. You can find all relevant configuration in following link.

Understanding DoS Protection

Let us know for additional granular information.

Regards,

Hardik Shah

Re: zone protection

hshah — Fri, 10 Oct 2014 19:36:02 GMT

Hi Westcon,

You can find zone protection logs in Monitor > Threat.

It seems Nmap may not be crossing zone protection scan limit/second.

Would you share zone protection configuration along with Nmp scan rate ?

Regards,

Hardik Shah

Re: zone protection

bat — Fri, 10 Oct 2014 19:36:33 GMT

Do you see any drops in the output of this command:

show zone-protection zone <zone-name>

Re: zone protection

Westcon2 — Fri, 10 Oct 2014 19:47:46 GMT

I am using two firewalls. once is having an old setup and the other recently deployed.

The out put of the command show counter global name flow_parse_l4_tcpsynfin is as below.

My question is that does the firewall have the ability to drop the synfin packets automatically or do we need to apply the zp or dos policy.

Below is the output

Firewall 1 without zone protection

Name: flow_parse_l4_tcpsynfin

Value: 5709

Severity: Drop

Category: flow

Aspect: parse

Desciption: Packets dropped: invalid TCP flags (SYN+FIN+*)

Firewall 2

admin@Lab-Firewall> show counter global name flow_parse_l4_tcpsynfin

Name: flow_parse_l4_tcpsynfin

Value: 0

Severity: Drop

Category: flow

Aspect: parse

Desciption: Packets dropped: invalid TCP flags (SYN+FIN+*)

Re: zone protection

hshah — Fri, 10 Oct 2014 19:49:15 GMT

Hi Westcon,

Provide us following output. Whic will list all kind of latest drop.

1. Execute command "show counter global filter delta sev drop"

2. Run NMAP

3. Run again "show counter global filter delta sev drop"

Provide us output for 3rd pointer

Regards,

Hardik Shah

Re: zone protection

ssharma — Fri, 10 Oct 2014 19:56:26 GMT

Hi Westcon2,

If zone protection is triggered, you can see it under threat logs.

If you have flood attacks, you will Flood attacks warning as well.

Re: zone protection

bat — Fri, 10 Oct 2014 20:01:13 GMT

I think the syn+fin packets should drop without zone protection or DoS policy in place.

Re: zone protection

Westcon2 — Fri, 10 Oct 2014 20:16:52 GMT

Can we confirm if synfin are dropped by default without zp and Dos policy.

Thank You Sharma and Hardik. I have checked the zp in the threat logs. It is same what you showed in the screen shot.

Re: zone protection

ssharma — Fri, 10 Oct 2014 20:31:37 GMT

Any non-syn is dropped by default. But if an attack occurs and firewall is bombarded with syn-fin packets, it will open a session with syn packet and kill the session with fin. If the rate is excessive for syn-fin then cpu might go really high. So zone protection will help in that scenario. Hope this helps.

Re: zone protection

ttanzi — Mon, 22 Dec 2014 20:19:05 GMT

Does anyone now if there is a way to proactively alert when a port scan has been detected? In the threat logs, I can see the alert of a port scan but the severity level is medium and the alert id is 8001 and you cannot change the severity. We are sending email alerts on all critical threats and we do not want to start sending email alerts on severity of medium as this will generate a lot of noise.

thanks all in advance

Re: zone protection

pulukas — Mon, 22 Dec 2014 21:12:32 GMT

You can follow the procedure in DOC-3779 to fire an email for a specific threat. It does require setting up a specific policy and email profile to fire the alert.

How to Receive Email Threat Notification from the firewall