topic Re: Except Specific IPs from port scan detection / Zone Protection in General Topics

Except Specific IPs from port scan detection / Zone Protection

SDorsey — Tue, 20 May 2014 21:34:24 GMT

I have a highly regulated environment with multiple internal security zones. We need to be able to run our vulnerability scanning solution against servers in separate zones on a routine basis.

It was simple to exempt the scanner's IP from the Threat Prevention stuff (created a new security profile group which alerts on everything instead of blocking, and created a rule in the ACL to match against the scanner IP).

However, the vulnerability scanner is still prevented from completing its job because of zone protection (specifically, port scanning). I would hate to have to disable the zone protection rules or change them to alert EVERY time we wish to run a scan.

Any wonderful ideas?

Re: Except Specific IPs from port scan detection / Zone Protection

nchong — Wed, 21 May 2014 02:40:41 GMT

There is a workaround to do this by creating and zone without any zone protection and use the IPs that you would like to be exempted as the loopback interface IP.

The steps required can be found here.

How to Exempt a Specific IP address from Zone Protection

https://live.paloaltonetworks.com/docs/DOC-3972

Hope this works for you.

Regards,

Narong

Re: Except Specific IPs from port scan detection / Zone Protection

Satish — Wed, 21 May 2014 03:49:23 GMT

Hi Mackwage,

You can apply policy as u like and Mr. Narong is right you can use the same. its help full.....

Regards

Satish

Re: Except Specific IPs from port scan detection / Zone Protection

SDorsey — Wed, 21 May 2014 20:34:07 GMT

Thanks for you reply.

However it does not quite fit the scenario I am after. This seems like it would only work if you opened up one of your PUBLIC IPs. At that, it appears it would open up that public ip to port scanning from anywhere.

All devices in this scenario are internal. There is no NAT. The vulnerablity appliance is internal and has a static IP. We need to be able to scan devices in other "internal" zones.. and would like to open up port scanning from only the source vulnerability scanner.. and no other IPs.

Re: Except Specific IPs from port scan detection / Zone Protection

nchong — Thu, 22 May 2014 06:38:13 GMT

In the example it shows that the external IP is the one that is being exempted. But instead of using the external IP subnet you can use the internal IP subnet as the loopback address.

Re: Except Specific IPs from port scan detection / Zone Protection

AndrewHammond — Fri, 21 Nov 2014 18:54:51 GMT

We experienced a similar challenge and needed to allow our QSVs vulnerability scanners to bypass IDS/IPS and scan unobstructed for vulnerabilities. We achieved this by adding a Security Rule to allow the scanner IPs (no profiles) on TCP.

This eliminated the Scan Interference our QSV scanners were experiencing. This same approach should work internal-to-internal also.

Re: Except Specific IPs from port scan detection / Zone Protection

SDorsey — Wed, 03 Dec 2014 00:54:41 GMT

This can still cause interference as port scans are blocked by the Zone Protection profile which is configured at the zone level and not via an ACL rule.

Re: Except Specific IPs from port scan detection / Zone Protection

AndrewHammond — Wed, 03 Dec 2014 14:49:45 GMT

This was a suggested way to resolve the issue from PA support and it did resolve our specific scan interference issues, but I agree it may not be the end all be all.

Re: Except Specific IPs from port scan detection / Zone Protection

Wenar — Wed, 03 Dec 2014 16:53:37 GMT

I don't see a way to create an exception for one IP-Address or Subnet. The zone protection applies to the whole traffic in this zone. You could deactivate the zone protection and try to add a DoS Protection Rule which is configured like the zone protection.

Re: Except Specific IPs from port scan detection / Zone Protection

mseiler — Fri, 30 Jan 2015 14:57:54 GMT

Hello,

the link is no more accessable....Access to this place or content is restricted. If you think this is a mistake, please contact your administrator or the person who directed you here.

Can anyone provide the details or is there another solution ??

Regards

Michael

Re: Except Specific IPs from port scan detection / Zone Protection

PeterT — Mon, 24 Aug 2015 22:25:56 GMT

Echoing last comment as the mentioned DOC URI is gone. Get's old quick my vuln scanners throwing up thousands of alerts each week every time they do a scan across (or in within) the same/different zones.

Re: Except Specific IPs from port scan detection / Zone Protection

santonic — Tue, 25 Aug 2015 06:15:42 GMT

Anyone found a solution to original post? Making an exception for a zone protection is still impossible? Because this is a serious isuue with many customers.

Re: Except Specific IPs from port scan detection / Zone Protection

workarounds — Wed, 26 Aug 2015 19:46:58 GMT

All,

There is a feature request # 1910.

Whitelisting with Zone Protection (Reconnaissance). We have a handful of vulnerability scanners on campus use to scan our hosts and they are getting block by the zone protection profile. We are wondering if there is a feature request for providing a white list to not get block by the zone protection profile.

This FR has been open for at least 2 years. If you are interested, contact your sales person and sales engineer to add your company/name to the FR.

The Last update that I got was, it is been consider in PAN OS 8.0, no confirmation yet.

Re: Except Specific IPs from port scan detection / Zone Protection

Lucky — Thu, 27 Aug 2015 21:28:58 GMT

Hi all,

How about combining two zone protection profiles? One that is aggressive, for the Untrust zone, and one that is permissive for the Trust zone, that will allow your "friendly" IPs to scan. Than create GP gateway for friendly IPs, push them the route towards Trust / DMZ / whatever you are scanning, and sort them out in their own "scanners" zone. Once they start scanning only permissive profile from the Trust zone will be applied to their scans, allowing them to finish the job. They are coming from separate scanners zone thus esily circumventing aggressive blocking profile on the Untrust zone.

Regards

Luciano