https://live.paloaltonetworks.com/t5/general-topics/scan-host-sweep/m-p/133405#M47211 Threshold is the number of events in the interval amount of time<BR />So 100 hosts touched in 2 seconds for example<BR />Zone protection is global for all traffic hitting a destination zone<BR /><BR />If you need to be more granular, to protect a single server's resources for example, you should use a DOS policy<BR /><BR />If you set action alert instead of block, you will simply see a log entry for each 'scan' but no action is taken Sun, 18 Dec 2016 19:58:10 GMT reaper 2016-12-18T19:58:10Z https://live.paloaltonetworks.com/t5/general-topics/scan-host-sweep/m-p/132790#M47124 <P>Hi,</P><P>Under threat detection, scan host sweep &nbsp;droped some traffic. And under the rules it did not show anything .</P><P>What does it mean</P><P>Thanks</P> Wed, 14 Dec 2016 14:33:21 GMT https://live.paloaltonetworks.com/t5/general-topics/scan-host-sweep/m-p/132790#M47124 sib2017 2016-12-14T14:33:21Z https://live.paloaltonetworks.com/t5/general-topics/scan-host-sweep/m-p/132959#M47138 <P>Hi,</P><P>&nbsp;</P><P>Do you have a zone protection profile configured and you have configured an action for the host sweep scan?</P><P>&nbsp;</P><P>Best Regards,</P><P>&nbsp;</P><P>Fozail</P> Thu, 15 Dec 2016 06:25:26 GMT https://live.paloaltonetworks.com/t5/general-topics/scan-host-sweep/m-p/132959#M47138 fozail 2016-12-15T06:25:26Z https://live.paloaltonetworks.com/t5/general-topics/scan-host-sweep/m-p/132971#M47142 <P>You probably have zone protection enabled</P> <P>'host sweep' is a reconnaissance attack where a host 'scans' several of your ip addresses</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="zone protection.png"><img src="https://live.paloaltonetworks.com/skins/images/B81F31A7B44084F326ABA63EFCA50C9D/responsive_peak/images/image_not_found.png" alt="zone protection.png" /></span></P> Thu, 15 Dec 2016 08:12:18 GMT https://live.paloaltonetworks.com/t5/general-topics/scan-host-sweep/m-p/132971#M47142 reaper 2016-12-15T08:12:18Z https://live.paloaltonetworks.com/t5/general-topics/scan-host-sweep/m-p/133363#M47204 <P>Hi,</P><P>what is the interval and Threshold here .</P><P>how a zone protection profile integrated with a zone ?</P><P>for example if we have zone trust,server , how we assign the profile to the zone .</P><P>What if we change &nbsp;from the block to alert ? .</P><P>Thanks</P> Sun, 18 Dec 2016 13:04:44 GMT https://live.paloaltonetworks.com/t5/general-topics/scan-host-sweep/m-p/133363#M47204 sib2017 2016-12-18T13:04:44Z https://live.paloaltonetworks.com/t5/general-topics/scan-host-sweep/m-p/133405#M47211 Threshold is the number of events in the interval amount of time<BR />So 100 hosts touched in 2 seconds for example<BR />Zone protection is global for all traffic hitting a destination zone<BR /><BR />If you need to be more granular, to protect a single server's resources for example, you should use a DOS policy<BR /><BR />If you set action alert instead of block, you will simply see a log entry for each 'scan' but no action is taken Sun, 18 Dec 2016 19:58:10 GMT https://live.paloaltonetworks.com/t5/general-topics/scan-host-sweep/m-p/133405#M47211 reaper 2016-12-18T19:58:10Z https://live.paloaltonetworks.com/t5/general-topics/scan-host-sweep/m-p/134647#M47374 <P>Hi Reaper,</P><P>&nbsp;</P><P>As far as I remember "Zone Protection Profile" applies on source zone not on destination zone, correct me if I am wrong.</P><P>&nbsp;</P><P>Best Regards,</P><P>&nbsp;</P><P>Fozail</P> Tue, 27 Dec 2016 11:58:14 GMT https://live.paloaltonetworks.com/t5/general-topics/scan-host-sweep/m-p/134647#M47374 fozail 2016-12-27T11:58:14Z https://live.paloaltonetworks.com/t5/general-topics/scan-host-sweep/m-p/134659#M47377 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/16044">@fozail</a>,</P> <P>&nbsp;</P> <P><SPAN>Zone protection profile is designed to provide broad-based protection at the ingress zone (i.e. the zone where traffic enters the firewall) and is&nbsp;not designed to protect a specific end host or traffic going to a particular destination zone. &nbsp; Use the DoS protection rulebase to match on a specific zone, interface, IP address or user.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Cheers !</SPAN></P> <P><SPAN>-Kim.</SPAN></P> Tue, 27 Dec 2016 14:28:33 GMT https://live.paloaltonetworks.com/t5/general-topics/scan-host-sweep/m-p/134659#M47377 kiwi 2016-12-27T14:28:33Z https://live.paloaltonetworks.com/t5/general-topics/scan-host-sweep/m-p/134660#M47378 <P>Hi Kim,</P><P>&nbsp;</P><P>Yes, you are correct. I got confused as per other description where it is mentioned that "zone protection is for destination zone".</P><P>&nbsp;</P><P>Thank you for the clarification.</P> Tue, 27 Dec 2016 15:02:24 GMT https://live.paloaltonetworks.com/t5/general-topics/scan-host-sweep/m-p/134660#M47378 fozail 2016-12-27T15:02:24Z