topic Re: Allow remote host to port scan in General Topics

Allow remote host to port scan

mcocat — Fri, 27 Feb 2015 19:37:10 GMT

I am looking to allow a single host on the outside to run an NMAP port scan. What can I do to allow this host to get an accurate picture from the outside without giving additional access that may skew the results? In addition I would need it to bypass vulnerability protection (TCP Scan 8001). Looking at my scan attempts I see the application type come back as Traceroute, non-applicable, lpd, dns, icmp and ssh. I am open to ideas, thank you!

Re: Allow remote host to port scan

hshah — Fri, 27 Feb 2015 20:24:30 GMT

Hi Mcocat,

Lets say user X is on outside network. And It wants to do scanning for user Y and Z. Than allow "any" "any" access to user X to user Y&Z. Make sure you dont apply and profile to rule, This will by pass all type of scanning on the firewall.

Now create another rule for port 8001. Configure appropriate source and destination. In the rule do not specify vulnerability profile. Let me know if this helps.

Regards,

Hardik Shah

Re: Allow remote host to port scan

mcocat — Fri, 27 Feb 2015 21:34:17 GMT

I don't want to grant more access than is currently available though. I want to see the true picture of what is open from the outside. I just want to bypass the scan threat that is being blocked. the threat id is 8001, not the port I am trying to access.

Re: Allow remote host to port scan

jthakur — Sat, 28 Feb 2015 03:01:39 GMT

Here is the explanation of TCP Scan settings in Zone Protection profile.

Interval (sec) - Enter the time interval for port scans and host sweep detection (seconds).

Threshold (events) - Enter the number of scanned ports within the specified time interval that will trigger this protection type (events).

Keep the scanning rate below values configured for above two parameters..

Try this -> nmap -sS hostname --max-rate 1

Or a very slow scanning which will never trigger the alarm TCP Scan 8001.

nmap -sS hostname --max-rate 0.1

For more details check nmap's guide -> Timing and Performance

Re: Allow remote host to port scan

hshah — Sat, 28 Feb 2015 14:53:54 GMT

Hi Mcoat,

In that case create a policy which allows port 8001 traffic between specific source and destination. Do not apply any profiles to it. And Firewall will not check threat for it.

If you want to configure profile due to security reasons than create an exception for 8001. Please refer bellow document for the same.

Add a Vulnerability Exception Specifically Based Upon Source and Destination IP Address

Regards,

Hardik Shah

Re: Allow remote host to port scan

pulukas — Mon, 02 Mar 2015 01:33:56 GMT

Unfortunately, you can't white list an ip address for these scans. The TCP Scan 8001 is generated by your Zone Protection profile.

network--Network Profiles--Zone Protection

These only have actions for alert or block variations globally for the entire zone to which the policy is applied. you cannot override this by a specific security policy or other means.

I think your best bet is to turn the action to alert, as show above, during your test and restore the original setting afterwards.