topic Re: Zone protection for scan up / ports from internet ( untrust) in General Topics

Zone protection for scan up / ports from internet ( untrust)

AudioCodes — Sun, 01 Dec 2019 19:17:16 GMT

Hi ,

Anyone enable zone protection for protect and drop scan ip and ports from untrust / internet to DMZ or untrust ?

i enabled it but I have alerts only from DMZ to untrust and not from untrust to DMZ or untrust to untrust.

Re: Zone protection for scan up / ports from internet ( untrust)

BPry — Mon, 02 Dec 2019 21:38:23 GMT

Have you actually toned it for your environment. The thing with ZPP is that they need to be customized to your environment; the defaults won't do you any good.

Re: Zone protection for scan up / ports from internet ( untrust)

BruceBennett — Tue, 03 Dec 2019 02:07:27 GMT

@BPry

How do you determine the right settings, are there general guidelines or some reference available?

Re: Zone protection for scan up / ports from internet ( untrust)

BPry — Tue, 03 Dec 2019 02:44:20 GMT

@BruceBennett,

When it comes to flood protection you need to adjust the alarm rate based off of the information you can gather through a netflow capture, or you can simply take a guess and adjust as needed. Just ensure that you are only lowering the alarm rate and not the activate and maximum values and you'll only trigger a log when that rate is hit.

For Reconnaissance Protection you can set the action to alert and mess around with the interval/threshold value as you see fit. Again, as long as it is only set to alert no negative action will take place.