https://live.paloaltonetworks.com/t5/general-topics/zone-protection-reconnaissance/m-p/327253#M83289 <P>I think whatever you get to see in best practice document of PA ( which I hope you followed ) , then that is sufficient for now .&nbsp;</P><P>Rest you can customize at later stage once you know the effects of zone protection on your live traffic.</P> Sun, 10 May 2020 13:49:40 GMT KunalChopra 2020-05-10T13:49:40Z https://live.paloaltonetworks.com/t5/general-topics/zone-protection-reconnaissance/m-p/327078#M83259 <P>Hi,</P><P>&nbsp;</P><P>Are there any best practice settings for the reconnaissance portion of the zone protection profile.</P><P>&nbsp;</P><P>I see the default has the below.&nbsp; Is it recommended to leave as defaults or does someone have a better recommendation?</P><P>&nbsp;</P><P>TCP Port scan 100 events within 2 seconds<BR />UDP Port scan 100 events within 2 seconds<BR />Host Sweep 100 events within 10 seconds</P> Fri, 08 May 2020 19:07:21 GMT https://live.paloaltonetworks.com/t5/general-topics/zone-protection-reconnaissance/m-p/327078#M83259 MikeC 2020-05-08T19:07:21Z https://live.paloaltonetworks.com/t5/general-topics/zone-protection-reconnaissance/m-p/327253#M83289 <P>I think whatever you get to see in best practice document of PA ( which I hope you followed ) , then that is sufficient for now .&nbsp;</P><P>Rest you can customize at later stage once you know the effects of zone protection on your live traffic.</P> Sun, 10 May 2020 13:49:40 GMT https://live.paloaltonetworks.com/t5/general-topics/zone-protection-reconnaissance/m-p/327253#M83289 KunalChopra 2020-05-10T13:49:40Z https://live.paloaltonetworks.com/t5/general-topics/zone-protection-reconnaissance/m-p/327341#M83308 <P>Interestingly enough, the best practice guide mentions to leave the default threshold, but there is a video from Palo Alto regarding BPA and the threshold is different than the default</P><P>&nbsp;</P><P><A href="https://www.youtube.com/watch?v=QAuJyboFPy8" target="_blank">https://www.youtube.com/watch?v=QAuJyboFPy8</A></P> Mon, 11 May 2020 13:26:17 GMT https://live.paloaltonetworks.com/t5/general-topics/zone-protection-reconnaissance/m-p/327341#M83308 MikeC 2020-05-11T13:26:17Z https://live.paloaltonetworks.com/t5/general-topics/zone-protection-reconnaissance/m-p/328421#M83463 <P>Hello,</P><P>Zone protection feature should be handled carefully every feature requires uniqe apporach, for me i am using with block ip with duration 1Hour+ option against bad guys.</P><P>İnstead of using a general zone protection i choose to implement every single zone an individual zone protection profile.</P><P>For startup some higher thresholds rather than default can be used with "alert" action.<BR />After creation of profile with desired thresholds, monitor alerts on threat log it would appear as "scan". Enabling extensive logging feature considerable.<BR />Zone protection works on ingress zone only.<BR />If every zone has a zone protection profile keep an eye on email servers.<BR />Adjust threshold levels as "scan" attacks count. My solution was checking threat logs when i see a "scan" threat than i check traffic logs and counting connections corresponing source ip to identify scanning timing.</P> Sun, 17 May 2020 11:14:25 GMT https://live.paloaltonetworks.com/t5/general-topics/zone-protection-reconnaissance/m-p/328421#M83463 upelister 2020-05-17T11:14:25Z