topic NMAP Scan, PA show open ports in General Topics

NMAP Scan, PA show open ports

BizBo — Sun, 07 Mar 2021 13:20:09 GMT

Hello experts!

When I scan my firewall from the internet no matter what I try I still get this..

PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 64
80/tcp open http syn-ack ttl 64
443/tcp open https syn-ack ttl 64
8080/tcp open http-proxy syn-ack ttl 64

I have setup an untrust-untrust (app) any (application) any and to drop rule at the top of the security. (limited to the nmap scanning ip). I have set the ZP to RED but the firewall still says it has ports open.

I am stuck. Any advice how to stop the PA doing this?

Darren

Re: NMAP Scan, PA show open ports

aleksandar.astardzhiev — Mon, 08 Mar 2021 12:29:44 GMT

Hi @BizBo

Are you scanning the dedicated management IP or one of the dataplane interfaces.

Do you have any destination NAT that is refering to the IP address you are scanning?

In the deny rule you have configured, you mentioned you have select any application, but what you have apply for services?

Do you have interface management profile or GlobalProtect applied on this interface?

- If you are scanning the dedicated mgmt inteface not rule will have effect - unless your routing is not forwarding the mgmt traffic over the firewall itself. If you mgmt interface is directly connected to public network, no security rule is applied. You can only use "permit-ip"

- If the IP your are scanning in used in destination NAT rule (or in bi-directional NAT), the actual security rule that will filter traffic to it must have the post-nat destination zone. So your untrust-untrust will not actually match

- If you deny any application, but using default ports you esentially block only "known applications on default ports". Firewall will still allow the initial packets (like tcp-hand-shake), because it needs to detect the application to understand which application it is and if it use its default ports. Proper way to define "deny rule" would be to use "any app" and "any service"

Re: NMAP Scan, PA show open ports

BizBo — Mon, 08 Mar 2021 13:28:21 GMT

Hello @aleksandar.astardzhiev

its the untrust on the dataplane,

No the IP is not referenced as this is an Azure VM which I forgot to add.

Yes the service is set to ANY

Re: NMAP Scan, PA show open ports

aleksandar.astardzhiev — Mon, 08 Mar 2021 13:57:09 GMT

Hey @BizBo

Any interface management profile or GlobalProtect portal/gateway assiged on this interface?

Sorry, but you are loosing me with the Azure... I don't experiance with public clouds so I am little confused why the firewall will even listen on first place.

Anyway if it is dataplane interface traffic should definately pass via the security policy, can share your exact configuration for the deny rule?

Re: NMAP Scan, PA show open ports

OtakarKlier — Mon, 08 Mar 2021 22:10:24 GMT

Hello,

When I create a scanning policy on the firewall, I dont assign any security profiles. Then on the scanner I set it to only allow only 1 connection per attempt. What this does is prevent the scan form looking like a major probe to the firewall. You might have to tweak the settings a bit but it'll work out for you. Also please dont make your scans authenticated when scanning external interfaces/etc.

Regards,