https://live.paloaltonetworks.com/t5/general-topics/safe-port-scanning/m-p/419036#M93743 <P>Hello,</P><P>You can add the source IP of the scanner as an Address Exclusion in the zone protection profile. The other thing I have done in the past is slow the scanner down, i.e. only uses 1 check at a time.</P><P>&nbsp;</P><P>Regards,</P> Tue, 13 Jul 2021 17:27:10 GMT OtakarKlier 2021-07-13T17:27:10Z https://live.paloaltonetworks.com/t5/general-topics/safe-port-scanning/m-p/418832#M93726 <P>Hi folks,</P><P>&nbsp;</P><P>When I perform a nmap port scan on my IP range protected by Palo Alto Firewall, almost every port responded to SYN scan.</P><P>&nbsp;</P><P>This is a known issue, as I found:</P><P>Port scan report shows all TCP ports are open</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgRCAS" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgRCAS</A></P><P>&nbsp;</P><P>If I want to successfully perform a port scan, the only solution seems to be to disable SYN flood protection.</P><P>Do anyone know if there is anyway to "whitelist" a source IP, so a particular IP can perform port scan without interference from the flood protection component, but still enable flood protection to the general public?</P><P>&nbsp;</P><P>I have been told that Palo Alto tech support informed us that there is no way to "whitelist" a source IP for port scan, and the only resolutions are:</P><OL><LI>Disable SYN flood protection.</LI><LI>Change the Action from SYN Cookie to Random Early Drop.</LI><LI>Increase the threshold for activation.</LI></OL><P>I just wanted to pick the brains of the community to see if there is any other way to perform port scan on the firewall without disabling flood protection completely.</P> Tue, 13 Jul 2021 10:31:12 GMT https://live.paloaltonetworks.com/t5/general-topics/safe-port-scanning/m-p/418832#M93726 tingmy 2021-07-13T10:31:12Z https://live.paloaltonetworks.com/t5/general-topics/safe-port-scanning/m-p/419036#M93743 <P>Hello,</P><P>You can add the source IP of the scanner as an Address Exclusion in the zone protection profile. The other thing I have done in the past is slow the scanner down, i.e. only uses 1 check at a time.</P><P>&nbsp;</P><P>Regards,</P> Tue, 13 Jul 2021 17:27:10 GMT https://live.paloaltonetworks.com/t5/general-topics/safe-port-scanning/m-p/419036#M93743 OtakarKlier 2021-07-13T17:27:10Z https://live.paloaltonetworks.com/t5/general-topics/safe-port-scanning/m-p/419682#M93811 <P>There are only 3 places in the firewall GUI for my PA-220 that I can reasonable add in the exclusion for my scanner's IP as shown below:</P><UL><LI>NETWORK -&gt; Network Profiles -&gt; Zone Protection -&gt; (My Profile Name) -&gt; Zone Protection Profile (Reconnaissance Protection) -&gt;<BR />SOURCE ADDRESS EXCLUSION</LI><LI>NETWORK -&gt; Zones -&gt; (My Zone Name that use ZONE PROTECTION PROFILE) -&gt; User Identification ACL -&gt; EXCLUDE LIST</LI><LI>NETWORK -&gt; Zones -&gt; (My Zone Name that use ZONE PROTECTION PROFILE) -&gt; Device-ID ACL -&gt; EXCLUDE LIST</LI></UL><P>Unfortunately, adding my scanner's IP to these 3 places did not resolve the issue.</P><P>&nbsp;</P><P>Fortunately, I noticed the following setting:</P><P>NETWORK -&gt; Network Profiles -&gt; Zone Protection -&gt; (My Profile Name) -&gt; Zone Protection Profile (Flood Protection) -&gt; SYN</P><UL><LI>Action: SYN Cookies</LI><LI>Activate: 0</LI></UL><P>Someone had set "Activate" to 0, which is too low. After I changed it to 25,000 as per the PA recommendation, I no longer encounter the problem of every port responding to SYN or CONNECT scan as open.</P><P>&nbsp;</P> Thu, 15 Jul 2021 15:26:00 GMT https://live.paloaltonetworks.com/t5/general-topics/safe-port-scanning/m-p/419682#M93811 tingmy 2021-07-15T15:26:00Z