How to Block an IP for a Specific Period upon Detecting Port Scan or Host Sweep

Created On 09/25/18 17:39 PM - Last Modified 06/14/23 07:17 AM


Symptoms

This article describes how to block a source IP, or traffic between a particular source and destination IP, for a specific period of time when a port scan or host sweep is detected.

Diagnosis

Using the Reconnaissance Protection settings, we can track and block a port scan or host sweep based on a source IP or a combination of source IP and destination IP for a specific period. When a port scan or host sweep is detected for a particular source IP or combination of source and destination IP, further traffic from that source IP, or from that source IP to that destination IP, is dropped for the specified interval.



Resolution


To configure the Block IP feature in Reconnaissance Protection:

 

  1. In the WebGUI, go to Network > Network Profiles > Zone Protection > Zone Protection Profile > Reconnaissance Protection.
  2. Change the Action from Alert to Block IP and set Track By to either Source or Source and Destination IP, based on your requirement.

  3. After the Track By field is selected, select the duration in seconds (minimum value is 1 second and maximum value is 3600 seconds). When the port scan/host sweep protection is triggered, all further traffic from that source IP or from that source to destination IP (based on the option selected in the Track By field) is blocked for the specified period.


  4. Then Commit the changes to make this active.
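
The difference between the two Track By options and the effect of the duration, shown as an added example that is not Palo Alto Networks code: a small Python model of a block table. The class, method names and sample addresses are hypothetical, and ending the block exactly `duration` seconds after detection is an assumption of the model.

```python
from dataclasses import dataclass, field

MIN_DURATION, MAX_DURATION = 1, 3600  # seconds, the range given in step 3


@dataclass
class BlockTable:
    """Toy model of the Block IP action; not PAN-OS code."""
    track_by: str   # "source" or "source-and-destination"
    duration: int   # block period in seconds
    _expiry: dict = field(default_factory=dict)  # key -> time the block ends

    def __post_init__(self):
        if self.track_by not in ("source", "source-and-destination"):
            raise ValueError("unknown Track By value")
        if not MIN_DURATION <= self.duration <= MAX_DURATION:
            raise ValueError("duration must be 1-3600 seconds")

    def _key(self, src, dst):
        # Source tracking ignores the destination entirely.
        return src if self.track_by == "source" else (src, dst)

    def on_detection(self, src, dst, now):
        """Called when a port scan or host sweep from src is detected."""
        self._expiry[self._key(src, dst)] = now + self.duration

    def is_dropped(self, src, dst, now):
        """True while a matching block entry has not yet expired."""
        key = self._key(src, dst)
        end = self._expiry.get(key)
        if end is None:
            return False
        if now >= end:              # assumed expiry rule of this model
            del self._expiry[key]   # block period over, traffic flows again
            return False
        return True


def demo():
    # Constructed sample: 198.51.100.7 scans 10.0.0.5 at t=0, block for 300 s.
    results = {}
    for mode in ("source", "source-and-destination"):
        table = BlockTable(track_by=mode, duration=300)
        table.on_detection("198.51.100.7", "10.0.0.5", now=0)
        results[mode] = (
            table.is_dropped("198.51.100.7", "10.0.0.5", now=10),   # scanned host
            table.is_dropped("198.51.100.7", "10.0.0.9", now=10),   # other host
            table.is_dropped("198.51.100.7", "10.0.0.5", now=300),  # after expiry
        )
    return results
```

With Source tracking the scanner is cut off from every destination behind the zone; with Source and Destination tracking only the scanned pair is dropped, so the same source can still reach other hosts during the block period.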

 

 


