This article describes how to block a source IP, or traffic from a particular source IP to a particular destination IP, for a specific period of time when a port scan or host sweep is detected.
Using the Reconnaissance Protection settings, we can track and block a port scan or host sweep based on a source IP or a combination of source IP and destination IP for a specific period. When a port scan or host sweep is detected for a particular source IP or combination of source and destination IP, further traffic from that source IP, or from that source IP to that destination IP, is dropped for the specified interval.
To configure the Block IP feature in Reconnaissance Protection:
In the WebGUI, go to Network > Network Profiles > Zone Protection > Zone Protection Profile > Reconnaissance Protection.
Change the Action from Alert to Block IP, and set Track By to either Source or Source and Destination IP, based on your requirement.
After the Track By field is selected, select the duration (in seconds). The minimum value is 1 second and the maximum value is 3600 seconds. When the port scan/host sweep protection is triggered, all further traffic from that source IP, or from that source IP to that destination IP (based on the option selected in the Track By field), is blocked for the specified period.
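The following Python sketch is an added example, not PAN-OS code or vendor material: it models how the two Track By options change which traffic is dropped after a detection, and when the block ends. The class and function names, the sample addresses, and the choice to lift the block exactly when the duration elapses are assumptions made for illustration; scan detection itself is not modelled.

```python
"""Model of the Block IP action described above (constructed, not PAN-OS code)."""

MIN_DURATION, MAX_DURATION = 1, 3600  # seconds, the limits stated in the article


class BlockIpTable:  # hypothetical name, for illustration only
    def __init__(self, track_by, duration):
        if track_by not in ("source", "source-and-destination"):
            raise ValueError("track_by must be 'source' or 'source-and-destination'")
        if not MIN_DURATION <= duration <= MAX_DURATION:
            raise ValueError("duration must be between 1 and 3600 seconds")
        self.track_by = track_by
        self.duration = duration
        self._expiry = {}  # block key -> time at which the block ends

    def _key(self, src, dst):
        # Source tracking ignores the destination; pair tracking keeps it.
        return src if self.track_by == "source" else (src, dst)

    def scan_detected(self, src, dst, now):
        """Record a block when the scan/sweep protection is triggered."""
        self._expiry[self._key(src, dst)] = now + self.duration

    def is_dropped(self, src, dst, now):
        key = self._key(src, dst)
        end = self._expiry.get(key)
        if end is None:
            return False
        if now >= end:  # assumption: the block lifts once the duration has elapsed
            del self._expiry[key]
            return False
        return True


def replay(track_by, duration=300):
    """Replay constructed traffic after a scan from 198.51.100.7 to 10.0.0.5 at t=0."""
    table = BlockIpTable(track_by, duration)
    table.scan_detected("198.51.100.7", "10.0.0.5", now=0)
    packets = [  # (time, source, destination), constructed sample traffic
        (10, "198.51.100.7", "10.0.0.5"),        # scanner to the scanned host
        (10, "198.51.100.7", "10.0.0.9"),        # scanner to a different host
        (10, "203.0.113.4", "10.0.0.5"),         # unrelated source
        (duration, "198.51.100.7", "10.0.0.5"),  # scanner after the block period
    ]
    return [table.is_dropped(s, d, t) for t, s, d in packets]


if __name__ == "__main__":
    for mode in ("source", "source-and-destination"):
        print(mode, replay(mode))
```

With Source tracking, the scanner's traffic to every destination is dropped during the block period; with Source and Destination IP tracking, only the scanned pair is affected.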