Zone Protection


L1 Bithead

HI

I have a question related to zone protection. I am having a company doing vulnerability scanning on my system and I want to be able to disable zone protection only for the IPs of the scanner. What would be the best way to accomplish this? Any help much appreciated. At the moment there is one zone protection profile that is applied to my "External" zone.


Regards

Jakob


7 Replies

Community Team Member

Hi,

As far as I know, only if you have an option to add this IP to a different zone, it's possible to bypass the scanning. Otherwise, there is no straightforward way to achieve this.

I do know there is a feature request (FR) for this already. Please reach out to your local SE and ask him to vote for the FR.

Regards,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi

Zone protection policies are "zone based", so you don't have the capability to exclude some specific IP address.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hello,

We do our own periodic scanning and I also ran into this. The work around I used was on the scanner. I set it with the lowest/slowest possible settings so it would not trigger the zone protection. Not the greatest since an actor can use this to scan us, but it was the only way.


Regards,

Hi Kim

Many thanks for this, I asked my SE to vote for the feature.


Kind Regards

Jakob

Hi Otakar

Thanks for this, yes I guess this could also be used as a "workaround" until Palo Alto gives us a more permanent solution.

Regards

Jakob

I'm pretty sure that zone protection will never work based on source/destination.

As those packets are thrown away before being processed at that level.

If you want this functionality then you should use DoS policy where you can exactly specify source(s) and destination(s).

What you lack with DoS is misformatted packets (fragmented traffic, ping of death etc).

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
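To make the DoS-policy approach in the reply above concrete, here is an added illustration of what a scanner carve-out looks like in PAN-OS `set` syntax. This is not from the original thread and not Palo Alto Networks' own documentation: the zone name `External`, the object names `scanner-src`, `allow-scanner`, `protect-external` and `dos-default`, and the scanner address `203.0.113.10` (RFC 5737 documentation range) are placeholders I chose, and the command layout follows the DoS rulebase configuration tree as I understand it, so check it against the PAN-OS CLI reference for your release before committing.

```panos
# Address object for the authorised scanner (constructed example address).
# Keep it a /32 so the exemption is as narrow as possible.
set address scanner-src ip-netmask 203.0.113.10/32

# Rule 1: traffic from the scanner into External matches first and is
# simply allowed, i.e. no DoS profile is applied to it.
set rulebase dos rules allow-scanner from zone External
set rulebase dos rules allow-scanner to zone any
set rulebase dos rules allow-scanner source scanner-src
set rulebase dos rules allow-scanner destination any
set rulebase dos rules allow-scanner source-user any
set rulebase dos rules allow-scanner service any
set rulebase dos rules allow-scanner action allow

# Rule 2: everything else entering External gets the aggregate DoS
# profile. "dos-default" is assumed to be an existing DoS protection
# profile with your flood thresholds configured.
set rulebase dos rules protect-external from zone External
set rulebase dos rules protect-external to zone any
set rulebase dos rules protect-external source any
set rulebase dos rules protect-external destination any
set rulebase dos rules protect-external source-user any
set rulebase dos rules protect-external service any
set rulebase dos rules protect-external action protect
set rulebase dos rules protect-external protection aggregate profile dos-default

# DoS rules are evaluated top-down, first match wins, so the narrow
# exemption must sit above the catch-all rule.
move rulebase dos rules allow-scanner before protect-external
commit
```

Two practical points follow from the reply this illustrates. First, this only relocates the flood thresholds from the zone protection profile into a DoS policy; the packet-based protections (fragment handling, malformed packets and similar) that only zone protection provides still apply to the scanner, so if the scan trips those you are back to the workarounds in the other replies. Second, the `allow-scanner` rule is a standing hole in your flood protection for that one address, so it is worth disabling or deleting it once the engagement ends and confirming in the threat log that the scanner's traffic is no longer hitting the catch-all rule while it is in place.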

Can someone produce the FR # for this?

Thanks
