Zone Protection

L1 Bithead

Hi

I have a question related to zone protection. I am having a company do vulnerability scanning on my system and I want to be able to disable zone protection only for the IPs of the scanner. What would be the best way to accomplish this? Any help much appreciated. At the moment there is one zone protection profile that is applied to my "External" zone.

 

Regards

Jakob


All Replies
Community Team Member

Re: Zone Protection

Hi,

 

As far as I know, only if you have an option to add this IP to a different zone, it's possible to bypass the scanning. Otherwise, there is no straightforward way to achieve this.

 

I do know there is a feature request (FR) for this already. Please reach out to your local SE and ask him to vote for the FR.

 

Regards,

-Kim.


L7 Applicator

Re: Zone Protection

Zone protection policies are "zone based", so you don't have the capability to exclude a specific IP address.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI
L7 Applicator

Re: Zone Protection

Hello,

We do our own periodic scanning and I also ran into this. The workaround I used was on the scanner: I set it with the lowest/slowest possible settings so it would not trigger the zone protection. Not the greatest, since an actor can use this to scan us, but it was the only way.

 

Regards,

L1 Bithead

Re: Zone Protection

Hi Kim

Many thanks for this, I asked my SE to vote for the feature.

 

Kind Regards

Jakob

L1 Bithead

Re: Zone Protection

Hi Otakar

Thanks for this, yes I guess this could also be used as a "workaround" until Palo Alto gives us a more permanent solution.

 

Regards

Jakob

L7 Applicator

Re: Zone Protection

I'm pretty sure that zone protection will never work based on source/destination, as those packets are thrown away before being processed at that level.

If you want this functionality then you should use a DoS policy, where you can exactly specify source(s) and destination(s).

What you lack with DoS is malformed packets (fragmented traffic, ping of death etc.).

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI

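The DoS-policy approach described in the reply above, laid out as PAN-OS CLI set commands. This is an added example, not configuration taken from the thread or from Palo Alto Networks: the zone names External and Internal, the profile and rule names, and the scanner address 203.0.113.10 are placeholders, the threshold numbers are arbitrary, and the exact node names should be checked against the CLI on your own PAN-OS release. The shape of it is: keep the zone protection profile on External for the packet-based protections a DoS policy cannot replace, switch the flood thresholds off there and re-create them in a DoS protection profile, then put a DoS rule that exempts the scanner's source address above the rule that applies the profile, since DoS rules are evaluated top-down and the first match wins.

```text
# --- Zone protection profile on External (placeholder names; verify on your release) ---
# Packet-based attack protection (fragments, malformed options, etc.) stays here,
# because a DoS policy has no equivalent. Flood detection is disabled at zone level
# so that rate thresholds are enforced only by the per-source DoS rules below.
set network profiles zone-protection-profile ZPP-External flood tcp-syn enable no
set network profiles zone-protection-profile ZPP-External flood udp enable no
set network profiles zone-protection-profile ZPP-External flood icmp enable no
set zone External network zone-protection-profile ZPP-External

# --- Aggregate DoS protection profile carrying the flood thresholds (arbitrary values) ---
set profiles dos-protection DoS-External type aggregate
set profiles dos-protection DoS-External flood tcp-syn enable yes
set profiles dos-protection DoS-External flood tcp-syn red alarm-rate 10000
set profiles dos-protection DoS-External flood tcp-syn red activate-rate 10000
set profiles dos-protection DoS-External flood tcp-syn red maximal-rate 40000
set profiles dos-protection DoS-External flood udp enable yes
set profiles dos-protection DoS-External flood udp red alarm-rate 10000
set profiles dos-protection DoS-External flood udp red activate-rate 10000
set profiles dos-protection DoS-External flood udp red maximal-rate 40000

# --- DoS rule 1: the scanner (placeholder 203.0.113.10) is matched first and exempted ---
# action allow means no DoS profile is applied to this traffic.
set rulebase dos rules Allow-Vuln-Scanner from External
set rulebase dos rules Allow-Vuln-Scanner to Internal
set rulebase dos rules Allow-Vuln-Scanner source 203.0.113.10
set rulebase dos rules Allow-Vuln-Scanner destination any
set rulebase dos rules Allow-Vuln-Scanner service any
set rulebase dos rules Allow-Vuln-Scanner action allow

# --- DoS rule 2: everything else from External gets the aggregate profile ---
set rulebase dos rules Protect-External from External
set rulebase dos rules Protect-External to Internal
set rulebase dos rules Protect-External source any
set rulebase dos rules Protect-External destination any
set rulebase dos rules Protect-External service any
set rulebase dos rules Protect-External action protect
set rulebase dos rules Protect-External protection aggregate profile DoS-External

# Rule order matters: the exemption must sit above the protect rule.
move rulebase dos rules Allow-Vuln-Scanner before Protect-External
```

Two caveats a practitioner would want before committing this. First, a DoS protection profile covers flood and resource (session) limits only; port-scan and host-sweep detection lives in the zone protection profile's reconnaissance protection and is not moved by the rules above, so a vulnerability scanner that trips reconnaissance protection still needs that handled separately (later PAN-OS releases than this thread add a per-profile source address exclusion for reconnaissance protection, which is the cleaner fix for exactly that part; check the feature and its CLI node name on your release before relying on it). Second, exempting a source address from rate thresholds creates a bypass for anyone who can spoof that address, SYN floods in particular, so keep the exemption rule scoped as narrowly as possible (specific destinations and services rather than any), keep a matching security policy rule limited to the engagement window, and remove the DoS exemption when the scan is finished.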

L3 Networker

Re: Zone Protection

Can someone produce the FR # for this?

Thanks
