Host Sweep Triggering Method in Zone Protection Profile

73555
Created On 09/25/18 19:30 PM - Last Modified 02/04/22 20:40 PM


Resolution


Overview

The following example shows how the Host Sweep protection in a Zone Protection Profile is triggered on Palo Alto Networks firewalls. The setting lives in the Zone Protection Profile (Network > Network Profiles > Zone Protection), on the profile's Reconnaissance Protection tab.

  1. Go to Network > Network Profiles > Zone Protection and add a profile (named abc in this example). On the Reconnaissance Protection tab, set Host Sweep to an Interval of 50 seconds and a Threshold of 60 events.
    [Screenshot: zone protection reconnaissance test setting]
     
  2. From a single host in the source zone, run an Nmap scan against 50 IP addresses. In this test the scan completed in 42 seconds, which is inside the 50-second interval, and the probes sent by that one source crossed the 60-event threshold, so the firewall generated Threat logs for Host Sweep.

[Screenshot: Test_6, Threat log entries for the Host Sweep]

Note: Make sure the Zone Protection Profile is attached to the appropriate zone (Network > Zones); a profile that is not assigned to a zone never evaluates any traffic.

 

Cause

Host Sweep protection counts scanning activity per source host within the configured time interval. The destination IP address is not a criterion: the firewall tabulates the sweep events sent by a single source host, whatever destinations they are addressed to. A Host Sweep therefore triggers regardless of how many IP addresses are scanned, as soon as the event count from a single source host crosses the threshold within the interval.
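The following script is an added illustration of the counting rule above and of the test in steps 1 and 2; it is not Palo Alto Networks code and does not reproduce the firewall's implementation. It models what the article states: events are counted per source host over the configured interval, the destination IP is ignored, and the alert fires when the count from one source crosses the threshold. Two details are assumptions of this model only: the interval is treated as a sliding window, and "crosses" is read as "reaches or exceeds". The scanner address, target addresses and probe counts are constructed for the example.

```python
"""Model of Host Sweep counting in a Zone Protection Profile.

Added example, not Palo Alto Networks code. Assumptions (not from the
article): sliding window of `interval` seconds per source host, and the
alert fires when the count reaches or exceeds `threshold`.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float   # seconds since start of the capture
    src: str    # scanning host (the only IP the counter keys on)
    dst: str    # target host (ignored by the counter, as the article states)


def host_sweep_alerts(events, interval=50.0, threshold=60):
    """Return {src: time_of_first_alert} for every source whose event count
    within any `interval`-second window reaches `threshold`.

    Destination addresses are deliberately never examined: a source that
    sends 60 probes to one host and a source that sends 60 probes to 60
    hosts are treated identically.
    """
    windows = defaultdict(deque)   # src -> timestamps inside current window
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        q = windows[ev.src]
        q.append(ev.ts)
        # drop timestamps older than the interval (sliding-window assumption)
        while q and ev.ts - q[0] > interval:
            q.popleft()
        if len(q) >= threshold and ev.src not in alerts:
            alerts[ev.src] = ev.ts
    return alerts


def simulated_scan(src, n_hosts, probes_per_host, duration, start=0.0):
    """Constructed events: one scanner probing n_hosts targets, probes spread
    evenly over `duration` seconds. Targets are taken from 192.0.2.0/24
    (documentation range); the scanner address is the caller's choice.
    """
    total = n_hosts * probes_per_host
    step = duration / total
    return [
        Event(start + i * step, src, f"192.0.2.{1 + i % n_hosts}")
        for i in range(total)
    ]


SCANNER = "10.0.0.5"   # constructed source address


def article_test():
    """Step 2 of the article: 50 hosts, scan finished in 42 s. Two probes per
    host gives 100 events inside the 50 s interval, so the 60-event
    threshold is crossed and the source is reported."""
    return host_sweep_alerts(simulated_scan(SCANNER, 50, 2, 42.0))


def too_few_events():
    """Same 50 hosts and 42 s, but one probe each: 50 events < 60, so no
    alert. The number of IP addresses by itself does not trigger anything."""
    return host_sweep_alerts(simulated_scan(SCANNER, 50, 1, 42.0))


def too_slow():
    """100 events, but spread over 200 s: at most 26 fall inside any 50 s
    window, so the threshold is never reached."""
    return host_sweep_alerts(simulated_scan(SCANNER, 50, 2, 200.0))


def few_destinations():
    """Only 5 targets, but 14 probes each in 10 s: 70 events from one source,
    alert fires even though few addresses were touched."""
    return host_sweep_alerts(simulated_scan(SCANNER, 5, 14, 10.0))


if __name__ == "__main__":
    for name, fn in [("article test", article_test), ("too few events", too_few_events),
                     ("too slow", too_slow), ("few destinations", few_destinations)]:
        print(f"{name:16s}: {fn() or 'no alert'}")
```

To reproduce the article's test against a real firewall rather than this model, the scan in step 2 is any Nmap sweep of 50 addresses from one host; the firewall reports the source of the sweep in the Threat log, and the model above predicts that the alert appears before the scan finishes rather than at its end.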

 

owner: pchanda



Additional Information


For the Host Sweep alert to trigger, the scanning traffic must be allowed by the Security policy.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZhCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail