Port Scan Triggering Method in Zone Protection Profile


59202
Created On 09/25/18 20:39 PM - Last Modified 06/06/23 21:23 PM


Resolution


 

In the examples below, nmap is used to demonstrate how the Reconnaissance Protection setting of a Zone Protection profile counts TCP Port Scan activity.

 

A malicious attacker can run a TCP Port Scan in many variants.

If you test with a tool other than nmap, the behavior will be the same as shown in this article.

 

Example 1: Multiple attackers against a single host

Multiple malicious attackers run a TCP Port Scan against a single host to check whether a specific range of ports is open.

 

The following are the detailed conditions to demonstrate the example.

 

  • Malicious attacker IP addresses are 1.1.1.219 and 1.1.1.218
  • Victim server IP address is 10.128.128.217
  • Target port ranges are TCP port 21 to 25.
  • Nmap command: "nmap -PS 10.128.128.217 -p T:21-25"

 

Threat log1 shows the threat log entries generated while the Palo Alto Networks firewall handles the TCP Port Scan activity described above.

 

Threat log1:

[Screenshot: case1.JPG]

 

As Threat log1 shows, when different malicious attackers run a TCP Port Scan against a single host with the same TCP port range, the Palo Alto Networks firewall counts TCP Port Scan activity separately per attacker IP address, NOT per target port, during the specified time interval.

 

Example 2: Multiple attackers against multiple hosts

Multiple malicious attackers run a TCP Port Scan against multiple hosts to check whether a specific range of ports is open.

 

The following are the detailed conditions used to demonstrate the example.

 

  • Malicious attacker IP addresses are 1.1.1.219 and 1.1.1.218
  • Victim server IP addresses are 10.128.128.217 and 10.128.128.218
  • Target port ranges are TCP port 21 to 25.
  • Nmap command: "nmap -PS 10.128.128.217 10.128.128.218 -p T:21-25"

 

Threat log2 shows the threat log entries generated while the Palo Alto Networks firewall handles the TCP Port Scan activity described above.

 

Threat log2:

[Screenshot: case2.JPG]

 

As Threat log2 shows, when different malicious attackers run a TCP Port Scan against multiple victim hosts with the same TCP port range, the Palo Alto Networks firewall counts TCP Port Scan activity separately per attacker IP address and victim host IP address pair during the specified time interval.

 

Example 3: Multiple attackers against the network

Multiple malicious attackers run a TCP Port Scan against the network to check whether a specific range of ports is open.

 

The following are the detailed conditions used to demonstrate the example.

 

  • Malicious attacker IP addresses are 1.1.1.219 and 1.1.1.218
  • Victim network is 10.128.128.0/24.
  • Target port ranges are TCP port 21 to 25.
  • Nmap command: "nmap -PS 10.128.128.0/24 -p T:21-25"

Threat log3 shows the threat log entries generated while the Palo Alto Networks firewall handles the TCP Port Scan activity described above.

 

Threat log3:

[Screenshot: case3.JPG]

 

 

As Threat log3 shows, when different malicious attackers run a TCP Port Scan against multiple victim hosts with the same TCP port range, the Palo Alto Networks firewall counts TCP Port Scan activity separately per attacker IP address and victim host IP address pair during the specified time interval. (This is the same behavior as in Example 2.)
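The counting rule the three examples establish, as an added illustration that is not code from this article or from PAN-OS: one tally per attacker/victim IP pair, incremented once per probe regardless of the destination port, and compared with a threshold inside a time interval. The probe records, the interval and threshold values, and the sliding-window comparison are constructed assumptions for the model, not the firewall's actual implementation.

```python
from collections import defaultdict

# Constructed probe records modelled on Example 2 above (sample data, not a
# real firewall log): two scanning hosts, two victim hosts, TCP ports 21-25,
# one probe every 100 ms. Each record is (timestamp_seconds, src, dst, dport).
ATTACKERS = ("1.1.1.219", "1.1.1.218")
VICTIMS = ("10.128.128.217", "10.128.128.218")
PROBES = [
    (0.1 * i, src, dst, port)
    for i, (src, dst, port) in enumerate(
        (s, d, p) for s in ATTACKERS for d in VICTIMS for p in range(21, 26)
    )
]

def pair_key(probe):
    """Counting key the article describes: attacker IP + victim IP; port ignored."""
    _ts, src, dst, _dport = probe
    return (src, dst)

def attacker_key(probe):
    """Alternative key (attacker IP only), for comparison with the pair key."""
    return probe[1]

def count_scan(probes, interval, threshold, key=pair_key):
    """Model of the counter: one tally per key, incremented once per probe,
    checked against `threshold` within a sliding window of `interval` seconds.
    Returns (total probes per key, set of keys that reached the threshold)."""
    stamps = defaultdict(list)
    for probe in probes:
        stamps[key(probe)].append(probe[0])
    totals = {k: len(t) for k, t in stamps.items()}
    triggered = set()
    for k, times in stamps.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > interval:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                triggered.add(k)
                break
    return totals, triggered

if __name__ == "__main__":
    # Five ports per pair: a threshold of 6 never fires per pair, even though
    # each attacker sent ten probes in total across both victims.
    print(count_scan(PROBES, interval=2, threshold=6))
    print(count_scan(PROBES, interval=2, threshold=6, key=attacker_key))
```

Lowering the threshold or widening the interval in the model shows which pairs would be reported; the same scan against one victim (Example 1) yields identical results for both keys, which is why Example 1 alone cannot distinguish them.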
 


