Vulnerability scanners such as Qualys (or nmap) to list the open TCP service ports

65823
Created On 09/25/18 19:52 PM - Last Modified 06/01/23 17:18 PM


Symptom


 A port scan run from the Internet reports every TCP port as open, even though the security policy is configured to block all TCP traffic from the Untrust zone to the Trust or DMZ zone. The same scan can also report the firewall's own interface as having all TCP ports open.



Environment


  • All PAN-OS
  • All PAN devices 


Cause


  • A port scanner run from the Internet reports every TCP port as open, although the firewall only permits HTTP and HTTPS to an internal server through a destination NAT and a matching security policy.
  • The cause is the SYN Cookies action in the zone protection profile applied to the untrust/external zone.
    • When SYN Cookies is active and the firewall receives a SYN, it answers with a SYN-ACK and waits for the client's ACK before it creates the session and evaluates the security policy. For more information on the SYN Cookies feature, check out this document.
    • Because every SYN is answered with a SYN-ACK while SYN Cookies is active, the scanner treats every probed port as open and the host as live, regardless of what the security policy would later decide.
 
  • Note: You can also configure a security policy for PAN testing as described here.
  • Note: Any TCP port scan tool that infers port state from the SYN-ACK alone will report all TCP ports as open. The Qualys scanner, for instance, reports this under QID 82023 (open TCP services list). As the Qualys blog explains, this open-port report is information gathering, not a vulnerability finding.
  • Note: Please check the difference between SYN Cookies and Random Early Drop (RED) here.


Resolution



The behavior above is working as expected. If the false positives are a problem, change the SYN flood protection in one of the following ways:
  • Disable SYN flood protection.
  • Change the Action from SYN Cookies to Random Early Drop (RED).
  • Raise the Activate rate so that SYN Cookies does not engage at the scanner's SYN rate.
Each option trades away some SYN flood protection on the external zone, so take network security into consideration before making the change.

From the GUI:
  • Go to Network > Network Profiles > Zone Protection > select the appropriate Zone Protection Profile > Flood Protection, and edit the SYN settings (Action and Activate rate).


 

From the CLI:

  • To change from SYN Cookies to Random Early Drop:

    > configure
    # delete network profiles zone-protection-profile untrust-zone flood tcp-syn syn-cookies
    # commit
    # exit

  • To change the activation rate (replace "value" with the SYN rate at which cookies should engage):

    > configure
    # set network profiles zone-protection-profile untrust-zone flood tcp-syn syn-cookies activate-rate "value"
    # commit
    # exit
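The following model ties the Cause section to the three Resolution options. It is an added illustration for this article, not Palo Alto Networks code: the firewall is simulated from the description above (while SYN Cookies is active every SYN gets a SYN-ACK and the policy is evaluated only after the client's ACK; RED drops a share of SYNs instead), and it shows why a fast SYN scan sees every port open, why pacing the scan below the Activate rate or switching to RED makes the policy visible again, and how a full-connect scan with an application probe exposes the false positives. The port list, the permitted ports, the activate rate, the RED drop ratio and the "open|filtered" labelling are all constructed assumptions of the example.

```python
"""Toy model of how SYN flood protection changes what a TCP port scanner sees.

Added illustration for this article, not Palo Alto Networks code. The
firewall behaviour is modelled from the Cause section: with SYN Cookies
active the firewall answers every SYN with a SYN-ACK and evaluates the
security policy only after the client's ACK. Ports, policy, activate rate
and RED drop ratio are constructed values.
"""
import random
from dataclasses import dataclass, field


@dataclass
class FloodProtection:
    """Subset of the TCP SYN flood settings: action and activation threshold."""
    action: str = "syn-cookies"          # "syn-cookies", "red" or "off"
    activate_rate: int = 100             # SYN/s above which the action engages
    red_drop_probability: float = 0.5    # assumed share of SYNs dropped by RED


@dataclass
class Firewall:
    allowed_ports: frozenset             # what the Untrust -> DMZ policy permits
    flood: FloodProtection
    rng: random.Random = field(default_factory=lambda: random.Random(0))

    def handle_syn(self, port: int, syn_rate: int) -> str:
        """Reply to a client SYN: 'SYN-ACK' or 'DROP'."""
        active = self.flood.action != "off" and syn_rate > self.flood.activate_rate
        if active and self.flood.action == "syn-cookies":
            # Cookie SYN-ACK is sent before any policy lookup, whatever the port.
            return "SYN-ACK"
        if active and self.flood.action == "red":
            # RED discards a share of SYNs; the survivors take the normal path.
            if self.rng.random() < self.flood.red_drop_probability:
                return "DROP"
        # Normal path: the policy is checked on the SYN itself.
        return "SYN-ACK" if port in self.allowed_ports else "DROP"

    def handle_established(self, port: int) -> str:
        """After the handshake completes, the policy decides the session."""
        return "FORWARDED" if port in self.allowed_ports else "DROP"


def syn_scan(fw: Firewall, ports, syn_rate: int) -> dict:
    """Half-open scan: a SYN-ACK is taken as 'open', as a SYN scanner does."""
    return {p: "open" if fw.handle_syn(p, syn_rate) == "SYN-ACK" else "filtered"
            for p in ports}


def connect_scan(fw: Firewall, ports, syn_rate: int) -> dict:
    """Full handshake plus an application probe after it.

    A port whose handshake completes but whose probe is never forwarded is
    reported as 'open|filtered' (the example's own label) instead of 'open'.
    """
    result = {}
    for p in ports:
        if fw.handle_syn(p, syn_rate) != "SYN-ACK":
            result[p] = "filtered"
        elif fw.handle_established(p) == "FORWARDED":
            result[p] = "open"
        else:
            result[p] = "open|filtered"   # cookie artefact: handshake, then silence
    return result


PORTS = (22, 80, 443, 3389)               # constructed scan targets
POLICY = frozenset({80, 443})             # constructed: only HTTP/HTTPS permitted


def demo() -> dict:
    """Run the scenarios from the article and return what each scan reports."""
    cookies = Firewall(POLICY, FloodProtection("syn-cookies", activate_rate=100))
    red = Firewall(POLICY, FloodProtection("red", activate_rate=100))
    return {
        # Fast SYN scan against SYN Cookies: every port looks open.
        "cookies_fast_syn": syn_scan(cookies, PORTS, syn_rate=1000),
        # Same scan paced below the activate rate: the policy is visible again.
        "cookies_slow_syn": syn_scan(cookies, PORTS, syn_rate=10),
        # Full connect with a probe: the false positives stand out.
        "cookies_fast_connect": connect_scan(cookies, PORTS, syn_rate=1000),
        # RED instead of cookies: denied ports are never reported open.
        "red_fast_syn": syn_scan(red, PORTS, syn_rate=1000),
    }


if __name__ == "__main__":
    for name, res in demo().items():
        print(f"{name:22s} {res}")
```

The same reasoning applies when validating a real scanner report: rerun the scan with a low packet rate, or with a full-connect scan that sends a service probe, and compare the result against the policy before treating an "all ports open" report as a finding.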

 

 


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgRCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail