Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

New Advanced URL Filtering Category: Scanning Activity

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
L2 Linker

Graphics Created (20).jpg

 

We intend to introduce a new category called “Scanning Activity” under Advanced URL Filtering. 

 

ACTION: Your action is required. By default, we set the “Scanning Activity” category to “Block” mode for the default profile only. If you have multiple URL Filtering profiles, we recommend that you change the default action to “Block” for this category in each of your profiles.

 

How is Scanning Activity Defined?

Adversaries are increasingly taking advantage of infected hosts to scan a network for vulnerabilities and launch targeted attacks. Additionally, attackers frequently include such probing activities in their malicious campaigns to carry out attacks on a network. Palo Alto Networks defines these scanning and probing tactics as “Scanning Activity” and are considered to be indicators of compromise.

 

Will the “Scanning Activity” category be visible across all versions of PAN-OS?

Yes, the Scanning Activity category will be visible across all supported PAN-OS versions. However, it is functional only for firewalls running PAN-OS 9.1 and later versions and requires  an Advanced URL filtering license. 

 

When will the “Scanning Activity” category be available?

The “Scanning Activity” category will be visible on the administrator management console after you install the content release scheduled for July 11, 2023 (or a later version). However, we will not begin publishing URLs to this new category until November 28, 2023. 

 

When will the Scanning Activity”  category be functional?

Starting November 28, 2023, Palo Alto Networks will start publishing URLs that are categorized as Scanning Activity.” Please ensure that your Security policy rules are configured to account for this new category.

 

What is the recommended action for the Scanning Activity category?

Scanning activity is an indicator of compromise that can pose a serious threat to users and businesses. Therefore, we recommend that you keep the default action for this category set to “Block.”

 

Note: The “Scanning Activity” category action is set to “Block” only for the default profile. If you have multiple URL Filtering profiles, an administrator must update the default action to “Block” for this category in each of your profiles. This requirement applies to all supported versions of PAN-OS software.

 

Why is the new "Scanning Activity" category missing under my URL filtering profiles?
The 'Scanning Activity' category is only available to customers with the content release version 8729 and above. It will not be visible in previous versions. To take advantage of this new category, customers are required to update to the appropriate content release version.


What happens if my NGFW is still using the content version below 8729?
For customers using content versions below 8729, published URLs in this new category will not be categorized under 'Scanning Activity' and will instead be classified as 'Unknown'. If the NGFW's 'Unknown' category is set to 'block,' these URLs can be blocked accordingly.

 

How do I avoid disruptions during the scheduled vulnerability scanning/ penetration testing within my network?

The Scanning Activity category may detect and block sanctioned penetration testing or scheduled scanning traffic from scanner services, which are routinely run to comply with best practices. To prevent this traffic from being flagged and blocked by the Scanning Activity category, we recommend whitelisting the IP addresses of the scanners generating this traffic within the security policies.

 

For more information, please see the KB article: Firewall setting to reduce the FW interference for pen-test on a resource behind the FW.

 

What action should I take when the “Scanning activity” category is triggered?
Scanning activities within your network is an indicator of compromise that can pose a significant threat to your users and business. Therefore, we recommend the following:

 

  • Ensure that the category is set to “Block.”
  • Check the source IP address of users who generate this type of traffic under the URL Filtering log to isolate the host.


Note: Scanning activity detention is agnostic if the processed traffic is from ingress or egress. If the source IP address of the scan does not belong to your network, please check if the URL filtering profile is being applied to the ingress traffic under your security policy.

 

What is the Palo Alto Networks test URL for Scanning Activity?

http://urlfiltering.paloaltonetworks.com/test-scanning-activity

 

Additional Information

For more information on best practices when managing Advanced URL Filtering categories, please read our 

 

24 Comments
  • 406375 Views
  • 24 comments
  • 5 Likes
Register or Sign-in
Labels