Allow remote host to port scan

I am looking to allow a single host on the outside to run an NMAP port scan. What can I do to allow this host to get an accurate picture from the outside without giving additional access that may skew the results? In addition I would need it to bypass vulnerability protection (TCP Scan 8001). Looking at my scan attempts I see the application type come back as Traceroute, non-applicable, lpd, dns, icmp and ssh. I am open to ideas, thank you!


L6 Presenter

Hi Mcocat,

Let's say user X is on the outside network, and it wants to scan users Y and Z. Then allow "any" "any" access from user X to users Y & Z. Make sure you don't apply any profile to the rule; this will bypass all types of scanning on the firewall.

Now create another rule for port 8001. Configure the appropriate source and destination. In the rule, do not specify a vulnerability profile. Let me know if this helps.

Regards,

Hardik Shah

I don't want to grant more access than is currently available, though. I want to see the true picture of what is open from the outside. I just want to bypass the scan threat that is being blocked. The threat ID is 8001, not the port I am trying to access.

Here is the explanation of TCP Scan settings in Zone Protection profile.

Interval (sec) - Enter the time interval for port scans and host sweep detection (seconds).

Threshold (events) - Enter the number of scanned ports within the specified time interval that will trigger this protection type (events).

Keep the scanning rate below the values configured for the above two parameters.


Try this -> nmap -sS hostname --max-rate 1

Or use a very slow scan, which will never trigger the TCP Scan 8001 alarm.

nmap -sS hostname --max-rate 0.1

For more details check nmap's guide -> Timing and Performance
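To make the interval/threshold relationship above concrete, here is a small simulation of a port-scan detector of that shape. This is an added example, not code from the thread or from Palo Alto Networks: it assumes a simplified model in which, per source IP, the detector counts distinct destination ports seen within a sliding window of `interval` seconds and alerts when that count reaches `threshold`. The IP address and the scan traffic are constructed. It is useful on the defender side for checking what scan rate a given profile will actually see.

```python
"""Toy model of an interval/threshold port-scan detector (added example).

Assumed model: for each source IP, count distinct destination ports observed
inside a sliding window of `interval` seconds; when the count reaches
`threshold`, raise an alert and reset that source's counter. The real
Zone Protection counter may differ in details (window alignment, reset
behaviour), so treat this as a reasoning aid, not a specification.
"""
from collections import defaultdict, deque


class ScanDetector:
    def __init__(self, interval_sec, threshold_events):
        self.interval = interval_sec
        self.threshold = threshold_events
        # per-source queue of (timestamp, dport) events still inside the window
        self._events = defaultdict(deque)
        self.alerts = []  # (timestamp, source) of every alert raised

    def observe(self, ts, src, dport):
        """Feed one SYN-to-port event; return True if it raises an alert."""
        q = self._events[src]
        q.append((ts, dport))
        # drop events that have aged out of the window
        while q and ts - q[0][0] > self.interval:
            q.popleft()
        distinct_ports = {p for _, p in q}
        if len(distinct_ports) >= self.threshold:
            self.alerts.append((ts, src))
            q.clear()  # assumed: counter restarts after an alert
            return True
        return False


def simulate_scan(rate_pps, n_ports, interval_sec, threshold_events,
                  src="198.51.100.7"):
    """Run a constructed scan of n_ports distinct ports at rate_pps packets/sec
    through the detector and return the number of alerts raised."""
    det = ScanDetector(interval_sec, threshold_events)
    gap = 1.0 / rate_pps
    for i in range(n_ports):
        det.observe(i * gap, src, 1 + i)  # ports 1..n_ports, one per packet
    return len(det.alerts)


def slowest_detectable_rate(interval_sec, threshold_events):
    """Packets/sec at which `threshold` distinct ports first fit inside one
    interval; any slower scan of distinct ports never trips this profile."""
    return (threshold_events - 1) / interval_sec


if __name__ == "__main__":
    interval, threshold = 2, 20  # constructed profile values
    print("slowest detectable rate:", slowest_detectable_rate(interval, threshold), "pps")
    for rate in (100, 10, 5, 1, 0.1):
        print(f"{rate} pps -> {simulate_scan(rate, 50, interval, threshold)} alert(s)")
```

With the constructed profile (interval 2 s, threshold 20) a 100 pps or 10 pps scan of 50 ports raises two alerts, while 5 pps, 1 pps and 0.1 pps raise none, which is the behaviour the reply above relies on. The same function shows the defender's side of the trade-off: a profile with a long interval and a low threshold catches slower scans, at the cost of more alerts from legitimate bursty clients.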

Hi Mcoat,

In that case, create a policy which allows port 8001 traffic between the specific source and destination. Do not apply any profiles to it, and the firewall will not check threats for it.

If you want to configure a profile for security reasons, then create an exception for 8001. Please refer to the document below for the same.

Add a Vulnerability Exception Specifically Based Upon Source and Destination IP Address

Regards,

Hardik Shah

L7 Applicator

Unfortunately, you can't white list an ip address for these scans.  The TCP Scan 8001 is generated by your Zone Protection profile.

network--Network Profiles--Zone Protection

[Screenshot: ZoneProtectionProfile.png]

These only have actions for alert or block variations globally for the entire zone to which the policy is applied. You cannot override this by a specific security policy or other means.

I think your best bet is to turn the action to alert, as shown above, during your test and restore the original setting afterwards.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center