Except Specific IPs from port scan detection / Zone Protection



L2 Linker

Echoing last comment as the mentioned DOC URI is gone. Gets old quick, my vuln scanners throwing up thousands of alerts each week every time they do a scan across (or within) the same/different zones.

L5 Sessionator

Anyone found a solution to original post? Making an exception for a zone protection is still impossible? Because this is a serious issue with many customers.



L1 Bithead



There is a feature request # 1910.


Whitelisting with Zone Protection (Reconnaissance). We have a handful of vulnerability scanners on campus used to scan our hosts and they are getting blocked by the zone protection profile. We are wondering if there is a feature request for providing a white list to not get blocked by the zone protection profile.


This FR has been open for at least 2 years.  If you are interested, contact your sales person and sales engineer to add your company/name to the FR.   


The last update that I got was that it is being considered in PAN OS 8.0, no confirmation yet.



L5 Sessionator

Hi all,


How about combining two zone protection profiles? One that is aggressive, for the Untrust zone, and one that is permissive for the Trust zone, that will allow your "friendly" IPs to scan. Then create GP gateway for friendly IPs, push them the route towards Trust / DMZ / whatever you are scanning, and sort them out in their own "scanners" zone. Once they start scanning only permissive profile from the Trust zone will be applied to their scans, allowing them to finish the job. They are coming from separate scanners zone thus easily circumventing aggressive blocking profile on the Untrust zone.
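
A simplified model of the two-profile layout suggested above, as an added example that is not part of the original post and is not PAN-OS code. It assumes the profile attached to the zone where traffic enters is the one evaluated; the zone names, thresholds and addresses are constructed for illustration.

```python
from collections import defaultdict

# Hypothetical profiles: distinct ports within `interval` seconds that trigger a block.
PROFILES = {
    "aggressive": {"threshold": 100, "interval": 2},
    "permissive": {"threshold": 100000, "interval": 2},
}
# Hypothetical zone-to-profile binding following the layout in the post.
ZONE_PROFILE = {"untrust": "aggressive", "scanners": "permissive"}


class ReconDetector:
    """Sliding-window port scan detector keyed on (ingress zone, source IP)."""

    def __init__(self, zone_profile=ZONE_PROFILE, profiles=PROFILES):
        self.zone_profile = zone_profile
        self.profiles = profiles
        self.seen = defaultdict(dict)  # (zone, src) -> {dst_port: last_seen_ts}
        self.blocked = set()

    def observe(self, ts, ingress_zone, src, dst_port):
        """Return 'allow' or 'block' for one connection attempt."""
        key = (ingress_zone, src)
        if key in self.blocked:
            return "block"
        profile = self.profiles.get(self.zone_profile.get(ingress_zone))
        if profile is None:  # no profile attached to this zone
            return "allow"
        ports = self.seen[key]
        ports[dst_port] = ts
        # Forget ports last probed outside the detection interval.
        for p in [p for p, t in ports.items() if ts - t > profile["interval"]]:
            del ports[p]
        if len(ports) >= profile["threshold"]:
            self.blocked.add(key)
            return "block"
        return "allow"


def run_scan(detector, ingress_zone, src, ports=range(1, 1025), rate=1000):
    """Replay a constructed port sweep at `rate` probes/sec; return probes allowed."""
    allowed = 0
    for i, port in enumerate(ports):
        if detector.observe(i / rate, ingress_zone, src, port) == "allow":
            allowed += 1
    return allowed
```

The same sweep is cut off after 99 probes when it enters through the zone with the aggressive profile, and completes all 1024 probes when it enters through the dedicated scanners zone.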




