When I scan my firewall from the internet, no matter what I try I still get this...
Are you scanning the dedicated management IP or one of the dataplane interfaces?
Do you have any destination NAT that is referring to the IP address you are scanning?
In the deny rule you have configured, you mentioned you have selected any application, but what have you applied for services?
Do you have an interface management profile or GlobalProtect applied on this interface?
- If you are scanning the dedicated mgmt interface, no rule will have effect - unless your routing is forwarding the mgmt traffic over the firewall itself. If your mgmt interface is directly connected to a public network, no security rule is applied. You can only use "permit-ip".
- If the IP you are scanning is used in a destination NAT rule (or in bi-directional NAT), the actual security rule that will filter traffic to it must have the post-NAT destination zone. So your untrust-untrust rule will not actually match.
- If you deny any application but use default ports, you essentially block only "known applications on default ports". The firewall will still allow the initial packets (like the TCP handshake), because it needs to detect the application to understand which application it is and if it uses its default ports. The proper way to define a "deny rule" would be to use "any app" and "any service".
Any interface management profile or GlobalProtect portal/gateway assigned on this interface?
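The two deny-rule shapes from the list above, written out as PAN-OS CLI configuration. This is an added illustration, not configuration from the original post or from the person asking; the rule name deny-external-scan, the untrust zone names and the scanner/firewall addresses used in the policy-match test are assumed, and lines starting with # are annotations, not CLI input.

```text
# --- configure mode ---

# Weak form: application any + service application-default.
# The firewall has to let the TCP handshake through to identify the
# application before it can decide whether the port is that app's default,
# so a port scanner from the internet still sees the ports as open.
set rulebase security rules deny-external-scan from untrust to untrust source any destination any application any service application-default action deny

# Corrected form: any application on any service. The rule matches on the
# first packet, so the handshake is dropped and the scanner sees nothing.
set rulebase security rules deny-external-scan from untrust to untrust source any destination any application any service any action deny
commit

# --- operational mode ---

# Verify which rule a scan packet would hit. Assumed addresses:
# scanner 203.0.113.10 probing TCP/22 on firewall address 198.51.100.5.
# If 198.51.100.5 is rewritten by a destination NAT rule, "to" must be the
# post-NAT zone (for example trust), not untrust, or the match is meaningless.
test security-policy-match from untrust to untrust source 203.0.113.10 destination 198.51.100.5 protocol 6 destination-port 22
```

If the policy-match output names a rule other than the deny rule, or no rule at all, look at the NAT rulebase and the zone of the post-NAT destination before touching the security rule again.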
Sorry, but you are losing me with the Azure... I don't have experience with public clouds, so I am a little confused why the firewall would even listen in the first place.
Anyway, if it is a dataplane interface, traffic should definitely pass via the security policy. Can you share your exact configuration for the deny rule?
When I create a scanning policy on the firewall, I don't assign any security profiles. Then on the scanner I set it to allow only 1 connection per attempt. What this does is prevent the scan from looking like a major probe to the firewall. You might have to tweak the settings a bit, but it'll work out for you. Also, please don't make your scans authenticated when scanning external interfaces/etc.