NMAP Scan, PA show open ports

Showing results for 
Show  only  | Search instead for 
Did you mean: 

NMAP Scan, PA show open ports

L2 Linker

Hello experts!


When I scan my firewall from the internet no matter what I try I still get this.. 


53/tcp open domain syn-ack ttl 64
80/tcp open http syn-ack ttl 64
443/tcp open https syn-ack ttl 64
8080/tcp open http-proxy syn-ack ttl 64
I have setup an untrust-untrust (app) any (application) any and to drop rule at the top of the security. (limited to the nmap scanning ip). I have set the ZP to RED but the firewall still says it has ports open. 
I am stuck. Any advice how to stop the PA doing this?

Cyber Elite
Cyber Elite

Hi @BizBo 


Are you scanning the dedicated management IP or one of the dataplane interfaces.

Do you have any destination NAT that is refering to the IP address you are scanning?

In the deny rule you have configured, you mentioned you have select any application, but what you have apply for services?

Do you have interface management profile or GlobalProtect applied on this interface?


- If you are scanning the dedicated mgmt inteface not rule will have effect - unless your routing is not forwarding the mgmt traffic over the firewall itself. If you mgmt interface is directly connected to public network, no security rule is applied. You can only use "permit-ip"

- If the IP your are scanning in used in destination NAT rule (or in bi-directional NAT), the actual security rule that will filter traffic to it must have the post-nat destination zone. So your untrust-untrust will not actually match

- If you deny any application, but using default ports  you esentially block only "known applications on default ports". Firewall will still allow the initial packets (like tcp-hand-shake), because it needs to detect the application to understand which application it is and if it use its default ports. Proper way to define "deny rule" would be to use "any app" and "any service"



Hello @Astardzhiev 


its the untrust on the dataplane, 


No the IP is not referenced as this is an Azure VM which I forgot to add. 


Yes the service is set to ANY



Hey @BizBo 


Any interface management profile or GlobalProtect portal/gateway assiged on this interface?

Sorry, but you are loosing me with the Azure... I don't experiance with public clouds so I am little confused why the firewall will even listen on first place.

Anyway if it is dataplane interface traffic should definately pass via the security policy, can share your exact configuration for the deny rule?


When I create a scanning policy on the firewall, I dont assign any security profiles. Then on the scanner I set it to only allow only 1 connection per attempt. What this does is prevent the scan form looking like a major probe to the firewall. You might have to tweak the settings a bit but it'll work out for you. Also please dont make your scans authenticated when scanning external interfaces/etc.



Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!