Question on getting started with Reconnaissance Protection thresholds

L0 Member

Question on getting started with Reconnaissance Protection thresholds

I know the question about how to set Reconnaissance Protection thresholds has been asked dozens of times. The answer is always "it depends on your environment and situation". I understand that there can't be a one-size-fits-all best practice. It seems as though a trial-and-error approach is how you should dial in the thresholds and intervals.


But are there any unique factors that should be taken into consideration that could give you a general idea rather than taking shots in the dark?  Like how many different hosts and services are accessible from that zone?  Average connections per second? Frequency of any types of events in the threat logs?

L3 Networker

Re: Question on getting started with Reconnaissance Protection thresholds

A while back I went down this same path. It is a very loose control and does require a lot of attention, because something like a shopping season, COVID stimulus checks, or other events may cause spikes in traffic that you don't want to drop.

Here are some places to look for evaluating your CPS over time:

https://github.com/zepryspet/GoPAN

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/zone-protection-and-dos-protection/zone-de...

Good luck!

Cyber Elite

Re: Question on getting started with Reconnaissance Protection thresholds

@BSwientoniowski,

As @shawnhafen mentioned and you've pointed out in your question, the problem with giving any sort of general criteria on how to calculate these thresholds is that they will always be different. 

Outside of continually monitoring these values and reviewing logs over a period of time to generate a rough idea of what you should start at, there's always going to be a little bit of trial and error involved here to make them effective.
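
One way to turn the log review described in this thread into a starting number, as an added example that is not from any poster or from Palo Alto Networks. It assumes that distinct destination ports per source/destination pair in a fixed window is a usable proxy for what the firewall counts; the record layout, function names, percentile and headroom factor are all illustrative assumptions.

```python
import math
from collections import defaultdict

def ports_per_window(records, interval):
    """Distinct destination ports per (src, dst, fixed window of `interval` s)."""
    seen = defaultdict(set)
    for ts, src, dst, port in records:
        seen[(src, dst, int(ts) // interval)].add(port)
    return {key: len(ports) for key, ports in seen.items()}

def percentile(values, pct):
    """Nearest-rank percentile of a non-empty list of counts."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct * len(ordered) / 100))
    return ordered[rank - 1]

def starting_threshold(records, interval, pct=99, headroom=2.0):
    """Baseline count at `pct`, multiplied by `headroom` (both are assumptions)."""
    counts = list(ports_per_window(records, interval).values())
    if not counts:
        raise ValueError("no records in the baseline period")
    return math.ceil(percentile(counts, pct) * headroom)

def sources_over(records, interval, threshold):
    """Sources whose busiest baseline window reaches `threshold`, with that count."""
    worst = {}
    for (src, _dst, _win), n in ports_per_window(records, interval).items():
        if n >= threshold:
            worst[src] = max(worst.get(src, 0), n)
    return worst

# Constructed sample: (epoch_seconds, src_ip, dst_ip, dst_port). Not real log data.
SAMPLE = [
    (0, "10.0.0.5", "192.0.2.10", 80),
    (1, "10.0.0.5", "192.0.2.10", 443),
    (1, "10.0.0.6", "192.0.2.10", 443),
    (3, "10.0.0.5", "192.0.2.10", 443),
    (4, "10.0.0.6", "192.0.2.11", 25),
    # A monitoring host that legitimately touches many ports in one window.
    (6, "10.0.0.9", "192.0.2.10", 22), (6, "10.0.0.9", "192.0.2.10", 80),
    (6, "10.0.0.9", "192.0.2.10", 443), (7, "10.0.0.9", "192.0.2.10", 3306),
    (7, "10.0.0.9", "192.0.2.10", 5432), (7, "10.0.0.9", "192.0.2.10", 8080),
]

if __name__ == "__main__":
    interval = 2  # seconds; use the interval configured in your own profile
    print("starting threshold:", starting_threshold(SAMPLE, interval))
    print("sources at or above 5 ports/window:", sources_over(SAMPLE, interval, 5))
```

Feed it a baseline long enough to include the kind of seasonal spikes mentioned above, and review the `sources_over` output before moving the profile from alerting to a blocking action.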
