Reconnaissance Protection - Action Alert

Hello,

I configured zone protection (reconnaissance protection), enabled the tcp\udp port scan and host sweep, and kept the default action "alert".

Afterwards, I noticed in the monitor logs that this vulnerability appeared: "ZGrab Application Layer Scanner Detection". The severity is medium. Where do I change the action? I can change it in the reconnaissance protection tab, or I could change it in the Vulnerability protection profile exceptions tab. What is the difference?

Also, is this a tcp\udp port scan or a host sweep? The detailed log view doesn't specify. Also, why would something that's considered a threat, such as a scan on the network, only be set to "alert" by default?

1 accepted solution

Accepted Solutions

Cyber Elite

@${userLoginName},

I think you're confusing two very different things. When you see the 57955 in your threat logs, zone protection doesn't have anything to do with the action that is taken in this regard. You'll want to go into your vulnerability profile and override the 57955 signature to an action other than the default alert action set for that signature.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm3KCAS
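To make the distinction in this answer concrete, here is an added example (not from the thread or from Palo Alto Networks) that audits threat-log records and reports, for every threat still logged with action "alert", which configuration object actually controls its action. The record format is a simplified constructed key=value layout, not the real PAN-OS CSV field order, and the scan threat IDs are labelled placeholders; the mapping of subtype "scan" to the zone protection profile and subtype "vulnerability" to the vulnerability protection profile is assumed from the thread.

```python
"""Audit constructed threat-log records: which control produced each 'alert'?"""
import shlex

# Assumption from the thread: 'scan' entries come from the zone protection
# profile's reconnaissance settings, 'vulnerability' entries from the
# vulnerability protection profile (signature default or threat exception).
CONTROL_BY_SUBTYPE = {
    "scan": "zone protection profile (reconnaissance protection)",
    "vulnerability": "vulnerability protection profile (threat exception)",
}

# Constructed sample records in a simplified key=value form. Threat ID 57955
# is the one named in the thread; the scan IDs are constructed placeholders.
SAMPLE_LOGS = [
    "subtype=scan threatid=PLACEHOLDER-TCP-PORT-SCAN name='TCP Port Scan' "
    "src=198.51.100.7 action=alert",
    "subtype=vulnerability threatid=57955 "
    "name='ZGrab Application Layer Scanner Detection' src=198.51.100.7 action=alert",
    "subtype=scan threatid=PLACEHOLDER-HOST-SWEEP name='Host Sweep' "
    "src=203.0.113.9 action=block-ip",
    "subtype=vulnerability threatid=57955 "
    "name='ZGrab Application Layer Scanner Detection' src=203.0.113.9 action=alert",
]


def parse_record(line):
    """Parse one key=value record; shlex keeps the quoted threat name intact."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def audit_alerts(lines):
    """Return {threatid: finding} for every threat still logged with action=alert."""
    findings = {}
    for rec in map(parse_record, lines):
        if rec.get("action") != "alert":
            continue  # already blocked or dropped, nothing to change
        entry = findings.setdefault(rec["threatid"], {
            "name": rec["name"],
            "control": CONTROL_BY_SUBTYPE.get(rec["subtype"], "other profile"),
            "count": 0,
            "sources": set(),
        })
        entry["count"] += 1
        entry["sources"].add(rec["src"])
    return findings


if __name__ == "__main__":
    for tid, f in sorted(audit_alerts(SAMPLE_LOGS).items()):
        print(f"threat {tid} '{f['name']}': {f['count']} alert(s) from "
              f"{len(f['sources'])} source(s); set the action in the {f['control']}")
```

Running the block shows that 57955 is governed by the vulnerability profile even though its name contains "Scanner", while the host sweep already set to block-ip produces no finding.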


Cyber Elite

Hello,

Alert in any field means allow the traffic and log it. PAN has set their settings to a low default so as to prevent unintended conditions. I have mine set to block-ip. This way it'll block their access so they can't scan for 3600 seconds. This is changed in the zone protection profile. Just click the 'alert' and change it to something else, i.e. block-ip. Just remember to put your scanners in the exclusion section so they don't get blocked.

 

Hope this helps.

I have since set the reconnaissance action to block, but when the "ZGrab Application Layer Scanner Detection" vulnerability appears it is set to alert. Why isn't it being blocked?

If the "ZGrab Application Layer Scanner Detection" is a "scanning" vulnerability, why won't the zone protection reconnaissance block it?

Cyber Elite

Hello,

And the logs/events were after you changed the zone protection profile, e.g. new scans of someone scanning you?

Please advise,


Hi BPry,

Yes, I can see how the zone protection (reconnaissance) is different from the 57955 in the vulnerability profile. I thought that since the name of the vulnerability had the words "scanner detection" in it, it would be seen as a tcp\udp scan or host sweep threat, but apparently not.
