Safe Port Scanning

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Safe Port Scanning

L1 Bithead

Hi folks,

 

When I perform a nmap port scan on my IP range protected by Palo Alto Firewall, almost every port responded to SYN scan.

 

This is a known issue, as I found:

Port scan report shows all TCP ports are open

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgRCAS

 

If I want to successfully perform a port scan, the only solution seems to be to disable SYN flood protection.

Do anyone know if there is anyway to "whitelist" a source IP, so a particular IP can perform port scan without interference from the flood protection component, but still enable flood protection to the general public?

 

I have been told that Palo Alto tech support informed us that there is no way to "whitelist" a source IP for port scan, and the only resolutions are:

  1. Disable SYN flood protection.
  2. Change the Action from SYN Cookie to Random Early Drop.
  3. Increase the threshold for activation.

I just wanted to pick the brains of the community to see if there is any other way to perform port scan on the firewall without disabling flood protection completely.

1 accepted solution

Accepted Solutions

There are only 3 places in the firewall GUI for my PA-220 that I can reasonable add in the exclusion for my scanner's IP as shown below:

  • NETWORK -> Network Profiles -> Zone Protection -> (My Profile Name) -> Zone Protection Profile (Reconnaissance Protection) ->
    SOURCE ADDRESS EXCLUSION
  • NETWORK -> Zones -> (My Zone Name that use ZONE PROTECTION PROFILE) -> User Identification ACL -> EXCLUDE LIST
  • NETWORK -> Zones -> (My Zone Name that use ZONE PROTECTION PROFILE) -> Device-ID ACL -> EXCLUDE LIST

Unfortunately, adding my scanner's IP to these 3 places did not resolve the issue.

 

Fortunately, I noticed the following setting:

NETWORK -> Network Profiles -> Zone Protection -> (My Profile Name) -> Zone Protection Profile (Flood Protection) -> SYN

  • Action: SYN Cookies
  • Activate: 0

Someone had set "Activate" to 0, which is too low. After I changed it to 25,000 as per the PA recommendation, I no longer encounter the problem of every port responding to SYN or CONNECT scan as open.

 

View solution in original post

2 REPLIES 2

Cyber Elite
Cyber Elite

Hello,

You can add the source IP of the scanner as an Address Exclusion in the zone protection profile. The other thing I have done in the past is slow the scanner down, i.e. only uses 1 check at a time.

 

Regards,

There are only 3 places in the firewall GUI for my PA-220 that I can reasonable add in the exclusion for my scanner's IP as shown below:

  • NETWORK -> Network Profiles -> Zone Protection -> (My Profile Name) -> Zone Protection Profile (Reconnaissance Protection) ->
    SOURCE ADDRESS EXCLUSION
  • NETWORK -> Zones -> (My Zone Name that use ZONE PROTECTION PROFILE) -> User Identification ACL -> EXCLUDE LIST
  • NETWORK -> Zones -> (My Zone Name that use ZONE PROTECTION PROFILE) -> Device-ID ACL -> EXCLUDE LIST

Unfortunately, adding my scanner's IP to these 3 places did not resolve the issue.

 

Fortunately, I noticed the following setting:

NETWORK -> Network Profiles -> Zone Protection -> (My Profile Name) -> Zone Protection Profile (Flood Protection) -> SYN

  • Action: SYN Cookies
  • Activate: 0

Someone had set "Activate" to 0, which is too low. After I changed it to 25,000 as per the PA recommendation, I no longer encounter the problem of every port responding to SYN or CONNECT scan as open.

 

  • 1 accepted solution
  • 4512 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!