07-13-2021 03:31 AM
Hi folks,
When I perform a nmap port scan on my IP range protected by Palo Alto Firewall, almost every port responded to SYN scan.
This is a known issue, as I found:
Port scan report shows all TCP ports are open
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgRCAS
If I want to successfully perform a port scan, the only solution seems to be to disable SYN flood protection.
Does anyone know if there is any way to "whitelist" a source IP, so a particular IP can perform a port scan without interference from the flood protection component, but still enable flood protection for the general public?
I have been told that Palo Alto tech support informed us that there is no way to "whitelist" a source IP for port scan, and the only resolutions are:
I just wanted to pick the brains of the community to see if there is any other way to perform port scan on the firewall without disabling flood protection completely.
07-15-2021 08:26 AM
There are only 3 places in the firewall GUI for my PA-220 where I can reasonably add in the exclusion for my scanner's IP, as shown below:
Unfortunately, adding my scanner's IP to these 3 places did not resolve the issue.
Fortunately, I noticed the following setting:
NETWORK -> Network Profiles -> Zone Protection -> (My Profile Name) -> Zone Protection Profile (Flood Protection) -> SYN
Someone had set "Activate" to 0, which is too low. After I changed it to 25,000 as per the PA recommendation, I no longer encounter the problem of every port responding to SYN or CONNECT scan as open.
07-13-2021 10:27 AM
Hello,
You can add the source IP of the scanner as an Address Exclusion in the zone protection profile. The other thing I have done in the past is slow the scanner down, i.e. only use 1 check at a time.
Regards,
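One way to spot the artefact described in this thread from the scanner's side, as an added example that is not part of the original posts and not a Palo Alto tool: parse nmap grepable (-oG) output and flag any host whose open-port ratio is implausibly high, which is what you see once the zone protection profile's SYN Activate threshold is crossed (with the SYN Cookies action the firewall completes the handshake itself, so every probed port looks open). The sample output, the addresses, and the 90% / 100-port thresholds are constructed assumptions for the example.

```python
"""Flag nmap results where (almost) every scanned port shows as open.

Added example for the thread above; not from the original posts. The sample
nmap -oG lines below are constructed, and the thresholds are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Heuristic thresholds (assumptions for this example, not Palo Alto values).
OPEN_RATIO_SUSPECT = 0.90   # >= 90% of scanned ports "open" looks like a SYN-proxy artefact
MIN_PORTS_TO_JUDGE = 100    # a tiny scan can legitimately be mostly open

_PORT_ENTRY = re.compile(r"^(\d+)/(\w+)/(\w+)/")           # port/state/proto/...
_IGNORED = re.compile(r"^Ignored State: (\w+) \((\d+)\)")  # e.g. "closed (997)"


@dataclass
class HostResult:
    host: str
    open_ports: list[int] = field(default_factory=list)
    scanned: int = 0

    @property
    def open_ratio(self) -> float:
        return len(self.open_ports) / self.scanned if self.scanned else 0.0


def parse_grepable(text: str) -> list[HostResult]:
    """Parse nmap -oG output. Fields on a host line are tab separated:
    Host: <ip> (<name>) \t Ports: <port>/<state>/<proto>/<owner>/<svc>/<rpc>/<ver>/, ...
    \t Ignored State: <state> (<count>)   # ports nmap collapsed into one state
    """
    results: list[HostResult] = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        fields = line.split("\t")
        result = HostResult(host=fields[0].split()[1])
        listed = 0
        for f in fields[1:]:
            if f.startswith("Ports:"):
                for entry in f[len("Ports:"):].split(","):
                    m = _PORT_ENTRY.match(entry.strip())
                    if not m:
                        continue
                    listed += 1
                    if m.group(2) == "open":
                        result.open_ports.append(int(m.group(1)))
            else:
                m = _IGNORED.match(f.strip())
                if m:
                    result.scanned += int(m.group(2))
        result.scanned += listed
        results.append(result)
    return results


def assess(result: HostResult) -> str:
    """'syn-proxy-suspect' means the open count is so high that a middlebox
    answering SYNs (e.g. zone protection) is the likely source, not the host."""
    if result.scanned < MIN_PORTS_TO_JUDGE:
        return "inconclusive"
    if result.open_ratio >= OPEN_RATIO_SUSPECT:
        return "syn-proxy-suspect"
    return "plausible"


def summarize(text: str) -> dict[str, str]:
    """Map each scanned host to its verdict."""
    return {r.host: assess(r) for r in parse_grepable(text)}


# Constructed sample: a normal host (3 open, 997 closed) and a host behind a
# flood-protection profile whose Activate rate was hit (all 1000 ports "open").
NORMAL_LINE = ("Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
               "443/open/tcp//https///\tIgnored State: closed (997)")
PROXIED_LINE = ("Host: 203.0.113.11 ()\tPorts: "
                + ", ".join(f"{p}/open/tcp//unknown///" for p in range(1, 1001)))
SAMPLE_OUTPUT = ("# Nmap scan initiated (constructed sample)\n"
                 + NORMAL_LINE + "\n" + PROXIED_LINE + "\n")

if __name__ == "__main__":
    for host, verdict in summarize(SAMPLE_OUTPUT).items():
        print(f"{host}: {verdict}")
```

Against real output (`nmap -sS -oG scan.gnmap <range>`), pass the file contents to summarize(). A `syn-proxy-suspect` verdict means check the zone protection profile's SYN Activate value, or slow the scan down as suggested above, before trusting the port list.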