scan-host sweep

L4 Transporter

Hi,

Under threat detection, scan host sweep dropped some traffic. And under the rules it did not show anything.

What does it mean?

Thanks

7 REPLIES

L3 Networker

Hi,

 

Do you have a zone protection profile configured and you have configured an action for the host sweep scan?

 

Best Regards,

 

Fozail

Cyber Elite

You probably have zone protection enabled.

'Host sweep' is a reconnaissance attack where a host 'scans' several of your IP addresses.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi,

What are the interval and threshold here?

How is a zone protection profile integrated with a zone?

For example, if we have zone trust, server, how do we assign the profile to the zone?

What if we change from block to alert?

Thanks

Threshold is the number of events in the interval amount of time.
So 100 hosts touched in 2 seconds, for example.
Zone protection is global for all traffic hitting a destination zone.

If you need to be more granular, to protect a single server's resources for example, you should use a DoS policy.

If you set action alert instead of block, you will simply see a log entry for each 'scan' but no action is taken.
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
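
A simplified model of the threshold/interval and alert/block behaviour described in the reply above, as an added example that is not part of the original thread and is not the firewall's own implementation. The function names, the per-source sliding window and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

def detect_host_sweep(events, threshold=100, interval=2.0, action="alert"):
    """Model of a per-source host-sweep check (assumed logic, not vendor code).

    events: (timestamp_seconds, src_ip, dst_ip) tuples in time order.
    Returns (logs, forwarded): logs holds one (ts, src, distinct_hosts, action)
    entry each time a source crosses the threshold; forwarded holds the events
    that were let through.
    """
    if action not in ("alert", "block"):
        raise ValueError("action must be 'alert' or 'block'")
    windows = defaultdict(deque)  # src -> (ts, dst) pairs seen within `interval`
    over = set()                  # sources currently at or above the threshold
    logs, forwarded = [], []
    for ts, src, dst in events:
        win = windows[src]
        win.append((ts, dst))
        while ts - win[0][0] > interval:  # expire entries older than the interval
            win.popleft()
        distinct = len({d for _, d in win})
        if distinct >= threshold:
            if src not in over:
                over.add(src)
                logs.append((ts, src, distinct, action))
            if action == "block":
                continue  # dropped: never reaches `forwarded`
        else:
            over.discard(src)
        forwarded.append((ts, src, dst))
    return logs, forwarded

def sample_events():
    """Constructed traffic: one source touching 120 hosts in 1.2 s, one ordinary client."""
    sweep = [(i * 0.01, "198.51.100.7", f"10.0.0.{i}") for i in range(1, 121)]
    client = [(0.5, "10.1.1.5", "10.0.0.10"), (0.9, "10.1.1.5", "10.0.0.11"),
              (1.1, "10.1.1.5", "10.0.0.10")]
    return sorted(sweep + client)

if __name__ == "__main__":
    for mode in ("alert", "block"):
        logs, fwd = detect_host_sweep(sample_events(), action=mode)
        print(mode, "logs:", logs, "forwarded:", len(fwd))
```

With the constructed sample, both modes produce the same log entry for the sweeping source; only `block` removes that source's traffic from the forwarded set once the threshold is reached.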

Hi Reaper,

 

As far as I remember, "Zone Protection Profile" applies to the source zone, not the destination zone; correct me if I am wrong.

 

Best Regards,

 

Fozail

Community Team Member

Hi @fozail,

 

Zone protection profile is designed to provide broad-based protection at the ingress zone (i.e. the zone where traffic enters the firewall) and is not designed to protect a specific end host or traffic going to a particular destination zone. Use the DoS protection rulebase to match on a specific zone, interface, IP address or user.

 

Cheers !

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi

Hi Kim,

 

Yes, you are correct. I got confused by the other description, where it is mentioned that "zone protection is for destination zone".

 

Thank you for the clarification.
