Are there any best practice settings for the reconnaissance portion of the zone protection profile.
I see the default has the below. Is it recommended to leave as defaults or does someone have a better recommendation?
TCP Port scan 100 events within 2 seconds
UDP Port scan 100 events within 2 seconds
Host Sweep 100 events within 10 seconds
I think whatever you get to see in best practice document of PA ( which I hope you followed ) , then that is sufficient for now .
Rest you can customize at later stage once you know the effects of zone protection on your live traffic.
Interestingly enough, the best practice guide mentions to leave the default threshold, but there is a video from Palo Alto regarding BPA and the threshold is different than the default
Zone protection feature should be handled carefully every feature requires uniqe apporach, for me i am using with block ip with duration 1Hour+ option against bad guys.
İnstead of using a general zone protection i choose to implement every single zone an individual zone protection profile.
For startup some higher thresholds rather than default can be used with "alert" action.
After creation of profile with desired thresholds, monitor alerts on threat log it would appear as "scan". Enabling extensive logging feature considerable.
Zone protection works on ingress zone only.
If every zone has a zone protection profile keep an eye on email servers.
Adjust threshold levels as "scan" attacks count. My solution was checking threat logs when i see a "scan" threat than i check traffic logs and counting connections corresponing source ip to identify scanning timing.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!