Are there any best practice settings for the reconnaissance portion of the zone protection profile.
I see the default has the below. Is it recommended to leave as defaults or does someone have a better recommendation?
TCP Port scan 100 events within 2 seconds
UDP Port scan 100 events within 2 seconds
Host Sweep 100 events within 10 seconds
Zone protection feature should be handled carefully every feature requires uniqe apporach, for me i am using with block ip with duration 1Hour+ option against bad guys.
İnstead of using a general zone protection i choose to implement every single zone an individual zone protection profile.
For startup some higher thresholds rather than default can be used with "alert" action.
After creation of profile with desired thresholds, monitor alerts on threat log it would appear as "scan". Enabling extensive logging feature considerable.
Zone protection works on ingress zone only.
If every zone has a zone protection profile keep an eye on email servers.
Adjust threshold levels as "scan" attacks count. My solution was checking threat logs when i see a "scan" threat than i check traffic logs and counting connections corresponing source ip to identify scanning timing.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!