I am testing the "reconnaissance protection" feature on a PA-200. I built a reconnaissance protection profile on the zone protection tab, marked "reconnaissance protection", and checked "tcp port scan", "host sweep" and "udp port scan" (with default settings). I activated the zone protection profile on each zone.
I am executing "nmap" over a subnet (default zenmap settings) but the PA doesn't detect it as a "port scan". I found that the PA identifies that traffic as "ssl webbrowsing rule".
You didn't mention what your alert and activate thresholds are set to. One thing you can do is to try lowering these values to the lowest possible to ensure that the rule is having the desired effect. If they are, then you can increase the values to a more real-world number. But as you mentioned that you are testing, this should help to isolate if things are working as expected.
Also, to help verify, you can look at global counters to ensure the zone protection is working. This is done via the CLI with the following command.
> show counter global filter delta yes | match dos
Hope this helps.