Zone protection reconnossainse protection

L0 Member

Zone protection reconnossainse protection


I am testing "reconnossainse protection" feature on a PA-200. I built a reconnossainse protection profile over zone protection tab and I mark over "reconnossainse protection" and I checked "tcp port scan", "host sweep" and "udp port scan" (with default settings). I activated zone protection profile on each zone.

I am executing "nmap" over a subnet (default zenmap settings) but PA don't detect it as a "port scan". I found PA identify that traffic like "ssl webbrowsing rule".

Best regards,

L5 Sessionator

You didn't mention what your alert and activate thresholds are set to. One thing you can do is to try lowering these values to lowest possible to ensure that the rule is having the desired affect. If they are then you can increase the values to a more real-world number. But as you mentioned that you are testing, this should help to isolate if things are working as expected.

Also to help verify you can look at global counters to ensure the zone protection is working. This is done via CLI with following command.

> show counter global filter delta yes | match dos

Hope this helps.


Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!