10-10-2014 01:01 PM
I think the syn+fin packets should drop without zone protection or DoS policy in place.
10-10-2014 01:16 PM
Can we confirm if syn-fin packets are dropped by default without zp and DoS policy?
Thank you, Sharma and Hardik. I have checked the zp in the threat logs. It is the same as what you showed in the screenshot.
10-10-2014 01:31 PM
Any non-syn is dropped by default. But if an attack occurs and the firewall is bombarded with syn-fin packets, it will open a session with the syn packet and kill the session with the fin. If the rate is excessive for syn-fin then the CPU might go really high. So zone protection will help in that scenario. Hope this helps.
12-22-2014 12:19 PM
Does anyone know if there is a way to proactively alert when a port scan has been detected? In the threat logs, I can see the alert of a port scan, but the severity level is medium and the alert ID is 8001, and you cannot change the severity. We are sending email alerts on all critical threats, and we do not want to start sending email alerts on severity of medium as this will generate a lot of noise.
Thanks all in advance.
12-22-2014 01:12 PM
You can follow the procedure in DOC-3779 to fire an email for a specific threat. It does require setting up a specific policy and email profile to fire the alert.
How to Receive Email Threat Notification from the firewall