- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
- COVID-19 Response Center
zone protection
- LIVEcommunity
- Collaboration
- Discussions
- General Topics
- zone protection
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
zone protection
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
10-10-2014 12:07 PM
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
10-10-2014 12:14 PM
You can configure zone protection on your outside zone or zone that you are more concerned about.
You can define various action. In above example, I have asked firewall to block source IP for 300 secs if that ip is trying to scan the tcp port. You can customize the alert and threshold as well. Hope this helps. Thank you.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
10-10-2014 12:17 PM
Have you tried the syn flood or TCP port scan in zone protection profile ? Is it not working for synfin port scan ?
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
10-10-2014 12:33 PM
I have applied zone protection policy and it is set on alert.
I tried to port scan using nmap. however i could not see any hits using the command show counter global name flow_parse_l4_tcpsynfin.
Is there any way to see the zone protection logs.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
10-10-2014 12:34 PM
Hi Westcon,
Zone Protection has ability to block port scan. You can find all relevant configuration in following link.
Let us know for additional granular information.
Regards,
Hardik Shah
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
10-10-2014 12:36 PM
Hi Westcon,
You can find zone protection logs in Monitor > Threat.
It seems Nmap may not be crossing zone protection scan limit/second.
Would you share zone protection configuration along with Nmp scan rate ?
Regards,
Hardik Shah
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
10-10-2014 12:36 PM
Do you see any drops in the output of this command:
show zone-protection zone <zone-name>
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
10-10-2014 12:47 PM
I am using two firewalls. once is having an old setup and the other recently deployed.
The out put of the command show counter global name flow_parse_l4_tcpsynfin is as below.
My question is that does the firewall have the ability to drop the synfin packets automatically or do we need to apply the zp or dos policy.
Below is the output
Firewall 1 without zone protection
Name: flow_parse_l4_tcpsynfin
Value: 5709
Severity: Drop
Category: flow
Aspect: parse
Desciption: Packets dropped: invalid TCP flags (SYN+FIN+*)
Firewall 2
admin@Lab-Firewall> show counter global name flow_parse_l4_tcpsynfin
Name: flow_parse_l4_tcpsynfin
Value: 0
Severity: Drop
Category: flow
Aspect: parse
Desciption: Packets dropped: invalid TCP flags (SYN+FIN+*)
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
10-10-2014 12:49 PM
Hi Westcon,
Provide us following output. Whic will list all kind of latest drop.
1. Execute command "show counter global filter delta sev drop"
2. Run NMAP
3. Run again "show counter global filter delta sev drop"
Provide us output for 3rd pointer
Regards,
Hardik Shah
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
10-10-2014 12:56 PM
Hi Westcon2,
If zone protection is triggered, you can see it under threat logs.
If you have flood attacks, you will Flood attacks warning as well.
- Workstations no internet after receive IP from firewall DHCP Server in General Topics
- Global protect port in Best Practice Assessment Discussions
- Global Protect update - no auto-reconnect with transparent update in GlobalProtect Discussions
- Global Protect The network connection is unreachable in VM-Series in the Public Cloud
- Issues with Global Protect and Post-vpn-connect in General Topics
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
