01-26-2016 12:07 AM
Hi
I have a question related to zone protection. I have a company doing vulnerability scanning on my system and I want to be able to disable zone protection only for the IPs of the scanner. What would be the best way to accomplish this? Any help much appreciated. At the moment there is one zone protection profile that is applied to my "External" zone.
Regards
Jakob
01-26-2016 12:52 AM
Hi,
As far as I know, only if you have an option to add this IP to a different zone, it's possible to bypass the scanning. Otherwise, there is no straightforward way to achieve this.
I do know there is a feature request (FR) for this already. Please reach out to your local SE and ask him to vote for the FR.
Regards,
-Kim.
01-26-2016 07:39 AM
Hello,
We do our own periodic scanning and I also ran into this. The work around I used was on the scanner. I set it with the lowest/slowest possible settings so it would not trigger the zone protection. Not the greatest since an actor can use this to scan us, but it was the only way.
Regards,
01-29-2016 01:10 AM
I'm pretty sure that zone protection will never work based on source/destination,
as those packets are thrown away before being processed at that level.
If you want this functionality then you should use a DoS policy, where you can exactly specify source(s) and destination(s).
What you lack with DoS is malformed packets (fragmented traffic, ping of death etc.).
01-26-2016 07:35 AM
Zone protection policies are "zone based", so you don't have the capability to exclude some specific IP address.
01-28-2016 07:02 AM
Hi Kim
Many thanks for this, I asked my SE to vote for the feature.
Kind Regards
Jakob
01-28-2016 07:03 AM
Hi Otakar
Thanks for this, yes I guess this could also be used as a "workaround" until Palo Alto gives us a more permanent solution.
Regards
Jakob
03-28-2016 11:18 AM
Can someone produce the FR # for this?
Thanks