zone protection reconnaissance not capturing obvious threat

L1 Bithead

Hello,

 

We are in the initial stages of setting up zone protection reconnaissance, and still playing with threshold and event values (currently set to 30sec, 5event).  I am also set to block the IP, for a small amount of time, as we continue to adjust and become more stringent.  I noticed within the Traffic Log the following:

 

From Traffic Log

[screenshot: Sherm_0-1631902886853.png]

 

As you can see, over this 2 second period, we have registered 17 events.  All these events are probing the same TCP port, to 17 different internal resources, and denied via "interzone-default".  There is no threat entry for this event - I am logging other events, but not this one - as you can see below.  There may be others which I have yet to notice.

 

From Threat Log (action = block-ip)

[screenshot: Sherm_1-1631903470957.png]

 

From my understanding and documentation read, this traffic behavior should generate a threat event, log the threat event, and block the offending IP for my current time frame.  From what I can see, none of this happened.

 

Not certain where I have gone astray, and welcome any suggestion.  I thank you in advance.

 

Sherm

L2 Linker

Hello @Sherm, I know with Security profiles at least that they are not addressed until after a packet is processed and allowed. I believe zone protection acts in the same way. So if a policy does not actually allow the traffic, it just stops right there; it doesn't go through the rest of the process and thus doesn't generate a threat log, as there is no threat, just a blocked packet.

Network Administrator

L1 Bithead

@bafergel @aleksandar.astardzhiev I thank you both for your responses. And, I apologize for my lack of knowledge in this area.

 

I did run into those documents prior to original posting, and perhaps that is where my confusion lies.  Both responses, and the KB they recommended, state:  "When deploying Zone Protection profiles to detect penetration scans, the corresponding traffic must be allowed by Security Policies. Otherwise, the Zone Protection profiles will not generate threat logs and the offending traffic will be dropped because of security rule that denies the traffic."  -  Which implies the malicious TCP port scan is active throughout its lifecycle until it actually hits an open port, and must hit open port(s) with X number of events within Y number of seconds before generating a threat.

 

Yet, https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/zone-protection-and-dos-protection/zone-de...  states what seems to be the more logical: "Zone protection profiles defend the network as a session is formed, before the firewall performs DoS Protection policy and Security policy rule lookups, and consume fewer CPU cycles than a DoS Protection policy or Security policy rule lookup. If a Zone Protection profile denies traffic, the firewall doesn’t spend CPU cycles on policy rule lookups."  -  Which implies what I stated in my original post: after X events within the Y second threshold, a threat would/should be generated based upon the attempt, not the allowing or denying of that attempt via security policy.

 

Am I crazy, or are the above documents in opposition stating that zone protection will occur before running any security policies, but will only register a threat after running a security policy?

Hello @Sherm, I believe in that document it's stating once the zone protection profile is actually triggered. Once zone protection is triggered, say they access a resource 6 times in 30 seconds (through an allow rule), then zone protection will kick in and block them regardless of whether they match an allow rule.

Network Administrator
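A worked illustration of the ordering the replies describe, added here as an editorial example; it is not code from the thread and not Palo Alto Networks code. It is a simplified Python model of Reconnaissance Protection, not the PAN-OS implementation: probes that Security policy denies are dropped before scan detection ever counts them, so the 17 probes denied by interzone-default in the screenshot produce no Threat Log entry, while the same probes through an allow rule cross the 5-events-in-30-seconds threshold and trigger block-ip. The model also distinguishes the two scan names PAN-OS uses, because one port against many hosts is the Host Sweep pattern rather than a TCP Port Scan. The addresses, the probed port (3389), the rule names and the block duration are assumptions, and the log records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TrafficEvent:
    """One Traffic Log row (constructed; trimmed to the fields that matter here)."""
    ts: float       # seconds since an arbitrary epoch
    src: str
    dst: str
    dport: int
    action: str     # "allow" or "deny", as decided by Security policy
    rule: str       # Security policy rule that matched


@dataclass(frozen=True)
class ReconConfig:
    """Reconnaissance Protection values from the thread: 30 s interval, 5 events."""
    interval: float = 30.0
    threshold: int = 5
    block_duration: float = 120.0   # assumed; the post only says "a small amount of time"


@dataclass(frozen=True)
class ThreatEvent:
    ts: float
    src: str
    name: str       # "Host Sweep" or "TCP Port Scan"
    action: str     # "block-ip"
    count: int      # probes in the window when the threshold was reached


def detect_recon(events, cfg):
    """Simplified scan-detection model. Returns (threat log entries, {src: block expiry})."""
    window = defaultdict(list)   # src -> [(ts, dst, dport)] of probes the policy allowed
    blocked = {}                 # src -> time at which block-ip expires
    threats = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.src in blocked and ev.ts < blocked[ev.src]:
            continue              # source is under block-ip: dropped, nothing new to log
        if ev.action != "allow":
            continue              # denied by policy: dropped before scan detection counts it
        hist = window[ev.src]
        hist.append((ev.ts, ev.dst, ev.dport))
        hist = [h for h in hist if ev.ts - h[0] <= cfg.interval]   # slide the window
        window[ev.src] = hist
        if len(hist) >= cfg.threshold:
            hosts = {h[1] for h in hist}
            ports = {h[2] for h in hist}
            # one port across many hosts is a host sweep; many ports on few hosts a port scan
            name = "Host Sweep" if len(hosts) > len(ports) else "TCP Port Scan"
            threats.append(ThreatEvent(ev.ts, ev.src, name, "block-ip", len(hist)))
            blocked[ev.src] = ev.ts + cfg.block_duration
            window[ev.src] = []
    return threats, blocked


SCANNER = "203.0.113.7"   # constructed source address


def one_port_many_hosts(allowed):
    """17 probes of one TCP port to 17 internal hosts inside 2 seconds, as in the
    Traffic Log screenshot. Port 3389, the 10.0.0.0/24 targets and the rule names are assumed."""
    action, rule = ("allow", "rdp-from-untrust") if allowed else ("deny", "interzone-default")
    return [TrafficEvent(1000.0 + i * 0.12, SCANNER, f"10.0.0.{10 + i}", 3389, action, rule)
            for i in range(17)]


def many_ports_one_host():
    """Six allowed probes of consecutive ports on a single host (the port-scan pattern)."""
    return [TrafficEvent(2000.0 + i * 0.5, SCANNER, "10.0.0.10", 20 + i, "allow", "allow-any")
            for i in range(6)]


def run_examples(cfg=ReconConfig()):
    denied, _ = detect_recon(one_port_many_hosts(False), cfg)
    swept, blocked = detect_recon(one_port_many_hosts(True), cfg)
    scanned, _ = detect_recon(many_ports_one_host(), cfg)
    return denied, swept, scanned, blocked


if __name__ == "__main__":
    denied, swept, scanned, blocked = run_examples()
    print("denied by interzone-default -> threats:", denied)
    print("same probes through an allow rule -> threats:", swept)
    print("many ports on one host -> threats:", scanned)
    print("block-ip expiry:", blocked)
```

Run it directly to see the three cases. The practical check this suggests for the thread's situation: confirm the Traffic Log shows an allow action for the probed port before expecting a Reconnaissance entry in the Threat Log, since only allowed probes are counted against the threshold.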

L1 Bithead

@bafergel Thank you... I think it got through my thick skull, and I understand now.  I appreciate all responses.
