12-20-2021 05:05 AM
Our Zone Protection | Hoist Sweep configuration was blocking Internet connections on some local hosts due to enabled "News and Interests" Windows 10 Toolbar. I hope this helps with troubleshooting.
12-20-2021 05:10 PM
It would depend on how the zone protection is configured. For the traffic from Trust to Untrust, it shouldn't be too strict especially when it's configured with "Block IP" action.
I'd also suggest to check the traffic log or sessions to see what kind traffic is matching with the condition. You may also want to capture packets on the Windows 10 machine with/without "News and Interests" toolbar enabled.
For your reference:
How do I analyze alerts for SCAN: Host Sweep (8002)?
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBioCAG
12-21-2021 07:53 AM
Yes I agree with the @ymiyashita it is tricky to get the right balance when applying the zone protection to any trusted zones, especially ones that have user internet traffic behind them as often applications will be trying to connect to any number of endpoints and normally the health of these is decided by pinging a port or an IP,
For instance PIA or private internet access pings pretty much all it's endpoints constantly to check if they are available and does this even if it is not switched on.
The only way to apply this is to, over time adjust the levels to the point where you have a baseline of normal volumes and then you can allow for anomalies to activate the protections.
Hope this helps.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
