@bafergel @Astardzhiev I thank you both for your responses. And I apologize for my lack of knowledge in this area. I did run into those documents prior to the original posting, and perhaps that is where my confusion lies.

Both responses, and the recommended KB article, state: "When deploying Zone Protection profiles to detect penetration scans, the corresponding traffic must be allowed by Security Policies. Otherwise, the Zone Protection profiles will not generate threat logs and the offending traffic will be dropped because of security rule that denies the traffic." This implies the malicious TCP port scan is active throughout its lifecycle until it actually hits an open port, and must hit open port(s) with X number of events within Y number of seconds before generating a threat.

Yet https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/zone-protection-and-dos-protection/zone-defense/zone-defense-tools.html#id9f29b151-e788-4d5f-a98d-d66e38020cc6 states what seems to be the more logical: "Zone protection profiles defend the network as a session is formed, before the firewall performs DoS Protection policy and Security policy rule lookups, and consume fewer CPU cycles than a DoS Protection policy or Security policy rule lookup. If a Zone Protection profile denies traffic, the firewall doesn’t spend CPU cycles on policy rule lookups." This implies what I stated in my original post: after X events within the Y-second threshold, a threat would/should be generated based upon the attempt, not the allowing or denying of that attempt via security policy.

Am I crazy, or are the above documents in opposition, stating that zone protection will occur before running any security policies, but will only register a threat after running a security policy?
Hello,

We are in the initial stages of setting up zone protection reconnaissance, and are still playing with threshold and event values (currently set to 30 sec, 5 events). I am also set to block the IP for a small amount of time as we continue to adjust and become more stringent. I noticed the following within the Traffic Log:

[Screenshot: From Traffic Log]

As you can see, over this 2-second period we have registered 17 events. All these events are probing the same TCP port, to 17 different internal resources, and are denied via "interzone-default". There is no threat entry for this event (I am logging other events, but not this one), as you can see below. There may be others which I have yet to notice.

[Screenshot: From Threat Log (action = block-ip)]

From my understanding and the documentation I have read, this traffic behavior should generate a threat event, log the threat event, and block the offending IP for my current time frame. From what I can see, none of this happened. Not certain where I have gone astray, and I welcome any suggestions. I thank you in advance.

Sherm
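As an added illustration of the counting rule the thread is arguing about (this is example code written for this page, not PAN-OS's own implementation and not the poster's configuration), here is a Python sliding-window detector run over constructed, simplified traffic-log lines. It flags a source that touches the same TCP port on `threshold` distinct hosts within `interval` seconds and then blocks that source for `block_seconds`. The `count_denied` switch models the two readings of the documentation: `True` counts every attempt regardless of security-policy verdict, `False` counts only sessions the policy allowed, so a sweep of 17 denied probes yields no alert at all. The log format, addresses, rule names, the 5-events-in-30-seconds default and the exact window semantics are all assumptions for the demonstration.

```python
"""Sliding-window host-sweep detector over constructed traffic-log lines.

Added example for illustration only; it is NOT how PAN-OS Reconnaissance
Protection is implemented. Log format and all sample data are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    dport: int
    rule: str
    action: str


@dataclass(frozen=True)
class Alert:
    src: str
    dport: int
    ts: datetime
    distinct_dst: int


# Constructed sample: a 17-host sweep on TCP/445 over two seconds, all denied by
# interzone-default, plus two benign allowed sessions from another source.
SWEEP = "\n".join(
    f"2020/05/12 10:00:{i // 9:02d},203.0.113.5,10.10.0.{i + 1},445,interzone-default,deny"
    for i in range(17)
)
SAMPLE_LOG = "\n".join([
    "# receive_time,src,dst,dport,rule,action   (constructed, simplified format)",
    "2020/05/12 10:00:00,198.51.100.7,10.10.0.50,443,allow-web,allow",
    SWEEP,
    "2020/05/12 10:00:05,198.51.100.7,10.10.0.51,443,allow-web,allow",
])


def parse_log(text: str) -> list[Event]:
    """Parse the simplified CSV format above into Events sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, rule, action = (f.strip() for f in line.split(","))
        events.append(Event(datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"),
                            src, dst, int(dport), rule, action))
    return sorted(events, key=lambda e: e.ts)  # stable: ties keep file order


def detect_host_sweeps(events, threshold=5, interval=30, block_seconds=60,
                       count_denied=True):
    """Return (alerts, dropped_count).

    An alert fires when one source reaches `threshold` distinct destinations on
    the same dport within `interval` seconds. The source is then blocked for
    `block_seconds`; events it sends while blocked are counted in dropped_count.
    With count_denied=False only policy-allowed sessions are counted, mirroring
    the KB reading that denied traffic never contributes to the threshold.
    """
    window = timedelta(seconds=interval)
    recent = defaultdict(deque)      # (src, dport) -> deque of (ts, dst)
    block_until = {}                 # src -> datetime when the block expires
    alerts, dropped = [], 0
    for ev in events:
        expiry = block_until.get(ev.src)
        if expiry is not None and ev.ts < expiry:
            dropped += 1             # source is currently blocked
            continue
        if not count_denied and ev.action != "allow":
            continue                 # denied attempts do not count in this mode
        dq = recent[(ev.src, ev.dport)]
        dq.append((ev.ts, ev.dst))
        while ev.ts - dq[0][0] > window:
            dq.popleft()             # age out events older than the window
        distinct = {dst for _, dst in dq}
        if len(distinct) >= threshold:
            alerts.append(Alert(ev.src, ev.dport, ev.ts, len(distinct)))
            block_until[ev.src] = ev.ts + timedelta(seconds=block_seconds)
            dq.clear()               # start a fresh window after alerting
    return alerts, dropped


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for mode in (True, False):
        alerts, dropped = detect_host_sweeps(evs, count_denied=mode)
        print(f"count_denied={mode}: {len(alerts)} alert(s), {dropped} dropped")
        for a in alerts:
            print(f"  {a.ts} {a.src} -> {a.distinct_dst} hosts on tcp/{a.dport}")
```

With the defaults, the fifth distinct host hit on tcp/445 triggers one alert and the remaining twelve probes are dropped by the block; flipping `count_denied` to `False` produces nothing, which is exactly the behavior the KB excerpt describes and the admin-guide excerpt seems to contradict.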