Configure Reconnaissance Protection
Prevent attackers from probing your network for vulnerabilities by configuring
reconnaissance protection for IP protocol scan, UDP and TCP scans, and host
sweeps.
Where Can I Use This? | What Do I Need?
---|---
 | For cloud-managed NGFWs:
Malicious actors use various scanning techniques, including port scans (TCP and UDP), host sweeps, and IP protocol scans, to identify and exploit network vulnerabilities. To protect your network against these scans, configure the Reconnaissance Protection settings of a Zone Protection profile. For each scan type, you specify an action and the conditions that trigger the action. For example, you can block subsequent packets from an untrusted source if the firewall detects 1000 IP protocol scan events from that source within 60 seconds. The following actions are supported for each scan:
- Allow—The firewall allows the port scan, host sweep, or IP protocol scan reconnaissance to continue.
- Alert (default)—The firewall generates an alert for each port scan, host sweep, or IP protocol scan that matches the configured threshold within the specified time interval.
- Block—The firewall drops all subsequent packets from the source to the destination for the remainder of the specified time interval.
- Block IP—The firewall drops all subsequent packets for the specified Duration, in seconds (the range is 1-3,600). Track By determines whether the firewall blocks source or source-and-destination traffic.
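The following is an added example, not Palo Alto Networks code, that models how the Action, Interval, Threshold, Track By, Duration and Source Address Exclusion settings described above interact on a stream of scan events. The `ReconProtection` class, the `simulate()` helper and the sample addresses are constructed for illustration; the real firewall's internal counting may differ.

```python
from collections import defaultdict, deque

# Hypothetical model (not PAN-OS code) of one scan type's Reconnaissance
# Protection settings: Action, Interval, Threshold, Track By, Duration, exclusions.
class ReconProtection:
    def __init__(self, action="alert", interval=2, threshold=100,
                 track_by="source", duration=300, exclusions=()):
        assert action in ("allow", "alert", "block", "block-ip")
        assert track_by in ("source", "source-and-destination")
        assert 1 <= duration <= 3600          # Block IP Duration range from the page
        self.action, self.interval, self.threshold = action, interval, threshold
        self.track_by, self.duration = track_by, duration
        self.exclusions = set(exclusions)     # trusted scanners; UI allows up to 20
        self.events = defaultdict(deque)      # key -> timestamps inside the interval
        self.blocked = {}                     # key -> time at which the block expires
        self.alerts = []

    def _key(self, src, dst):
        return src if self.track_by == "source" else (src, dst)

    def handle(self, ts, src, dst):
        """Verdict for one scan event at time ts: 'allow', 'alert' or 'drop'."""
        if src in self.exclusions:
            return "allow"
        key = self._key(src, dst)
        if key in self.blocked:
            if ts < self.blocked[key]:
                return "drop"                 # still inside the block
            del self.blocked[key]
        window = self.events[key]
        window.append(ts)
        while window[0] <= ts - self.interval:  # slide the interval window
            window.popleft()
        if len(window) < self.threshold or self.action == "allow":
            return "allow"
        if self.action == "alert":
            self.alerts.append((ts, key))
            return "alert"
        # Block: drop for the remainder of the interval; Block IP: drop for Duration
        until = window[0] + self.interval if self.action == "block" else ts + self.duration
        self.blocked[key] = until
        window.clear()
        return "drop"

def simulate(profile, events):
    """Feed constructed (ts, src, dst) scan events; return verdict counts."""
    counts = {"allow": 0, "alert": 0, "drop": 0}
    for ts, src, dst in events:
        counts[profile.handle(ts, src, dst)] += 1
    return counts
```

Feeding `ReconProtection("block-ip", interval=10, threshold=5, duration=60)` one event per second from a single constructed source lets the first four through and drops the fifth and everything after it until 60 seconds have elapsed.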
Cloud Management
Configure reconnaissance protection for IP protocol scan, UDP and TCP scans, and host
sweeps on Strata Cloud Manager.
You can configure protection against IP protocol scan, UDP or TCP scans, or host
sweeps for next-generation firewalls managed with Strata Cloud Manager.
- Configure Reconnaissance Protection.
- Select Manage > Configuration > NGFW and Prisma Access > Device Settings > Zones.
- Select or Add a Zone. If you add a zone:
  - Enter a Name for the zone.
  - Select an Interface Type.
  - Add or Remove Interfaces.
- Select or Create a New Zone Protection Profile. If you add a new Zone Protection profile:
  - Enter a Name for the profile.
  - (Optional) Add a profile description.
  - Configure Flood, Packet Based Attack, Protocol, or Ethernet SGT settings.
- Select Reconnaissance and, under Items, Enable the scan types to protect against.
- For each scan, select an Action. If you select Block-IP, you must also configure the Track-By (source or source-and-destination) and Duration options.
- For each scan, specify an Interval (Sec). This option defines the time interval, in seconds, for detection of the given scan type.
- For each scan, specify a Threshold (Events). The threshold defines the number of events that must be detected within the specified interval before the specified action triggers.
- (Optional) Configure the Source Address Exclusion List. Source Address Exclusions are IP addresses that you want to exclude from reconnaissance protection. You can specify up to 20 IP addresses or netmask address objects.
  - Click Add to create a new entry.
  - Enter a descriptive Name for the address.
  - Select an Address Type.
  - Specify one or more IP Address(es).
- Click Add to save the Zone Protection profile.
- Save the Zone.
- Push Config.
PAN-OS
PAN-OS: Prevent attackers from probing your network for vulnerabilities by
configuring reconnaissance protection.
- Configure Reconnaissance Protection.
- Select Network > Network Profiles > Zone Protection.
- Select a Zone Protection profile, or Add a new profile and enter a Name for it.
- On the Reconnaissance Protection tab, select the scan types to protect against.
- Select an Action for each scan. If you select Block IP, you must also configure the Track By (source or source-and-destination) and Duration options.
- Set the Interval in seconds. This option defines the time interval for port scan, host sweep, and IP protocol scan detection.
- Set the Threshold for reconnaissance events. The threshold defines the number of port scan, host sweep, or IP protocol scan events that need to occur within the specified time interval to trigger an action.
- (Optional) Configure a Source Address Exclusion. Source Address Exclusions are IP addresses that you want to exclude from reconnaissance protection. You can specify up to 20 IP addresses or netmask address objects. Exclude only IP addresses for trusted internal groups that perform vulnerability testing.
  - Add the address you want to exclude.
  - Enter a descriptive Name for the address.
  - For Address Type, select either IPv4 or IPv6, and then select an address object or enter one manually.
  - Click OK.
- Click OK to save the Zone Protection profile.
- Commit your changes.
- Apply the Zone Protection profile to the appropriate zones, including zones that connect to the internet.