Palo Alto Networks Knowledgebase: Host Sweep Triggering Method in Zone Protection Profile


Created On 02/08/19 00:00 AM - Last Updated 02/08/19 00:00 AM
Mobile Network Infrastructure
Resolution

Overview

The following example shows how the "Host Sweep" feature is triggered on Palo Alto Networks firewalls. Host Sweep is configured in the Zone Protection Profile under the Network tab.

  1. Go to Network > Zone Protection and add a profile. For example, open a profile named abc and, under the Reconnaissance Protection tab, configure Host Sweep with an Interval of 50 seconds and a Threshold of 60 events.
    [Screenshot: zone protection reconnaissance test setting]

  2. Run an Nmap scan against 50 IP addresses; the scan completes in 42 seconds and the firewall generates threat logs.

    [Screenshot: Test_6]

Note: Make sure the zone protection profile is associated with the appropriate zone.

Cause

Host sweep protection counts scanning activity per the configured time interval. The firewall does not use the destination IP address as a criterion; it tabulates sweep events per source host. A Host Sweep therefore triggers regardless of how many destination IP addresses are scanned, as long as the event count from a single source host crosses the threshold within the interval. In the test above, 50 destinations were scanned against a 60-event threshold, and the sweep still fired because the scan produced more than 60 events from one host inside the 50-second interval.
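As an added illustration of the counting rule described above (example code, not part of the original article or of PAN-OS), the following Python model counts probes per source host within the configured interval and ignores the destination address entirely. The 192.0.2.x and 10.0.0.x addresses, the fixed window alignment and the use of a greater-than-or-equal comparison for "crosses the threshold" are assumptions.

```python
from collections import defaultdict

# Values from the article's test profile: 50 second interval, 60 event threshold.
INTERVAL_SECONDS = 50
THRESHOLD_EVENTS = 60


def host_sweep_hits(events, interval=INTERVAL_SECONDS, threshold=THRESHOLD_EVENTS):
    """Model of the rule in the Cause section: probes are counted per source
    host within each interval and the destination IP is ignored.

    events: iterable of (timestamp_seconds, src_ip, dst_ip) tuples.
    Returns sorted (src_ip, window_start, count) tuples for every window in
    which a single source reached the threshold.
    Assumptions (not stated by the article): fixed windows aligned to t=0,
    and "crosses the threshold" is modelled as count >= threshold."""
    counts = defaultdict(int)
    for ts, src, _dst in events:          # destination deliberately unused
        window = int(ts // interval) * interval
        counts[(src, window)] += 1
    return sorted((src, w, n) for (src, w), n in counts.items() if n >= threshold)


def scan_events(src, hosts, probes_per_host, start=0.0, duration=42.0):
    """Constructed sample traffic: one source sending probes_per_host packets
    to each of `hosts` destinations, spread evenly over `duration` seconds
    (42 s mirrors the article's nmap run). Addresses are documentation ranges."""
    total = hosts * probes_per_host
    step = duration / total
    return [(start + i * step, src, f"10.0.0.{1 + (i // probes_per_host) % 254}")
            for i in range(total)]


def demo():
    # 50 destinations but 2 probes each: 100 events from one source inside the
    # 50 s interval, so the sweep fires even though fewer than 60 IPs were hit.
    sweep = host_sweep_hits(scan_events("192.0.2.10", hosts=50, probes_per_host=2))
    # Same 50 destinations with a single probe each: 50 events, below 60, no hit.
    quiet = host_sweep_hits(scan_events("192.0.2.11", hosts=50, probes_per_host=1))
    # Same 100-event scan started at t=30: it straddles two fixed windows
    # (48 events in [0,50), 52 in [50,100)), so neither window reaches 60.
    split = host_sweep_hits(scan_events("192.0.2.12", hosts=50, probes_per_host=2, start=30.0))
    return sweep, quiet, split


if __name__ == "__main__":
    for name, hits in zip(("sweep", "quiet", "split"), demo()):
        print(f"{name}: {hits}")
```

The third scenario shows why a real firewall's interval alignment matters when reading threat logs: the same traffic can fall below the threshold if it spans two counting windows.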

owner: pchanda



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZhCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail