Palo Alto Networks Knowledgebase: Host Sweep Triggering Method in Zone Protection Profile
Created On 02/08/19 00:00 AM - Last Updated 02/08/19 00:00 AM
Mobile Network Infrastructure
Resolution
Overview
The following example explains how the "Host Sweep" feature is triggered in Palo Alto Networks firewalls. Host Sweep protection is configured in the Zone Protection Profile under the Network tab.
Go to Network > Zone Protection > Add a profile (for example, abc). Under the Reconnaissance Protection tab, configure Host Sweep with an Interval of 50 seconds and a Threshold of 60 events.
Run an Nmap scan against 50 IP addresses; the scan completes in 42 seconds and threat logs are generated.
Note: Make sure to associate the zone protection profile with the appropriate zone.
Cause
Host Sweep protection is based on the scanning activity counted per source host within the configured time interval. Palo Alto Networks does not use the destination IP address as a criterion; it tabulates the sweep events themselves. A Host Sweep therefore triggers regardless of how many destination IP addresses are involved, as long as the event count from a single source host crosses the threshold within the interval.
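The counting rule above, as an added illustration that is not Palo Alto Networks' code: it models the per-source event counter with the page's 50-second interval and 60-event threshold over constructed sample events. Treating the interval as a sliding window and the probe counts per destination are assumptions, not something the article states.

```python
from collections import defaultdict, deque

def make_sample_events():
    """Constructed sample of (seconds, source_ip, destination_ip) tuples."""
    events = []
    # Source 10.0.0.5 sweeps 50 destinations with two probes each over 42 s
    # (100 events); this mirrors the page's 50-address scan.
    for i in range(100):
        events.append((i * 42 / 99, "10.0.0.5", f"10.1.0.{i % 50 + 1}"))
    # Source 10.0.0.7 probes one destination 70 times within 10 s: a single
    # address, but the per-host event count still crosses the threshold.
    for i in range(70):
        events.append((i * 10 / 69, "10.0.0.7", "10.1.0.200"))
    # Source 10.0.0.9 is busy but benign: 30 events to 5 destinations over
    # 120 s, never reaching 60 events inside any 50 s window.
    for i in range(30):
        events.append((i * 4.0, "10.0.0.9", f"10.1.0.{i % 5 + 1}"))
    return sorted(events)

def host_sweep_triggers(events, interval_s, threshold):
    """Return {source_ip: time_of_first_trigger}.

    Counts events per source inside a sliding window of interval_s seconds
    (sliding rather than fixed window is an assumption; the article only
    says "per the time interval"). The destination address is ignored, so
    a source crosses the threshold whether it touches 1 or 50 destinations.
    """
    recent = defaultdict(deque)   # source -> timestamps inside the window
    triggered = {}
    for t, src, _dst in sorted(events):
        q = recent[src]
        q.append(t)
        while t - q[0] > interval_s:   # q always holds t itself, never empty
            q.popleft()
        if len(q) >= threshold and src not in triggered:
            triggered[src] = t
    return triggered

def distinct_destinations(events, src):
    """Number of distinct destinations a source touched (for comparison only)."""
    return len({dst for _t, s, dst in events if s == src})

if __name__ == "__main__":
    evts = make_sample_events()
    hits = host_sweep_triggers(evts, interval_s=50, threshold=60)
    for src, t in sorted(hits.items()):
        n = distinct_destinations(evts, src)
        print(f"{src}: host sweep at t={t:.1f}s ({n} destination(s))")
```

Both 10.0.0.5 (50 destinations) and 10.0.0.7 (1 destination) trigger, while 10.0.0.9 does not; raising the threshold above a source's event count silences it even though the destination count is unchanged.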