The following example shows how the Host Sweep protection in a Palo Alto Networks firewall is triggered. Host Sweep is configured in a Zone Protection profile under the Network tab.
Go to Network > Network Profiles > Zone Protection and add a profile, for example one named abc. Under the Reconnaissance Protection tab, set Host Sweep to an Interval of 50 seconds and a Threshold of 60 events.
Run an Nmap scan against 50 IP addresses; in this example the scan completes in 42 seconds, well inside the 50-second interval. Nmap sends several probes to each address during host discovery, so the firewall counts more than 60 events from the scanning host within the interval and generates Host Sweep threat logs even though only 50 addresses were touched.
Note: Make sure the Zone Protection profile is attached to the appropriate zone (Network > Zones); an unattached profile never fires.
Cause
Host Sweep protection counts scanning events from a single source host over the configured time interval. The firewall does not use the number of distinct destination IP addresses as a criterion; it simply tallies sweep events. A Host Sweep alert therefore triggers regardless of how many addresses are scanned, as long as the event count from a single source crosses the threshold within the interval. In the example above, 50 addresses are fewer than the threshold of 60, but the probes sent to them add up to more than 60 events, so the alert fires.
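The counting rule described above, replayed over constructed traffic as an added illustration. This is a model written for this article, not PAN-OS code: the per-source sliding window and the reset of the counter after each alert are assumptions, as is the figure of four probes per destination standing in for Nmap's multi-probe host discovery. The source addresses, destination prefix and timings are constructed sample data.

```python
from collections import deque

# Model parameters matching the example profile on this page: 50-second interval, 60 events.
INTERVAL_SECONDS = 50.0
THRESHOLD_EVENTS = 60


def host_sweep_alerts(records, interval=INTERVAL_SECONDS, threshold=THRESHOLD_EVENTS):
    """Replay (timestamp, src_ip, dst_ip) records through a per-source event counter.

    Every probe from a source is counted, whether or not its destination was seen
    before: the distinct-destination count plays no role (the point of the Cause
    section). Assumptions of this model, not documented PAN-OS behaviour: the
    window slides over the last `interval` seconds, and the counter resets after
    each alert. Returns a list of (src_ip, timestamp) pairs, one per alert raised.
    """
    windows = {}  # src_ip -> deque of event timestamps inside the current window
    alerts = []
    for ts, src, _dst in sorted(records):
        window = windows.setdefault(src, deque())
        window.append(ts)
        while window and ts - window[0] > interval:
            window.popleft()          # drop events older than the interval
        if len(window) >= threshold:
            alerts.append((src, ts))
            window.clear()            # assumption: start a fresh count after alerting
    return alerts


def distinct_destinations(records):
    """Number of unique destination addresses, for contrast with the event count."""
    return len({dst for _, _, dst in records})


def constructed_scan(src_ip, hosts=50, probes_per_host=4, duration=42.0,
                     dst_prefix="10.1.1."):
    """Constructed traffic, not a capture: `probes_per_host` probes to each of
    `hosts` addresses, spread evenly over `duration` seconds. Four probes per host
    is an assumption standing in for Nmap's multi-probe host discovery."""
    total = hosts * probes_per_host
    step = duration / total
    return [(i * step, src_ip, f"{dst_prefix}{1 + i // probes_per_host}")
            for i in range(total)]


if __name__ == "__main__":
    fast = constructed_scan("192.0.2.10")                  # 50 hosts in 42 s
    slow = constructed_scan("192.0.2.11", duration=300.0)  # same hosts, over 5 minutes
    for name, scan in (("fast", fast), ("slow", slow)):
        print(f"{name}: {len(scan)} events to {distinct_destinations(scan)} hosts "
              f"-> {len(host_sweep_alerts(scan))} Host Sweep alert(s)")
```

The fast scan touches only 50 addresses, fewer than the 60-event threshold, yet its 200 probes cross the threshold three times inside the 42-second run. The slow scan sends the same 200 probes to the same 50 addresses, but spread over 300 seconds no 50-second window ever holds 60 of them, so nothing fires; stretching a scan past the interval is exactly the evasion the Interval setting is meant to bound.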
owner: pchanda
Additional Information
For a Host Sweep alert to trigger, the scanning traffic must be allowed by security policy; traffic that policy denies does not contribute to the count.