Palo Alto Networks Knowledgebase: Zone Protection Profile Not Generating Logs During Penetration Scan

Zone Protection Profile Not Generating Logs During Penetration Scan

Created On 02/08/19 00:02 AM - Last Updated 02/08/19 00:02 AM
Resolution

Overview

When deploying Zone Protection profiles to detect penetration scans, the scanned traffic must be allowed by a Security Policy rule. Otherwise the Zone Protection profile will not generate Threat logs, because the traffic is dropped first by the security rule that denies it.


Details

An example Zone Protection Profile is shown below. The name of this profile is "Test-Zone-Prot".

  1. Flood Protection tab (screenshot: zone-prot-flood.png)
  2. Reconnaissance Protection tab (screenshot)
  3. Packet Based Attack Protection tab (screenshot)


The above Zone Protection profile, "Test-Zone-Prot", is applied to the zone that will be penetration scanned. The goal is to detect scans arriving on ethernet1/3:

zone-prot-apply.png


Security Policy Set to Allow Traffic

For demonstration purposes, the active Security Policy is set to allow all traffic. This would typically not be the case for production environments.

sec-allow.png

With the above configuration, the results of the first Nmap penetration scan are as follows:

scan-allow.png

The resulting Threat logs (Monitor > Logs > Threat) are shown below:
threat-log-allow.png

As seen above, the Zone Protection Profile is enabled and functions as expected.


Security Policy Set to Deny Traffic

If no Security Policy rule allows traffic to the target interface, the Zone Protection profile cannot generate Threat logs for a penetration scan against that interface.

In this configuration, the last Security Policy is configured to deny traffic.

sec-deny.png

The results of an Nmap penetration scan against this configuration are shown below:

scan-deny.png

The resulting Threat Logs are empty:

threat-log-deny.png

There are no threat logs as the traffic was dropped immediately by the "deny" security policy.


Note: A Zone Protection profile only produces Threat log entries if the scans are run against open ports in the external zone.
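The working configuration above uses an allow-all rule, which is unsuitable for production. The PAN-OS configure-mode commands below are an added example (not from the article) showing the same setup with a Security Policy rule scoped to the authorized scanner only; the zone names "Untrust" (ethernet1/3) and "Trust", the rule name, and the scanner address 203.0.113.10 are assumed values, while the profile name "Test-Zone-Prot" comes from the article.

```text
# Added example, not from the article. Run in PAN-OS configure mode.
# Assumed values: zones "Untrust" and "Trust", scanner source 203.0.113.10.

# Reconnaissance protection in the profile: log (alert) on TCP port scan (8001),
# host sweep (8002) and UDP port scan (8003) rather than silently dropping.
set network profiles zone-protection-profile Test-Zone-Prot scan 8001 action alert
set network profiles zone-protection-profile Test-Zone-Prot scan 8002 action alert
set network profiles zone-protection-profile Test-Zone-Prot scan 8003 action alert

# Bind the profile to the zone that contains ethernet1/3 (the scanned interface).
set zone Untrust network layer3 ethernet1/3
set zone Untrust network zone-protection-profile Test-Zone-Prot

# Allow only the scanner's traffic, so the sessions reach the zone protection
# checks and are logged, instead of being dropped by the final deny rule.
set rulebase security rules Allow-Pentest-Scanner from Untrust to Trust source 203.0.113.10 destination any application any service any action allow log-end yes
set rulebase security rules Allow-Pentest-Scanner description "Authorized scan window; remove after the test"

# Rule order matters: the allow rule must be evaluated before the deny rule.
move rulebase security rules Allow-Pentest-Scanner top

commit
```

After the scan, check Monitor > Logs > Threat for scan entries and Monitor > Logs > Traffic for the scanner's sessions; remove the scoped rule once the test window closes.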


owner: cchristiansen



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbCCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail