Palo Alto Networks Knowledgebase: Port scan report shows all TCP ports are open


Created On 02/08/19 00:04 AM - Last Updated 02/08/19 00:04 AM
Symptoms

Even though the security policy is configured to block all TCP ports from the Untrust zone to the Trust zone, a port scan run from the Internet reports all TCP ports as open.

Diagnosis


The firewall is configured with a destination NAT and a security policy that allows only HTTP and HTTPS connections to an internal server from the Internet. However, when a port scan is run from the Internet, the port scan report shows that all TCP ports are open.


These symptoms are caused by the SYN-Cookie feature configured in the zone protection profile for the untrust/external zone. When the firewall receives a SYN packet and the SYN-Cookie feature is activated, the firewall sends a SYN-ACK and waits for an ACK from the client before processing the connection, which includes inspecting the security policy.


Please reference this document to learn more about SYN-Cookie feature in detail:

https://live.paloaltonetworks.com/t5/Management-Articles/SYN-Cookie-Operation/ta-p/57117


Any TCP port scanning tool that determines the port status based on TCP SYN-ACK packet will show all TCP ports as open.



Resolution

The above behavior is working as expected. To avoid it, you can use one of the following options:


  • Disable SYN flood protection.
  • Change the Action from SYN Cookie to Random Early Drop.
  • Increase the threshold for activation. 
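The following simulation, added here and not part of the Palo Alto Networks article, models the diagnosis above and the activate-rate option: a half-open scanner that trusts the SYN-ACK sees every port open once SYN cookies are active, while a check that completes the handshake and watches what happens after the ACK sees only the policy-allowed ports, and raising the activation threshold restores the expected SYN-ACK behaviour. The cookie hash, the ALLOWED policy, the source address and the assumption that a denied session is reset after the ACK are constructed for this model and are not PAN-OS's own implementation.

```python
import hashlib, os

ALLOWED = {80, 443}      # constructed policy: only HTTP/HTTPS to the DNAT'd server
SECRET = os.urandom(16)  # per-run cookie key; the hash is a stand-in, not PAN-OS's scheme

def cookie(src, dport, isn):
    # Stateless cookie: derive the SYN-ACK sequence number from the client's SYN
    h = hashlib.sha256(SECRET + f"{src}:{dport}:{isn}".encode()).digest()
    return int.from_bytes(h[:4], "big")

class Firewall:
    """Untrust-zone flood protection with a SYN cookie activate-rate (simplified)."""
    def __init__(self, activate_rate):
        self.activate_rate, self.syns_seen, self.allowed_flows = activate_rate, 0, set()

    def on_syn(self, src, dport, isn):
        self.syns_seen += 1
        if self.syns_seen <= self.activate_rate:      # below threshold: policy on the SYN
            if dport not in ALLOWED:
                return ("DROP", None)
            self.allowed_flows.add((src, dport, isn))
            return ("SYN-ACK", 424242)                 # server's own ISN (constructed)
        return ("SYN-ACK", cookie(src, dport, isn))    # cookies active: answer first, ask later

    def on_ack(self, src, dport, isn, ack_num):
        if (src, dport, isn) in self.allowed_flows:
            return "ESTABLISHED"
        if ack_num != cookie(src, dport, isn) + 1:     # cookie check fails: forged ACK
            return "DROP"
        return "ESTABLISHED" if dport in ALLOWED else "RST"  # policy consulted only now

def syn_ack_scan(fw, ports, src="198.51.100.7"):
    """Half-open scan: a port is 'open' as soon as a SYN-ACK comes back."""
    return {p for p in ports if fw.on_syn(src, p, 1000)[0] == "SYN-ACK"}

def handshake_scan(fw, ports, src="198.51.100.7"):
    """Completes the handshake; only a session that survives the ACK counts as open."""
    result = set()
    for p in ports:
        reply, seq = fw.on_syn(src, p, 1000)
        if reply == "SYN-ACK" and fw.on_ack(src, p, 1000, seq + 1) == "ESTABLISHED":
            result.add(p)
    return result

if __name__ == "__main__":
    ports = range(1, 1025)
    print(len(syn_ack_scan(Firewall(activate_rate=0), ports)))         # 1024: all look open
    print(sorted(handshake_scan(Firewall(activate_rate=0), ports)))    # [80, 443]
    print(sorted(syn_ack_scan(Firewall(activate_rate=10000), ports)))  # [80, 443]
```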


Please follow the steps below to make these changes. Take the impact on network security into consideration before applying them.


From the GUI

Go to Network Tab > Zone Protection Profile > select the appropriate Zone Protection Profile > Flood Protection.


From the CLI:

To change from SYN-Cookie to random early drop:

> configure
# delete network profiles zone-protection-profile untrust-zone flood tcp-syn syn-cookies
# commit
# exit


To change the activation rate:

> configure
# set network profiles zone-protection-profile untrust-zone flood tcp-syn syn-cookies activate-rate "value"
# commit
# exit


