Palo Alto Networks Knowledgebase: Port scan report shows all TCP ports are open


Created On 02/08/19 00:04 AM - Last Updated 02/08/19 00:04 AM


Even though the security policy is configured to block all TCP ports from Untrust to Trust zone, when running a port scan from Internet, report shows all TCP ports are open.



The firewall is configured with a destination NAT rule and a security policy that allow only HTTP and HTTPS connections from the Internet to an internal server. However, when a port scan is run from the Internet, the port scan report shows that all TCP ports are open.


These symptoms are triggered by the SYN Cookies action configured under SYN flood protection in the zone protection profile applied to the untrust/external zone. When the firewall receives a SYN packet while SYN Cookies is active, the firewall itself answers with a SYN-ACK and waits for the client's ACK before processing the connection; only at that point does it look up the security policy.


Please refer to the following document for a detailed description of the SYN-Cookie feature:


Any TCP port scanning tool that decides a port is open as soon as it sees a SYN-ACK (a half-open or SYN scan) will therefore report every TCP port as open, whether or not the security policy would allow the connection.


The above behavior is working as designed. To avoid it, you can do one of the following:


  • Disable SYN flood protection.
  • Change the Action from SYN Cookie to Random Early Drop.
  • Increase the threshold for activation.
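To make the cause and the three options concrete, here is an added Python model (constructed for this article, not PAN-OS code; all class, field and scenario names are invented) of a firewall whose zone protection profile has SYN flood protection enabled. It compares a scanner that trusts the SYN-ACK with one that completes the handshake, first with SYN Cookies active and then after each of the three changes listed above. The drop probability used for Random Early Drop and the reset sent for a denied connection after the cookie handshake are assumptions made for the example.

```python
"""Constructed model of the behaviour described in this article: a firewall whose
zone protection profile has SYN flood protection with the SYN Cookies action, and
two ways a scanner might classify a port. Illustrative code only, not PAN-OS code;
the class, field and scenario names are invented for the example."""
import random
from dataclasses import dataclass, field
from enum import Enum


class SynAction(Enum):
    SYN_COOKIES = "syn-cookies"
    RED = "random-early-drop"


@dataclass
class ZoneProtectionProfile:
    """Subset of the flood-protection settings the article discusses (constructed)."""
    syn_flood_enabled: bool = True
    action: SynAction = SynAction.SYN_COOKIES
    activate_rate: int = 0  # SYN/s above which the configured action becomes active


@dataclass
class Firewall:
    profile: ZoneProtectionProfile
    allowed_ports: frozenset        # security policy: ports permitted Untrust -> Trust
    observed_syn_rate: int = 0      # current SYN/s seen on the untrust zone (constructed)
    rng: random.Random = field(default_factory=lambda: random.Random(7))

    def _action_active(self) -> bool:
        return (self.profile.syn_flood_enabled
                and self.observed_syn_rate > self.profile.activate_rate)

    def on_syn(self, dport: int) -> str:
        """Firewall's response to a client SYN for dport."""
        if self._action_active() and self.profile.action is SynAction.SYN_COOKIES:
            # SYN Cookies: the firewall answers every SYN itself with a SYN-ACK and
            # defers the security-policy lookup until the client's ACK arrives.
            return "SYN-ACK"
        if self._action_active() and self.profile.action is SynAction.RED:
            # Random Early Drop discards a share of SYNs above the threshold; the
            # survivors still go through the normal policy lookup below.
            if self.rng.random() < 0.5:  # drop probability chosen for the example
                return "DROP"
        # Normal path: policy is evaluated on the SYN, so denied ports never get a SYN-ACK.
        return "SYN-ACK" if dport in self.allowed_ports else "DROP"

    def on_ack(self, dport: int) -> str:
        """Client's final ACK: with SYN Cookies this is where the policy is checked.
        A denied port is modelled as a reset (assumption made for the example)."""
        return "ESTABLISHED" if dport in self.allowed_ports else "RST"


def scan_by_syn_ack(fw: Firewall, ports) -> set:
    """Half-open style classification: a port counts as open as soon as a SYN-ACK comes back."""
    return {p for p in ports if fw.on_syn(p) == "SYN-ACK"}


def scan_by_full_handshake(fw: Firewall, ports) -> set:
    """Complete the handshake and only count the port if the connection survives it."""
    return {p for p in ports
            if fw.on_syn(p) == "SYN-ACK" and fw.on_ack(p) == "ESTABLISHED"}


PORTS = range(1, 1025)          # constructed scan range
POLICY = frozenset({80, 443})   # only HTTP and HTTPS are allowed, as in the article


def run_scenarios() -> dict:
    """Reproduce the symptom, then each of the article's three options."""
    results = {}

    # Symptom: SYN Cookies active because the SYN rate exceeds the activation threshold.
    fw = Firewall(ZoneProtectionProfile(activate_rate=0), POLICY, observed_syn_rate=500)
    results["syn-cookies/syn-ack scan"] = scan_by_syn_ack(fw, PORTS)
    results["syn-cookies/full handshake"] = scan_by_full_handshake(fw, PORTS)

    # Option 1: disable SYN flood protection on the profile.
    fw = Firewall(ZoneProtectionProfile(syn_flood_enabled=False), POLICY, observed_syn_rate=500)
    results["disabled/syn-ack scan"] = scan_by_syn_ack(fw, PORTS)

    # Option 2: change the action to Random Early Drop.
    fw = Firewall(ZoneProtectionProfile(action=SynAction.RED), POLICY, observed_syn_rate=500)
    results["red/syn-ack scan"] = scan_by_syn_ack(fw, PORTS)

    # Option 3: raise the activation rate above the observed SYN rate.
    fw = Firewall(ZoneProtectionProfile(activate_rate=10000), POLICY, observed_syn_rate=500)
    results["threshold/syn-ack scan"] = scan_by_syn_ack(fw, PORTS)
    return results


if __name__ == "__main__":
    for name, open_ports in run_scenarios().items():
        shown = sorted(open_ports)[:5]
        print(f"{name:28s} -> {len(open_ports)} open: {shown}{' ...' if len(open_ports) > 5 else ''}")
```

In the first scenario the SYN-ACK-based scan reports all 1024 ports open while the full-handshake scan reports only 80 and 443, which is the gap between the report and the actual policy. The three remaining scenarios show the SYN-ACK scan agreeing with the policy again once the action no longer proxies the handshake; under Random Early Drop some allowed ports may be missed by the scan, but no denied port is ever reported open.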


Follow the steps below to make these changes. Before applying any of them, weigh the effect on SYN flood protection for that zone and on your overall network security.


From the GUI

Go to Network Tab > Zone Protection Profile > select the appropriate Zone Protection Profile > Flood Protection.




From the CLI:

To change from SYN-Cookie to random early drop (untrust-zone is the name of the zone protection profile in this example):

> configure
# delete network profiles zone-protection-profile untrust-zone flood tcp-syn syn-cookies
# commit
# exit

To change the activation rate (replace "value" with the desired threshold):

> configure
# set network profiles zone-protection-profile untrust-zone flood tcp-syn syn-cookies activate-rate "value"
# commit
# exit
