How to investigate "SCAN: TCP Port Scan" alerts

Created On 05/05/21 22:19 PM - Last Modified 09/10/21 22:55 PM


Objective


How to investigate the reason for a "SCAN: TCP Port Scan" alert in the Threat logs.

Environment


  • Palo Alto Networks Firewall.
  • PAN-OS 7.1 and above.


Procedure


To observe the activity of the TCP Port Scan for which the firewall triggered the alert:
  1. Verify the currently configured Interval (Sec) in the Zone Protection profile applied to the ingress Zone under GUI: Network > Network Profiles > Zone Protection > (Open Zone Protection Profile associated to the ingress Zone) > Reconnaissance Protection > TCP Port Scan.
  • Note down the "Interval (sec)" value.
  2. Go to your Threat logs and take note of the following fields of the 'SCAN: TCP Port Scan' alert:
  • Receive Time (Timestamp)
  • Source IP
  • Destination IP
  3. Go to your Traffic logs and query the activity prior to the trigger. This displays the traffic log entries that the firewall tracked during the configured Interval before it triggered the 'SCAN: TCP Port Scan' detection. Use the leq and geq filters to narrow the query to the interval configured in your Zone Protection profile.
For example, if the configured interval for TCP Port Scan is 2 seconds, the source IP is 10.0.0.1, the destination IP is 192.168.0.1 and the Receive timestamp is 2021/03/31 19:19:02, then the Traffic log query filter should look like:

( start geq '2021/03/31 19:19:00' ) and ( start leq '2021/03/31 19:19:02' ) and ( addr.src in 10.0.0.1 ) and ( addr.dst in 192.168.0.1 )

This displays the Traffic log entries for all connection attempts from the source to the destination during the tracked time window. Note that 'start' is used instead of 'receive_time' for the timestamps because 'start' is when the firewall first received the packets, whereas 'receive_time' is when the session was logged at session end.
  4. If the observed activity is expected, tweak the sensitivity of the TCP Port Scan detection settings under GUI: Network > Network Profiles > Zone Protection > (Open Zone Protection Profile associated to the ingress Zone) > Reconnaissance Protection > TCP Port Scan.
  5. If the desired action is to block the source IP carrying out a TCP Port Scan against a specific destination IP, it is recommended to track by source-and-destination and configure a block-ip action, where a time interval for the block can be specified. Example:
Block-IP action is specified, tracking source-and-destination
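As an added example (not part of the original article or any Palo Alto Networks tooling), the following Python helper builds the Traffic log filter from the Threat log fields and the configured Interval (Sec), then applies the same start/src/dst criteria to an exported set of Traffic log rows so the window can be reproduced offline and the destination ports actually probed can be listed. The sample rows are constructed for illustration, and comparing the number of matched sessions against Threshold (Events) is a simplification of how the firewall counts events.

```python
from collections import Counter
from datetime import datetime, timedelta

# Timestamp format used in PAN-OS log filters and in the Threat log's Receive Time column.
PAN_TS_FMT = "%Y/%m/%d %H:%M:%S"


def tracked_window(receive_time: str, interval_sec: int):
    """Return (start, end) of the Zone Protection tracking window that ended when the
    alert was received: the configured Interval (Sec) before the Receive Time."""
    end = datetime.strptime(receive_time, PAN_TS_FMT)
    return end - timedelta(seconds=interval_sec), end


def build_traffic_filter(receive_time: str, interval_sec: int, src: str, dst: str) -> str:
    """Build the Traffic log filter string from the Threat log fields, using 'start'
    (first packet time) rather than 'receive_time' (session-end logging time)."""
    start, end = tracked_window(receive_time, interval_sec)
    return (
        f"( start geq '{start.strftime(PAN_TS_FMT)}' ) and "
        f"( start leq '{end.strftime(PAN_TS_FMT)}' ) and "
        f"( addr.src in {src} ) and ( addr.dst in {dst} )"
    )


def sessions_in_window(traffic_entries, receive_time, interval_sec, src, dst):
    """Apply the same geq/leq/src/dst criteria to already-exported Traffic log rows
    (for example a CSV export), so the GUI query can be reproduced offline."""
    start, end = tracked_window(receive_time, interval_sec)
    return [
        e for e in traffic_entries
        if e["src"] == src and e["dst"] == dst
        and start <= datetime.strptime(e["start"], PAN_TS_FMT) <= end
    ]


def summarize_scan(traffic_entries, receive_time, interval_sec, src, dst, threshold_events):
    """Summarize what the firewall tracked: sessions in the window, the distinct
    destination ports actually probed (the port in the Threat log is only the one
    that happened to cross the threshold), the policy actions seen, and whether the
    Threshold (Events) was reached. The threshold comparison is a simplification."""
    matched = sessions_in_window(traffic_entries, receive_time, interval_sec, src, dst)
    ports = sorted({e["dport"] for e in matched})
    actions = Counter(e["action"] for e in matched)
    return {
        "sessions": len(matched),
        "distinct_dports": ports,
        "actions": dict(actions),
        "threshold_reached": len(matched) >= threshold_events,
    }


# Constructed sample rows, not real firewall output. Fields mirror the Traffic log
# columns the filter uses: start (first packet time), addr.src, addr.dst, dport, action.
SAMPLE_TRAFFIC = [
    {"start": "2021/03/31 19:18:59", "src": "10.0.0.1", "dst": "192.168.0.1", "dport": 21,   "action": "allow"},  # before window
    {"start": "2021/03/31 19:19:00", "src": "10.0.0.1", "dst": "192.168.0.1", "dport": 22,   "action": "allow"},
    {"start": "2021/03/31 19:19:00", "src": "10.0.0.1", "dst": "192.168.0.1", "dport": 80,   "action": "allow"},
    {"start": "2021/03/31 19:19:01", "src": "10.0.0.1", "dst": "192.168.0.1", "dport": 443,  "action": "allow"},
    {"start": "2021/03/31 19:19:01", "src": "10.0.0.2", "dst": "192.168.0.1", "dport": 443,  "action": "allow"},  # other source
    {"start": "2021/03/31 19:19:01", "src": "10.0.0.1", "dst": "192.168.0.1", "dport": 3389, "action": "allow"},
    {"start": "2021/03/31 19:19:02", "src": "10.0.0.1", "dst": "192.168.0.1", "dport": 8080, "action": "allow"},
    {"start": "2021/03/31 19:19:02", "src": "10.0.0.1", "dst": "192.168.0.2", "dport": 8080, "action": "allow"},  # other destination
    {"start": "2021/03/31 19:19:03", "src": "10.0.0.1", "dst": "192.168.0.1", "dport": 8443, "action": "allow"},  # after window
]

if __name__ == "__main__":
    # Fields copied from the constructed Threat log alert used in the article's example.
    alert = {"receive_time": "2021/03/31 19:19:02", "src": "10.0.0.1", "dst": "192.168.0.1"}
    print(build_traffic_filter(alert["receive_time"], 2, alert["src"], alert["dst"]))
    print(summarize_scan(SAMPLE_TRAFFIC, alert["receive_time"], 2, alert["src"], alert["dst"], threshold_events=5))
```

With the article's values (2-second interval, alert received at 19:19:02) the helper emits the same filter as the example above and, on the constructed rows, keeps only the five sessions from 10.0.0.1 to 192.168.0.1 that started between 19:19:00 and 19:19:02, listing ports 22, 80, 443, 3389 and 8080 rather than the single port shown in the Threat log entry. Rows from another source, to another destination, or outside the window are excluded, which is exactly what the geq/leq/addr.src/addr.dst filter does in the GUI.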


Additional Information


The destination port displayed in the Threat log entry is not meaningful on its own, because the firewall logs the destination port of whichever packet happened to cross the tracked Threshold (Events) within the Interval (Sec) defined for TCP Port Scan in the Zone Protection profile applied to the ingress Zone. The Traffic log query above shows the full set of ports attempted during the window.

For the 'SCAN: TCP Port Scan' alert to trigger, the traffic needs to be allowed by policy.

