6.17 Ensure that all zones have Zone Protection Profiles with all Reconnaissance Protection settings enabled, tuned, and set to appropriate actions

Information

Enable all three scan options in a Zone Protection profile. Do not configure an action of Allow for any scan type. The exact interval and threshold values must be tuned to the specific environment. Less aggressive settings are typically appropriate for trusted zones, such as setting an action of alert for all scan types.

Attach appropriate Zone Protection profiles meeting these criteria to all zones. Using separate Zone Protection profiles for trusted and untrusted zones is a best practice.

Rationale:

Port scans and host sweeps are common in the reconnaissance phase of an attack. Bots scouring the Internet in search of a vulnerable target may also scan for open ports and available hosts. Reconnaissance Protection allows these attacks to be either alerted on or blocked altogether.

Impact:

Not configuring a Network Zone Protection Profile leaves an organization exposed to common attacks and reconnaissance from untrusted networks.

Solution

Navigate to Network > Network Profiles > Zone Protection > Zone Protection Profile > Reconnaissance Protection.
Set TCP Port Scan to enabled, its Action to block-ip, its Interval to 5, and its Threshold to 20. For block-ip, set Track By to source and Duration to 600 seconds.
Set Host Sweep to enabled, its Action to block, its Interval to 10, and its Threshold to 30.
Set UDP Port Scan to enabled, its Action to alert, its Interval to 10, and its Threshold to 20.
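The following script is an added example, not part of this benchmark or of Palo Alto's own tooling. It audits a PAN-OS configuration XML export against the criteria above: every zone must have a Zone Protection profile attached, that profile must have all three scan types enabled, none may use an action of allow, block-ip must carry Track By and Duration, and Interval and Threshold must be set. The XML layout (profiles under network/profiles/zone-protection-profile, scan entries keyed by the threat IDs 8001 for TCP Port Scan, 8002 for Host Sweep and 8003 for UDP Port Scan, and zones referencing a profile under network/zone-protection-profile) is an assumption modelled on PAN-OS exports; the sample configuration embedded below is constructed for the demonstration, with one compliant untrusted zone, one compliant trusted zone tuned to alert, one zone with a weak profile and one zone with no profile at all.

```python
"""Audit PAN-OS Zone Protection reconnaissance settings (CIS control 6.17).

Added example; the XML layout and the scan threat IDs are assumptions
modelled on PAN-OS configuration exports, not taken from the benchmark.
"""
import xml.etree.ElementTree as ET

# Assumed PAN-OS threat IDs for the three reconnaissance scan types.
SCAN_TYPES = {"8001": "TCP Port Scan", "8002": "Host Sweep", "8003": "UDP Port Scan"}

# Constructed sample export (not a real device configuration).
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain">
  <network><profiles><zone-protection-profile>
    <entry name="ZPP-Untrust"><scan>
      <entry name="8001"><action><block-ip><track-by>source</track-by><duration>600</duration></block-ip></action>
        <interval>5</interval><threshold>20</threshold></entry>
      <entry name="8002"><action><block/></action><interval>10</interval><threshold>30</threshold></entry>
      <entry name="8003"><action><alert/></action><interval>10</interval><threshold>20</threshold></entry>
    </scan></entry>
    <entry name="ZPP-Trust"><scan>
      <entry name="8001"><action><alert/></action><interval>5</interval><threshold>20</threshold></entry>
      <entry name="8002"><action><alert/></action><interval>10</interval><threshold>30</threshold></entry>
      <entry name="8003"><action><alert/></action><interval>10</interval><threshold>20</threshold></entry>
    </scan></entry>
    <entry name="ZPP-Weak"><scan>
      <entry name="8001"><action><allow/></action><interval>5</interval><threshold>20</threshold></entry>
      <entry name="8003"><action><alert/></action><interval>10</interval><threshold>20</threshold></entry>
    </scan></entry>
  </zone-protection-profile></profiles></network>
  <vsys><entry name="vsys1"><zone>
    <entry name="untrust"><network><zone-protection-profile>ZPP-Untrust</zone-protection-profile></network></entry>
    <entry name="trust"><network><zone-protection-profile>ZPP-Trust</zone-protection-profile></network></entry>
    <entry name="dmz"><network><zone-protection-profile>ZPP-Weak</zone-protection-profile></network></entry>
    <entry name="guest"><network/></entry>
  </zone></entry></vsys>
</entry></devices></config>
"""


def parse_profiles(root):
    """Return {profile name: {scan id: {action, interval, threshold, ...}}}."""
    profiles = {}
    node = root.find(".//network/profiles/zone-protection-profile")
    if node is None:
        return profiles
    for prof in node.findall("entry"):
        scans = {}
        for scan in prof.findall("scan/entry"):
            cfg = {"action": None,
                   "interval": scan.findtext("interval"),
                   "threshold": scan.findtext("threshold")}
            action_el = scan.find("action")
            if action_el is not None and len(action_el):
                chosen = action_el[0]          # e.g. <block-ip>, <alert/>, <allow/>
                cfg["action"] = chosen.tag
                for child in chosen:           # track-by / duration under block-ip
                    cfg[child.tag] = child.text
            scans[scan.get("name")] = cfg
        profiles[prof.get("name")] = scans
    return profiles


def audit_profile(scans):
    """Return a list of findings for one profile; empty means compliant."""
    findings = []
    for sid, label in SCAN_TYPES.items():
        cfg = scans.get(sid)
        if cfg is None or cfg["action"] is None:
            findings.append(f"{label}: not enabled")
            continue
        if cfg["action"] == "allow":
            findings.append(f"{label}: action is allow")
        if cfg["action"] == "block-ip" and not (cfg.get("track-by") and cfg.get("duration")):
            findings.append(f"{label}: block-ip without Track By/Duration")
        if not cfg["interval"] or not cfg["threshold"]:
            findings.append(f"{label}: Interval/Threshold not set")
    return findings


def audit_config(xml_text):
    """Map each zone name to its findings (empty list = compliant)."""
    root = ET.fromstring(xml_text)
    profiles = parse_profiles(root)
    results = {}
    for zone in root.iter("zone"):
        for entry in zone.findall("entry"):
            name = entry.get("name")
            prof_name = entry.findtext("network/zone-protection-profile")
            if prof_name is None:
                results[name] = ["no Zone Protection profile attached"]
            elif prof_name not in profiles:
                results[name] = [f"profile {prof_name!r} not found"]
            else:
                results[name] = audit_profile(profiles[prof_name])
    return results


def is_compliant(xml_text):
    return all(not f for f in audit_config(xml_text).values())


if __name__ == "__main__":
    for zone, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{zone}: {'OK' if not findings else '; '.join(findings)}")
```

On a real export the untrusted zone checks pass only when block-ip carries both Track By and Duration, and a zone whose profile name is referenced but not defined is reported as a finding rather than silently treated as protected; the trusted zone tuned to alert passes because the control forbids only the allow action, not a less aggressive one.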

Default Value:

Not Configured

See Also

https://workbench.cisecurity.org/benchmarks/17915

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, CSCv7|12.4, CSCv7|13.3

Plugin: Palo_Alto

Control ID: 6a9d91f12f3c0e2b10686f463dd26d2f9858d55396739465dcf45c810ecf0f65