Information
Enable all three scan options in a Zone Protection profile. Do not configure an action of Allow for any scan type. The exact interval and threshold values must be tuned to the specific environment. Less aggressive settings are typically appropriate for trusted zones, such as setting an action of alert for all scan types.
Attach appropriate Zone Protection profiles meeting these criteria to all zones. Separate Zone Protection profiles for trusted and untrusted zones is a best practice.
Rationale:
Port scans and host sweeps are common in the reconnaissance phase of an attack. Bots scouring the Internet in search of a vulnerable target may also scan for open ports and available hosts. Reconnaissance Protection will allow for these attacks to be either alerted on or blocked altogether.
Solution
Navigate to Network > Network Profiles > Zone Protection > Zone Protection Profile > Reconnaissance Protection.
Set TCP Port Scan to enabled, its Action to 'block-ip', its Interval to '5', and its Threshold to '20'.
Set Host Sweep to enabled, its Action to 'block', its Interval to '10', and its Threshold to '30'.
Set UDP Port Scan to enabled, its Action to 'alert', its Interval to '10', and its Threshold to '20'.
or
Execute the following CLI command for each of the three scan types:
username@hostname#set network profiles zone-protection-profile
Default Value:
Not Configured