https://community.checkpoint.com/t5/Firewall-and-Security-Management/NMAP-scan-and-CPAS/m-p/235999#M45771 <P>Yup, that's true. Good point!</P> Tue, 17 Dec 2024 12:34:46 GMT JasMan 2024-12-17T12:34:46Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/NMAP-scan-and-CPAS/m-p/235981#M45763 <P>Hi folks,<BR /><BR />During a penetration test in our network a Nmap scan on port 80 for a complete /16 subnet was started. The source IP address was allowed to reach each IP address and excluded from the most inspections. But during the scan the load of the firewall reached 99% and the traffic flow nearly stopped.</P><P>Our service provider was not able to identify the reason. From my analyses later that day it happened due to CPAS (<A href="https://support.checkpoint.com/results/sk/sk179804" target="_blank">https://support.checkpoint.com/results/sk/sk179804</A>).</P><P>CPAS act as a responder for HTTP requests and do a 3-way-handshake for each requested IP address, regardless if the address is online or not. It keeps sessions to offline IP addresses for 30 seconds open.</P><P>That means an aggressive Nmap scan would cause a lot of parallel new connections and a high load on the firewall until it stops working.</P><P>Is this an expected behaviour? Is it possible to reduce the 30 seconds for each connection or which is the suggested value? Any other suggestions to prevent such an issue?</P><P>Thank you.</P><P>Jas Man</P> Tue, 17 Dec 2024 10:38:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/NMAP-scan-and-CPAS/m-p/235981#M45763 JasMan 2024-12-17T10:38:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/NMAP-scan-and-CPAS/m-p/235983#M45764 <P>This SK's will maybe help you out:</P> <P><A href="https://support.checkpoint.com/results/sk/sk110873" target="_blank" rel="noopener noreferrer">https://support.checkpoint.com/results/sk/sk110873</A></P> <P>This one is mostly about DDOS but it also speaks regarding port scans</P> <P><A href="https://support.checkpoint.com/results/sk/sk112241" target="_blank" rel="noopener noreferrer">https://support.checkpoint.com/results/sk/sk112241</A></P> Tue, 17 Dec 2024 10:54:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/NMAP-scan-and-CPAS/m-p/235983#M45764 Lesley 2024-12-17T10:54:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/NMAP-scan-and-CPAS/m-p/235984#M45765 <P>Using NMAP to aggressively scan the own network (best done from inside!) is an old joke that never seems to die... So this is expected behaviour.</P> Tue, 17 Dec 2024 10:54:43 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/NMAP-scan-and-CPAS/m-p/235984#M45765 G_W_Albrecht 2024-12-17T10:54:43Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/NMAP-scan-and-CPAS/m-p/235992#M45767 <P>The second SK is very interessting. I'll check. Thx.</P> Tue, 17 Dec 2024 11:56:24 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/NMAP-scan-and-CPAS/m-p/235992#M45767 JasMan 2024-12-17T11:56:24Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/NMAP-scan-and-CPAS/m-p/235993#M45768 <P>They wanted to identify unknown systems in our network which listen to http and other "bad services". I would say it's a justified action. <span class="lia-unicode-emoji" title=":smiling_face_with_halo:">😇</span></P> Tue, 17 Dec 2024 12:02:08 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/NMAP-scan-and-CPAS/m-p/235993#M45768 JasMan 2024-12-17T12:02:08Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/NMAP-scan-and-CPAS/m-p/235994#M45769 <P>So you should configure it not as an aggressive NMAP scan, but to proceed only very slowly and carefully !</P> Tue, 17 Dec 2024 12:14:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/NMAP-scan-and-CPAS/m-p/235994#M45769 G_W_Albrecht 2024-12-17T12:14:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/NMAP-scan-and-CPAS/m-p/235999#M45771 <P>Yup, that's true. Good point!</P> Tue, 17 Dec 2024 12:34:46 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/NMAP-scan-and-CPAS/m-p/235999#M45771 JasMan 2024-12-17T12:34:46Z