topic Re: How can I avoid "Host Port" scan? in Firewall and Security Management

How can I avoid "Host Port" scan?

Carlos_Jara — Sat, 11 Aug 2018 08:44:24 GMT

Hi,

We have a lot of "Host Port Scan" events in.

How can I avoid "Host Port Scan"?

In "Core Protecctions" we can only choice between "Accept" & "Inactive".

Could youo help me?

Re: How can I avoid "Host Port" scan?

ED — Mon, 13 Aug 2018 07:33:18 GMT

Hi,

Take a look at this SK How to configure Security Gateway to detect and prevent port scan

Re: How can I avoid "Host Port" scan?

MartijnElzenaar — Mon, 13 Aug 2018 10:16:24 GMT

What do you mean by avoid? On the internet there's almost no way to avoid it, it happens all the time and everywhere.

Keep in mind that a portscan could be a first phase of an attack, looking at the cyber kill chain (reconnaissance). The amount of info can be annoying if it happens frequently but I would always keep this logged. Unless it's false positive (which I doubt).

I believe that the protection is enabled by default only for the strict profile.

HTH

/Martijn

Re: How can I avoid "Host Port" scan?

Vladimir — Mon, 13 Aug 2018 15:16:36 GMT

Use options 4 or 5, depending on the desired outcome.

Re: How can I avoid "Host Port" scan?

Olga_Kuts — Fri, 05 Oct 2018 06:47:21 GMT

Hi Vladimir,

What mechanisms use this method? Is this method relevant for VSX infrastructure? For example, we try to use method which Enis Dunic described, but VSX doesn't support SAM mechanism.

Re: How can I avoid "Host Port" scan?

Ofir_Shikolski — Sat, 06 Oct 2018 13:06:18 GMT

VSX R80.20 does support the "fwaccel dos" commands

'fwaccel dos' and 'fwaccel6 dos'

fwaccel dos pbox

fwaccel dos whitelist

'fwaccel dos blacklist' and 'fwaccel6 dos blacklist'

'fwaccel dos rate' and 'fwaccel6 dos rate'

'fw sam_policy add' and 'fw6 sam_policy add'

fw sam_policy add' and 'fw6 sam_policy add'

Description

The 'fw sam_policy add' and 'fw6 sam_policy add' commands let you:

Add one Suspicious Activity Monitoring (SAM) rule at a time.
Add one Rate Limiting rule at a time.

Notes:

You can run these commands interchangeably: 'fw sam_policy add' and 'fw samp add'.
Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
The SAM Policy management file is $FWDIR/database/sam_policy.mng.
You can run these commands in Gaia Clish, or Expert mode.
Configuration you make with these commands, survives reboot.
VSX Gateway does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
The SAM Policy rules consume some CPU resources on Security Gateway. We recommend to set an expiration that gives you time to investigate, but does not affect performance. The best practice is to keep only the SAM Policy rules that you need. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.
On VSX Gateway, first go to the context of an applicable Virtual System.
In Gaia Clish, run: set virtual-system <VSID>
In Expert mode, run: vsenv <VSID>
In Cluster, you must configure the SecureXL in the same way on all of the cluster members.

Re: How can I avoid "Host Port" scan?

Vladimir — Sat, 06 Oct 2018 13:19:54 GMT

Hmm... I really am not sure what the underlying mechanism is.

Can someone from Check Point answer this question:

When scanning or DOS rules are configured in the SmartEvent with the action set to "Block Source" how is it executed in simple (i.e. single gateway or cluster) and in VSX environments?

Re: How can I avoid "Host Port" scan?

Ofir_Shikolski — Sat, 06 Oct 2018 15:03:25 GMT

fw sam

SAM Requests are stored in the kernel table sam_requests on the Security Gateway.
IP Addresses that are blocked by SAM rules, are stored in the kernel table sam_blocked_ips on the Security Gateway.

sam_alert:
This tool executes FW-1 SAM actions according to information received through Standard input.
This tool is to be used for executing FW-1 SAM actions with FW-1 User Defined alerts mechanism.

sam_alert -t 120 -I -src :

This will set an automatic SAM rule (for all Security Gateways managed by this Security Management Server / Domain Management Server) with the Source IP address of the host that caused a hit on the IPS protection "Host Port Scan" during 120 seconds.

HTH,

Ofir S

Re: How can I avoid "Host Port" scan?

Vladimir — Sat, 06 Oct 2018 18:31:49 GMT

If the SmartEvent actions are supposed to trigger SAM rules, is there enough intelligence in them to execute on VSX?

Re: How can I avoid "Host Port" scan?

Berry_Smith — Thu, 11 Oct 2018 08:30:17 GMT

This Host port scan provides many features as I know this is Shows the open TCP ports, services, and version information, Includes operating system information and reverse DNS results, The original Nmap output is also included.

Re: How can I avoid "Host Port" scan?

Olga_Kuts — Thu, 18 Oct 2018 08:35:04 GMT

Hi Vladimir,

One more question: where can I see IP addresses, which were blocked?

Re: How can I avoid "Host Port" scan?

Vladimir — Thu, 18 Oct 2018 11:41:20 GMT

It should be in a SmartEvent view, not the SmartLog.

Re: How can I avoid "Host Port" scan?

Olga_Kuts — Tue, 23 Oct 2018 17:38:41 GMT

Hi Vladimir,

Yes, I understand this, but as I understand I will see only some events. Where can I see a list of blocked IPs by "Port Scan" signature?

Re: How can I avoid "Host Port" scan?

Vladimir — Tue, 23 Oct 2018 19:38:19 GMT

I am actually not certain that you can see it in the list format. If the scan is blocked by creating a SAMP rule, and I do not see any other way it can be done without policy installation, it is added to the gateways kernel table.

You can see them using "fw tab -t sam_blocked_ips" in hex, but will have translate the output to readable yourself.

Alternatively, you can see the rules and the IPs blocked by SAMP here:

Re: How can I avoid "Host Port" scan?

Diego_dg — Fri, 12 Jun 2020 06:22:43 GMT

Hi! is it possible to set the automatic SAM rules only on some of the Security Gateways managed by this Security Management Server? I mean, in a situation where IPS is only enabled on the external GWs and detecting only incoming sweeps, and port scans arriving to the external interfaces from the internet, then there is no reason for setting the automatic SAM rules on the internal Gateways...

Best regards

Re: How can I avoid "Host Port" scan?

Diego_dg — Fri, 12 Jun 2020 07:26:18 GMT

I have just seen that you can specify on sam_alert command the gateways or group of gateways on which you want to apply the rules, I think it should be someting such us:

sam_alert -t 120 -f <nameGWs> -l src

Re: How can I avoid "Host Port" scan?

Thomas_Walter — Fri, 22 Jan 2021 08:57:55 GMT

Hello Vladimir,

we are using R80.40 and i can't see that this Smart Event Policy will do anything.

This means that the behavior is the same whether I use the tool or not. Can you tell me if you can be preventing some scans with this ?

Can i troubleshoot this somehow ?

Many Thanks

thomas

Re: How can I avoid "Host Port" scan?

Thomas_Walter — Fri, 22 Jan 2021 09:24:16 GMT

Hello Berry, i know what scans are.

To make it sure... I can identify over IPS the Host Port Scans and the Sweep Scans, but i´m not able to prevent them. Neither with Smart Event or with "sam_alert -t 120 -l src" in Global Properties as Alert. Since I don't have much experience with checkpoint, I'm trying to figure out what I need to do differently to stop these scans. I was hoping that other people here also had this problem and could give me some help or ideas to make that is working. As I said: In smart event i have all scans with automatic replays configured. (Block source and block event activity - Source all Internet to any) AND i have configured what was recommended in the sk110873. But if i look " fw tab -t sam_blocked_ips" the table is still empty and the scan is to see in SMART LOG as Alert and IDS detect. Now i try to understand why checkpoint can identify the scan but what i have to do more to prevent.

If you have a idea , it would be create.

Thanks thomas

Re: How can I avoid "Host Port" scan?

bryanastudillo — Mon, 12 Sep 2022 17:03:30 GMT

Hello,

Has anyone been able to block port scan in VSX?