https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sweep-Scan-preventing/m-p/198676#M66697 <P>If you have Smartevent, utilizing a response for external IP Sweeps to block the source IP address for a time you determine works great.&nbsp; I would advise the first time you do enable the feature in Smartevent, enable a response with an email to you so you can see the volume and make sure you would not block legitimate sources.&nbsp; Using Playblocks, in the portal.checkpoint.com, they have some automations for blocking that maybe what you are looking for if you do not have Smartevent. Obviously, you would need a license for Smartevent or Playblocks.</P> Wed, 22 Nov 2023 15:14:56 GMT JoSec 2023-11-22T15:14:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sweep-Scan-preventing/m-p/198185#M66692 <P>Hello, I have a question, currently we se sweep scan logs, we have&nbsp; already configured the Host port Scan but it appears in Detect mode, it there a way to verify that it is actually blocking or is it normal that the logs show it in Detect mode and not Prevent mode ?</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 16 Nov 2023 18:23:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sweep-Scan-preventing/m-p/198185#M66692 Elias 2023-11-16T18:23:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sweep-Scan-preventing/m-p/198200#M66693 <P>The URL below, indicates the signature will only alert to the activity but not block. You can utilize Smartevent which will use SAM rules to block an IP address for configurable amount of time for IP Sweeps, port scans and other detections.&nbsp;</P><P><A href="https://sc1.checkpoint.com/documents/R80.30/SmartConsole_OLH/EN/html_frameset.htm?topic=documents/R80.30/SmartConsole_OLH/EN/jj4esSF9GWk3-Am1vs1tNQ2" target="_blank">https://sc1.checkpoint.com/documents/R80.30/SmartConsole_OLH/EN/html_frameset.htm?topic=documents/R80.30/SmartConsole_OLH/EN/jj4esSF9GWk3-Am1vs1tNQ2</A></P> Thu, 16 Nov 2023 20:05:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sweep-Scan-preventing/m-p/198200#M66693 JoSec 2023-11-16T20:05:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sweep-Scan-preventing/m-p/198201#M66694 <P>Makes sense, as it does not give option to block it from IPS protection itself in smart console.</P> <P>Andy</P> Thu, 16 Nov 2023 20:48:47 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sweep-Scan-preventing/m-p/198201#M66694 the_rock 2023-11-16T20:48:47Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sweep-Scan-preventing/m-p/198672#M66695 <P>So what can I do to block this type of scanning ??&nbsp;</P><P>&nbsp;</P> Wed, 22 Nov 2023 14:59:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sweep-Scan-preventing/m-p/198672#M66695 Elias 2023-11-22T14:59:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sweep-Scan-preventing/m-p/198673#M66696 <P>Maybe better to open TAC support case to get an official answer.</P> <P>Regards,</P> <P>Andy</P> Wed, 22 Nov 2023 15:03:40 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sweep-Scan-preventing/m-p/198673#M66696 the_rock 2023-11-22T15:03:40Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sweep-Scan-preventing/m-p/198676#M66697 <P>If you have Smartevent, utilizing a response for external IP Sweeps to block the source IP address for a time you determine works great.&nbsp; I would advise the first time you do enable the feature in Smartevent, enable a response with an email to you so you can see the volume and make sure you would not block legitimate sources.&nbsp; Using Playblocks, in the portal.checkpoint.com, they have some automations for blocking that maybe what you are looking for if you do not have Smartevent. Obviously, you would need a license for Smartevent or Playblocks.</P> Wed, 22 Nov 2023 15:14:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sweep-Scan-preventing/m-p/198676#M66697 JoSec 2023-11-22T15:14:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sweep-Scan-preventing/m-p/198707#M66698 <P>We are examining how to add this as a new automation to Horizon Playblocks.</P> <P>It already includes automations to block attacks and scans such as:</P> <DIV class="titleAutomation lia-indent-padding-left-30px"><STRONG>Block common scanner identified by IPS</STRONG></DIV> <DIV class="titleAutomation lia-indent-padding-left-30px">&nbsp;</DIV> <DIV class="titleAutomation lia-indent-padding-left-30px"><STRONG><SPAN>The automation blocks scanners across the organization and is triggered by scans that are detected by IPS with very high confidence. The block can be automatic, or upon admin's approval. The notification includes information on the scan and the scanner. More parameters can be set using the automation parameters such as the block duration, whether the block is automatic or upon admins' approval, and more.</SPAN></STRONG></DIV> <DIV class="titleAutomation">&nbsp;</DIV> <P><A href="https://www.checkpoint.com/horizon/playblocks/" target="_blank">https://www.checkpoint.com/horizon/playblocks/</A></P> <P>&nbsp;</P> Wed, 22 Nov 2023 21:00:12 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Sweep-Scan-preventing/m-p/198707#M66698 Tal_Paz-Fridman 2023-11-22T21:00:12Z