Port scan from external network

Hi guys,

 

We received this from our regular Global Correlated Events report and we are curious how to prevent the Port scan from external network. The action is Accepted and we'd like to know where to adjust this. I know this activity is very risky as obviously the source is suspicious.

Is there any way I can monitor live for possible similar Event names?

I'd appreciate your ideas on where and how to adjust and prevent this. Thanks in advance.

 

Global_Correlated_Events_Oct_14__2019_7_00_00_AM_pdf.jpg

 

Cheers!

Darius

Accepted Solutions
Re: Port scan from external network

Hi @Theo,

IPS collects statistics on how many inactive ports were accessed during a given time. For example, if IPS detects a client attempting to access a hundred different inactive ports within a 30 second time frame, IPS will recognize this behavior as a port scan attack. It will then log the event, or notify you (depending on the Action you select in this page).

Enable IPS protection "Host Port Scan" to detect port scan on R80.X:

1) In SmartConsole under Security Policy tab, go to the Threat Prevention rule base.

2) On the bottom go to Threat Tool and choose IPS protection.

3) Go to the Search bar and look for Host Port Scan.

4) Edit the protection and choose the right Profile of the Firewall.

5) Edit the profile and set the Logging setting from Log to User Alert according to the User Alert configured in the General Properties.


Configure an automatic SAM rule to close the port scanning connections:

1) In SmartDashboard/SmartConsole, go to Policy menu - click on Global Properties...

2) Expand Log and Alerts - click on Alerts

3) Check the box Run UserDefined script (under Send user defined alert no.1 to SmartView Monitor)

4) Add an automatic SAM rule:

sam_alert -t 120 -I -src

This will set an automatic SAM rule (for all Security Gateways managed by this Security Management Server / Domain Management Server) with the Source IP address of the host that caused a hit on the IPS protection "Host Port Scan" during 120 seconds.

5) Click on OK to apply the changes.

Now configure the Security Gateways to send Alerts and install policy:

1) Configure the Security Gateways to send Alerts to the Security Management Server / Multi-Domain Management server per sk114630.

2) Install policy on all managed Security Gateways.

3) Connect with SmartView Monitor to Security Management Server / Domain Management Server - go to Tools menu - click on Alerts....
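
The counting rule described in the answer above (distinct inactive ports per source within a time window, followed by a timed block like the 120-second SAM rule), as an added Python illustration that is not part of the original post and is not Check Point's implementation. The event tuple layout, the function names and the sample traffic are assumptions constructed for this example.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 30    # time frame from the post's example
PORT_THRESHOLD = 100   # distinct inactive ports from the post's example
BLOCK_SECONDS = 120    # mirrors the -t 120 timeout passed to sam_alert


def detect_scans(events, window=WINDOW_SECONDS, threshold=PORT_THRESHOLD,
                 block_for=BLOCK_SECONDS):
    """events: time-ordered (ts, src_ip, dst_port, port_is_active) tuples.
    Returns a list of (src_ip, detected_at, blocked_until)."""
    recent = defaultdict(deque)   # src -> (ts, port) hits on inactive ports
    blocked_until = {}
    alerts = []
    for ts, src, port, active in events:
        if active:
            continue              # only inactive ports count
        if blocked_until.get(src, 0) > ts:
            continue              # source is blocked: dropped, not re-alerted
        hits = recent[src]
        hits.append((ts, port))
        while hits[0][0] <= ts - window:
            hits.popleft()        # forget hits older than the window
        if len({p for _, p in hits}) >= threshold:
            alerts.append((src, ts, ts + block_for))
            blocked_until[src] = ts + block_for
            hits.clear()
    return alerts


def sample_events():
    """Constructed traffic (documentation addresses), not real logs."""
    ev = []
    # Fast sweep: 200 distinct inactive ports at 4 ports per second.
    ev += [(i // 4, "203.0.113.10", 1000 + i, False) for i in range(200)]
    # Slow sweep: 100 distinct inactive ports, one per second.
    ev += [(i, "198.51.100.7", 2000 + i, False) for i in range(100)]
    # Retries against a single inactive port: many hits, one distinct port.
    ev += [(i // 15, "198.51.100.9", 8080, False) for i in range(150)]
    # Normal client using an active service.
    ev += [(i, "192.0.2.5", 443, True) for i in range(50)]
    return sorted(ev)


if __name__ == "__main__":
    for src, at, until in detect_scans(sample_events()):
        print(f"{src}: scan detected at t={at}s, blocked until t={until}s")
```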

 

 

 

Re: Port scan from external network

You can find this within the IPS Protection settings. There, just search for: Port Scan


Re: Port scan from external network

Hi Danny,

Do you have any idea how to prevent this? I noticed many attempts of Port scan from external network have "Accept" actions in our different gateways/sites.

 

Port Scan from External Network.jpg
