I have noticed that SAM Rules do not work in a VSX environment, and so far, I have not found any alternative solutions. I would like to prevent port scanning on a specific Virtual System. While the Core Protection 'Host Port Scan' signature does exist and can be modified from 'Inactive' to 'Accept,' according to SK110873, a SAM Rule must be created for it to take effect. What other solutions exist to address this issue?
Topology:
- Maestro environment
- Security Group in VSX mode (4 Gateways)
- Many Virtual Systems are running
The only thing the "prevention" does is issue a block to the relevant IP address (which is why it needs a SAM rule).
You can do something similar with rate limiting: https://support.checkpoint.com/results/sk/sk112454
Granted, it's not tied to the specific Core Protection, though.
Can you share the SAM rule config? I am not aware this should not work on VSX. PS I am struggling with the same issue.
I am trying to get SAMv2 working for port scan.
Any more specifics you can share on the scans you're attempting to guard against?
https://community.checkpoint.com/t5/Security-Gateways/Block-all-Shodan-scanners/m-p/113338
I'm assuming this is a concern because VSX does not support automatically growing the connections table, and must be set to a fixed value that can be overflowed by a port scan's traffic that is accepted.
As already mentioned in the thread, you can use the fwaccel dos rate command to limit the number of new connections allowed per second, just make sure you execute this in the proper VS context (also check the new-conn-rate-ratio option to see if that would be more appropriate):
fwaccel dos rate add -a d -l a service any source X.X.X.X/24 destination any new-conn-rate 20
Another option is to ensure the Inspection Setting signature "Aggressive Aging" is enabled in the Inspection Settings profile your VS gateway is using, then configure it even more aggressively than the defaults like below. You could even drop the default trigger percentage from 80% to something like 50% if you want to get even more aggressive, doing so should keep port scans from causing a major disruption:
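As an added illustration (not Check Point's code and not from this thread), the Python model below counts new connections per second from a source /24 the way the reply's `new-conn-rate 20` entry with the drop action limits them, and separately flags the many-ports-in-one-second shape that the Host Port Scan protection is about; the sample traffic and the 15-port threshold are constructed for the demo.

```python
"""Model of a per-source-network new-connection rate limit plus a
port-scan shape check. Added example, not Check Point code; the
sample traffic and thresholds are constructed for the demo."""
from collections import defaultdict
import ipaddress


def build_sample_log():
    """Constructed traffic as '<second> <src> <dst> <dport>' lines:
    a 30-port burst in second 0 from one host in 192.0.2.0/24,
    5 ordinary connections in second 1, and 3 from outside that /24."""
    lines = [f"0 192.0.2.10 198.51.100.5 {port}" for port in range(1, 31)]
    lines += ["1 192.0.2.11 198.51.100.5 443"] * 5
    lines += ["0 203.0.113.7 198.51.100.5 443"] * 3
    return "\n".join(lines)


def apply_new_conn_rate(log_text, network, limit):
    """Return (accepted, dropped). New connections from `network` are
    counted per second; those beyond `limit` within a second count as
    dropped, traffic from other sources is left untouched."""
    net = ipaddress.ip_network(network)
    per_second = defaultdict(int)
    accepted = dropped = 0
    for line in log_text.splitlines():
        sec, src, _dst, _port = line.split()
        if ipaddress.ip_address(src) not in net:
            accepted += 1
            continue
        per_second[int(sec)] += 1
        if per_second[int(sec)] > limit:
            dropped += 1
        else:
            accepted += 1
    return accepted, dropped


def port_scan_suspects(log_text, distinct_ports=15):
    """Sources touching more than `distinct_ports` distinct ports on one
    destination within one second (threshold is a demo assumption)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        sec, src, dst, port = line.split()
        seen[(src, dst, int(sec))].add(int(port))
    return sorted({src for (src, _d, _s), ports in seen.items()
                   if len(ports) > distinct_ports})


if __name__ == "__main__":
    log = build_sample_log()
    print(apply_new_conn_rate(log, "192.0.2.0/24", 20))  # (28, 10)
    print(port_scan_suspects(log))  # ['192.0.2.10']
```

Raising the limit to the burst size (or above) lets everything through, which is the trade-off to keep in mind when tuning the rate against legitimate bursts.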