Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Theo
Collaborator

Port scan from external network

Jump to solution

Hi guys,

 

We received this from our regular Global Correlated Events report and curious how to prevent the Port scan from external network. The action is Accepted and we'd like to know where to adjust this? I know this activity is very risky as obviously the source is suspicious.

Is there any way I can monitor in live the possible similar Event name?

Appreciate your idea where and how to adjust and prevent this? Thanks in advance.

 

Global_Correlated_Events_Oct_14__2019_7_00_00_AM_pdf.jpg

 

Cheers!

Darius

1 Solution

Accepted Solutions
HeikoAnkenbrand
Champion
Champion

Hi @Theo,

IPS collects statistics on how many inactive ports were accessed during a given time. For example, if IPS detects a client attempting to access a hundred different inactive ports within a 30 second time frame, IPS will recognize this behavior as a port scan attack. It will then log the event, or notify you (depending on the Action you select in this page).

Enable IPS protection "Host Port Scan" to detect port scan on R80.X:

1) In SmartConsole under Security Policy tab, go to the Threat Prevention rule base.

2) On the bottom go to Threat Tool and choose IPS protection.

3) Go to the Search bar and look for Host Port Scan.

4) Edit the protection and choose the right Profile of the Firewall

5) Edit the profile and set the Logging setting from Log to User Alert according to the User Alert configured in the General Properties.


Configure an automatic SAM rule to close the port scanning connections:

1) In SmartDashboard/SmartConsole, go to Policy menu - click on Global Properties...

2) Expand Log and Alerts - click on Alerts

3) Check the box Run UserDefined script (under Send user defined alert no.1 to SmartView Monitor)

4) Add an automatic SAM rule:

sam_alert -t 120 -I -src

This will set an automatic SAM rule (for all Security Gateways managed by this Security Management Server / Domain Management Server) with the Source IP address of the host that caused a hit on the IPS protection "Host Port Scan" during 120 seconds.

5) Click on OK to apply the changes

Now configure the Security Gateways to send Alerts and install policy:

1) Configure the Security Gateways to send Alerts to the Security Management Server / Multi-Domain Management server per sk114630.

2) Install policy on all managed Security Gateways.

3) Connect with SmartView Monitor to Security Management Server / Domain Management Server - go to Tools menu - click on Alerts....

 

 

 

View solution in original post

5 Replies
Danny
Champion
Champion

You can find this within the IPS Protection settings. There, just search for: Port Scan

0 Kudos
Reply
Theo
Collaborator

Hi Danny,

Do you have idea how to prevent this? I noticed many attempts of Port scan from external network have "Accept" actions in our different gateways/site.

 

Port Scan from External Network.jpg

0 Kudos
Reply
HeikoAnkenbrand
Champion
Champion

Hi @Theo,

IPS collects statistics on how many inactive ports were accessed during a given time. For example, if IPS detects a client attempting to access a hundred different inactive ports within a 30 second time frame, IPS will recognize this behavior as a port scan attack. It will then log the event, or notify you (depending on the Action you select in this page).

Enable IPS protection "Host Port Scan" to detect port scan on R80.X:

1) In SmartConsole under Security Policy tab, go to the Threat Prevention rule base.

2) On the bottom go to Threat Tool and choose IPS protection.

3) Go to the Search bar and look for Host Port Scan.

4) Edit the protection and choose the right Profile of the Firewall

5) Edit the profile and set the Logging setting from Log to User Alert according to the User Alert configured in the General Properties.


Configure an automatic SAM rule to close the port scanning connections:

1) In SmartDashboard/SmartConsole, go to Policy menu - click on Global Properties...

2) Expand Log and Alerts - click on Alerts

3) Check the box Run UserDefined script (under Send user defined alert no.1 to SmartView Monitor)

4) Add an automatic SAM rule:

sam_alert -t 120 -I -src

This will set an automatic SAM rule (for all Security Gateways managed by this Security Management Server / Domain Management Server) with the Source IP address of the host that caused a hit on the IPS protection "Host Port Scan" during 120 seconds.

5) Click on OK to apply the changes

Now configure the Security Gateways to send Alerts and install policy:

1) Configure the Security Gateways to send Alerts to the Security Management Server / Multi-Domain Management server per sk114630.

2) Install policy on all managed Security Gateways.

3) Connect with SmartView Monitor to Security Management Server / Domain Management Server - go to Tools menu - click on Alerts....

 

 

 

View solution in original post

Thomas_Walter
Participant

Hello Heiko,

We have implemented this exactly as described to the SK. We are Using R80.40.
But the only thing that happens is that the event is now displayed as an alarm.
The command in Global Properties does not seem to be executed.

If i check that with:

[Expert@cp-fw-01:0]# fw sam_policy get -l | grep 94.102.x.x

[Expert@cp-fw-01:0]#   // there is no answer

Maybe you have a idea why sam_alert is not working ?

I am new with checkpoint and i will be very grateful for hints.

 

Best Regards

 

Thomas

0 Kudos
Reply
Thomas_Walter
Participant

Hello Heiko,

not working by us. We have executed as described in the SK, but the scan is not blocked.

Scan is showing as Alert but no prevention.

 fw sam_policy get | grep <scanIP> will also not found in SAM.

 

Have you got a idea why it is not working or how i can troubleshoot this ?

Sorry but i am a newbie with checkpoint. 

Many Thanks 

Thomas 

 

0 Kudos
Reply