Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Theo
Collaborator

Port scan from external network

Jump to solution

Hi guys,

 

We received this from our regular Global Correlated Events report and curious how to prevent the Port scan from external network. The action is Accepted and we'd like to know where to adjust this? I know this activity is very risky as obviously the source is suspicious.

Is there any way I can monitor in live the possible similar Event name?

Appreciate your idea where and how to adjust and prevent this? Thanks in advance.

 

Global_Correlated_Events_Oct_14__2019_7_00_00_AM_pdf.jpg

 

Cheers!

Darius

1 Solution

Accepted Solutions
HeikoAnkenbrand
Champion
Champion

Hi @Theo,

IPS collects statistics on how many inactive ports were accessed during a given time. For example, if IPS detects a client attempting to access a hundred different inactive ports within a 30 second time frame, IPS will recognize this behavior as a port scan attack. It will then log the event, or notify you (depending on the Action you select in this page).

Enable IPS protection "Host Port Scan" to detect port scan on R80.X:

1) In SmartConsole under Security Policy tab, go to the Threat Prevention rule base.

2) On the bottom go to Threat Tool and choose IPS protection.

3) Go to the Search bar and look for Host Port Scan.

4) Edit the protection and choose the right Profile of the Firewall

5) Edit the profile and set the Logging setting from Log to User Alert according to the User Alert configured in the General Properties.


Configure an automatic SAM rule to close the port scanning connections:

1) In SmartDashboard/SmartConsole, go to Policy menu - click on Global Properties...

2) Expand Log and Alerts - click on Alerts

3) Check the box Run UserDefined script (under Send user defined alert no.1 to SmartView Monitor)

4) Add an automatic SAM rule:

sam_alert -t 120 -I -src

This will set an automatic SAM rule (for all Security Gateways managed by this Security Management Server / Domain Management Server) with the Source IP address of the host that caused a hit on the IPS protection "Host Port Scan" during 120 seconds.

5) Click on OK to apply the changes

Now configure the Security Gateways to send Alerts and install policy:

1) Configure the Security Gateways to send Alerts to the Security Management Server / Multi-Domain Management server per sk114630.

2) Install policy on all managed Security Gateways.

3) Connect with SmartView Monitor to Security Management Server / Domain Management Server - go to Tools menu - click on Alerts....

 

 

 

View solution in original post

8 Replies
Danny
Champion
Champion

You can find this within the IPS Protection settings. There, just search for: Port Scan

0 Kudos
Theo
Collaborator

Hi Danny,

Do you have idea how to prevent this? I noticed many attempts of Port scan from external network have "Accept" actions in our different gateways/site.

 

Port Scan from External Network.jpg

0 Kudos
HeikoAnkenbrand
Champion
Champion

Hi @Theo,

IPS collects statistics on how many inactive ports were accessed during a given time. For example, if IPS detects a client attempting to access a hundred different inactive ports within a 30 second time frame, IPS will recognize this behavior as a port scan attack. It will then log the event, or notify you (depending on the Action you select in this page).

Enable IPS protection "Host Port Scan" to detect port scan on R80.X:

1) In SmartConsole under Security Policy tab, go to the Threat Prevention rule base.

2) On the bottom go to Threat Tool and choose IPS protection.

3) Go to the Search bar and look for Host Port Scan.

4) Edit the protection and choose the right Profile of the Firewall

5) Edit the profile and set the Logging setting from Log to User Alert according to the User Alert configured in the General Properties.


Configure an automatic SAM rule to close the port scanning connections:

1) In SmartDashboard/SmartConsole, go to Policy menu - click on Global Properties...

2) Expand Log and Alerts - click on Alerts

3) Check the box Run UserDefined script (under Send user defined alert no.1 to SmartView Monitor)

4) Add an automatic SAM rule:

sam_alert -t 120 -I -src

This will set an automatic SAM rule (for all Security Gateways managed by this Security Management Server / Domain Management Server) with the Source IP address of the host that caused a hit on the IPS protection "Host Port Scan" during 120 seconds.

5) Click on OK to apply the changes

Now configure the Security Gateways to send Alerts and install policy:

1) Configure the Security Gateways to send Alerts to the Security Management Server / Multi-Domain Management server per sk114630.

2) Install policy on all managed Security Gateways.

3) Connect with SmartView Monitor to Security Management Server / Domain Management Server - go to Tools menu - click on Alerts....

 

 

 

View solution in original post

Thomas_Walter
Participant

Hello Heiko,

We have implemented this exactly as described to the SK. We are Using R80.40.
But the only thing that happens is that the event is now displayed as an alarm.
The command in Global Properties does not seem to be executed.

If i check that with:

[Expert@cp-fw-01:0]# fw sam_policy get -l | grep 94.102.x.x

[Expert@cp-fw-01:0]#   // there is no answer

Maybe you have a idea why sam_alert is not working ?

I am new with checkpoint and i will be very grateful for hints.

 

Best Regards

 

Thomas

0 Kudos
Thomas_Walter
Participant

Hello Heiko,

not working by us. We have executed as described in the SK, but the scan is not blocked.

Scan is showing as Alert but no prevention.

 fw sam_policy get | grep <scanIP> will also not found in SAM.

 

Have you got a idea why it is not working or how i can troubleshoot this ?

Sorry but i am a newbie with checkpoint. 

Many Thanks 

Thomas 

 

0 Kudos
Durin
Contributor

Hi,

Curious if you have found a solution to this issue ? I am about to implement it myself but it is same, i see the alerts but no blocking.

Br, Rickard

0 Kudos
Thomas_Walter
Participant

Hallo Durin,

be us this behaviour has been changed since we have disabled the hidden Member function.

"This is new with R80.40"

[Expert@admin]# fw ctl get int fwha_cluster_hide_active_only, 
It should return with the value "1"

We had open a Ticket by CheckPoint regarding a other case, but since we have disabled this function,
the script "sam_alert -t 120 -I -src" was working now. 

After some tests... shows that is not a good Solution, behause it is poorly controllable. All your Alerts where be handelt by 

block with the SAM rule.  

Now we working with the Thread-Policy -> This is accessible in "Logs and Monitor" -> in the left lower corner ->

there is "external Apps" and there is "Smart Event Settings and Policy" 

There you can define  the internal Network, with a Group Object and you can define some actions.

(quite far down ) on the left side you will see the "attacks" . There it is now possible to assign the generated actions.

(More as one is possible, for exempel: Email information and block session)

From my point of view, it's good that I don't have to block the whole IP, but only the "attack-action" with this IP.

(in case of false positive, mybe a customer will have a own test 🙂

Please Note: after the upgrade to R80.40, this feature was also no longer  running by us for whatever reason,

so i have said, after we have disabled the hidden Member, is is running and the scan`s are prevented now. 

 

Best Regards

Thomas

 

0 Kudos
Luis_Miguel_Mig
Specialist

Would it be possible to use the securexl ddos penalty box at   "global settings - run userdefined  script" instead of the sam rules for  port-scan protection?

0 Kudos