🔍 Palo Alto Networks Reconnaissance Protection
Reconnaissance Protection is a feature within Palo Alto Networks' Zone Protection Profiles designed to detect and mitigate network scanning activities, such as port scans, host sweeps, and IP protocol scans. These activities are often precursors to more targeted attacks and can be effectively managed using this feature.
1. Types of Reconnaissance Scans
- Port Scans: Attempts to discover open TCP or UDP ports on a single host.
- Host Sweeps: Scans a range of IP addresses to identify hosts with specific open ports.
- IP Protocol Scans: Probes different IP protocols to identify supported services on a host.
Source: Reconnaissance Protection - Palo Alto Networks Documentation
2. Configuration Options
For each scan type, administrators can configure the following parameters:
- Action: Determines the response when a scan is detected. Options include:
  - Allow – Permits the scan without any action.
  - Alert – Logs the scan activity for monitoring purposes.
  - Block – Drops subsequent packets from the source for the remainder of the interval.
  - Block IP – Drops all packets from the source IP for a specified duration (1–3,600 seconds). Requires setting:
    - Track By: Specifies whether to track by source or source-and-destination IP.
    - Duration: Time in seconds to block the IP.
- Interval: Time frame in seconds during which the threshold is evaluated.
- Threshold: Number of scan events within the interval that triggers the configured action.
- Source Address Exclusion: Allows up to 20 IP addresses or address objects to be exempt from reconnaissance protection, useful for legitimate scanning activities such as internal vulnerability assessments.
Source: Configure Reconnaissance Protection - Palo Alto Networks Documentation
3. Best Practices
- Baseline Normal Traffic: Understand typical network behavior to set appropriate thresholds and intervals, minimizing false positives.
- Use Alert Mode Initially: Start with the Alert action to monitor scan activity without blocking, allowing thresholds to be fine-tuned.
- Implement Source Address Exclusions: Exclude trusted IPs used for legitimate scanning to prevent unnecessary blocking.
- Regularly Review Logs: Monitor threat logs to identify patterns and adjust configurations as needed.
- Apply to Ingress Zones: Ensure Reconnaissance Protection is applied to all zones where external traffic enters the network.
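The threshold, interval, action and exclusion semantics from section 2, and the alert-first and exclusion practices from section 3, can be made concrete by modelling them. The following Python is an added example written for this page; it is not Palo Alto Networks code and does not reproduce PAN-OS internals. The class name ReconProtection, the verdict strings, and the event streams are all constructed for illustration, and the interval is modelled as a fixed window that starts at a source's first event (an assumption, since the page does not say how the window is anchored). The event that reaches the threshold is logged and passed, and the block applies to the packets after it, following the page's "drops subsequent packets" wording.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Sequence, Tuple

Key = Tuple[str, ...]   # (source,) or (source, destination), per Track By


class ReconProtection:
    """Model of one scan type's Reconnaissance Protection settings.

    Hypothetical model for illustration, not PAN-OS code. Assumptions:
    the interval is a fixed window starting at the key's first event, and
    the threshold-reaching event is logged and passed while later packets
    are dropped for the block period.
    """

    ACTIONS = ("allow", "alert", "block", "block-ip")

    def __init__(self, action: str, interval: int, threshold: int,
                 track_by: str = "source", duration: int = 0,
                 exclusions: Sequence[str] = ()) -> None:
        if action not in self.ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if track_by not in ("source", "source-and-destination"):
            raise ValueError(f"unknown track-by {track_by!r}")
        if action == "block-ip" and not 1 <= duration <= 3600:
            raise ValueError("block-ip duration must be 1-3600 seconds")
        if len(exclusions) > 20:
            raise ValueError("at most 20 source address exclusions allowed")
        self.action, self.interval, self.threshold = action, interval, threshold
        self.track_by, self.duration = track_by, duration
        self._exclusions = [ip_network(e, strict=False) for e in exclusions]
        self._window: Dict[Key, Tuple[float, int]] = {}   # key -> (start, count)
        self._blocked_until: Dict[Key, float] = {}
        self.log: List[str] = []                          # threat-log style entries

    def _key(self, src: str, dst: str) -> Key:
        return (src,) if self.track_by == "source" else (src, dst)

    def _excluded(self, src: str) -> bool:
        addr = ip_address(src)
        return any(addr in net for net in self._exclusions)

    def process(self, now: float, src: str, dst: str) -> str:
        """Evaluate one scan event; return 'pass', 'alert' or 'drop'."""
        if self._excluded(src):
            return "pass"                  # trusted scanner: never evaluated
        key = self._key(src, dst)
        if self._blocked_until.get(key, 0.0) > now:
            return "drop"                  # still inside a block period
        start, count = self._window.get(key, (now, 0))
        if now - start >= self.interval:   # interval elapsed: fresh window
            start, count = now, 0
        count += 1
        self._window[key] = (start, count)
        if count < self.threshold or self.action == "allow":
            return "pass"
        self.log.append(f"t={now:g} scan threshold {self.threshold} reached "
                        f"for {key} action={self.action}")
        if self.action == "block":
            self._blocked_until[key] = start + self.interval   # rest of interval
        elif self.action == "block-ip":
            self._blocked_until[key] = now + self.duration     # fixed duration
        return "alert"


# Constructed event stream (time, source, destination); not captured traffic.
BLOCK_EVENTS = [
    (0.0, "192.0.2.10", "198.51.100.5"),
    (0.5, "192.0.2.10", "198.51.100.5"),
    (1.0, "192.0.2.10", "198.51.100.5"),   # third event: threshold reached, logged
    (1.5, "192.0.2.10", "198.51.100.5"),   # dropped for the rest of the interval
    (2.5, "192.0.2.10", "198.51.100.5"),   # new interval: evaluated afresh
    (3.0, "10.1.1.1", "198.51.100.5"),     # excluded internal scanner
]


def run_block_scenario() -> List[str]:
    prof = ReconProtection("block", interval=2, threshold=3,
                           exclusions=["10.0.0.0/8"])
    return [prof.process(t, s, d) for t, s, d in BLOCK_EVENTS]


def run_block_ip_scenario() -> List[str]:
    prof = ReconProtection("block-ip", interval=10, threshold=2, duration=60,
                           track_by="source-and-destination")
    stream = [  # constructed
        (0.0, "203.0.113.7", "198.51.100.5"),
        (1.0, "203.0.113.7", "198.51.100.5"),   # threshold: source+dest blocked 60 s
        (2.0, "203.0.113.7", "198.51.100.5"),   # dropped
        (2.0, "203.0.113.7", "198.51.100.6"),   # other destination: separate key
        (61.0, "203.0.113.7", "198.51.100.5"),  # block expired, new interval
    ]
    return [prof.process(t, s, d) for t, s, d in stream]


if __name__ == "__main__":
    print(run_block_scenario())     # ['pass', 'pass', 'alert', 'drop', 'pass', 'pass']
    print(run_block_ip_scenario())  # ['pass', 'alert', 'drop', 'pass', 'pass']
```

Running the same streams with action "alert" leaves every verdict at pass or alert while still filling the log list, which is the tuning loop the best practices describe: watch what the thresholds would have caught before switching the action to block or block-ip. The exclusion check sits before any counting, so a trusted scanner in the exclusion list never consumes threshold budget.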
4. Considerations for PCNSE Exam
The PCNSE exam may assess knowledge of:
- Understanding the purpose and function of Reconnaissance Protection.
- Configuring appropriate actions, thresholds, and intervals for different scan types.
- Implementing source address exclusions for legitimate scanning activities.
- Interpreting threat logs related to reconnaissance activities.
- Applying best practices to real-world scenarios.
Familiarity with these aspects will aid in both exam performance and practical application.