Friday, January 10, 2020

Palo Alto Networks Firewall Zone Protection (DoS) and App Scope

To prevent scanning or any type of Denial of Service (DoS) attack against your network, you can configure a Zone Protection profile under Network > Zone Protection > Add.


Type a Name (ZONE-PROTECTION-PROFILE-1) > under Flood Protection tab > tick all options (SYN, ICMP, ICMPv6, Other IP, UDP).


Go to the Reconnaissance Protection tab > tick Enable for all three scan types (TCP Port Scan, Host Sweep and UDP Port Scan).


Change the Action to Block for all types of Scan.



Go to the Packet Based Attack Protection tab > IP Drop > tick: Spoofed IP address, Fragmented traffic > under IP Option Drop > tick Strict Source Routing and Loose Source Routing > click OK.



To apply the Zone Protection profile, go to Network > Zones > Zone Protection Profile > select the Zone Protection Profile created earlier.


Apply the same Zone Protection Profile for the outside and dmz Security Zones.


Click Commit.


I ran Zenmap (GUI version of Nmap) on the client PC (192.168.1.20) and performed an Intense scan on the DMZ server 192.168.50.10.


To monitor for Nmap scan traffic, go to Monitor > Logs > Threat. Notice the scan entries: the Type column shows scan, the Name column shows SCAN: TCP Port Scan, the To Port column shows random high-numbered ports, and the Action is drop.


Click the magnifying glass icon to get a Detailed Log View.
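The same check can be done outside the GUI on an exported threat log. The script below is an added example, not part of the original post or a PAN-OS tool: it groups Type=scan events by source and destination, flags sources that touched many distinct high ports (the pattern described above) and lists scan events the firewall did not drop, which would point to a zone missing the profile or a scan type still set to alert. The CSV column layout and the log rows are constructed for the example and are not a real PAN-OS export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a threat log export (not a real capture). The column
# layout is an assumption for this example; real PAN-OS exports carry many more
# fields. Rows mirror the lab: Nmap on 192.168.1.20 scanning the DMZ server
# 192.168.50.10, one host sweep left at alert, and one non-scan event for contrast.
SAMPLE_THREAT_LOG = """\
receive_time,type,threat_name,src,dst,dport,action
2020/01/10 10:01:02,scan,SCAN: TCP Port Scan,192.168.1.20,192.168.50.10,49152,drop
2020/01/10 10:01:02,scan,SCAN: TCP Port Scan,192.168.1.20,192.168.50.10,52301,drop
2020/01/10 10:01:03,scan,SCAN: TCP Port Scan,192.168.1.20,192.168.50.10,61044,drop
2020/01/10 10:01:03,scan,SCAN: TCP Port Scan,192.168.1.20,192.168.50.10,58877,drop
2020/01/10 10:01:09,scan,SCAN: Host Sweep,192.168.1.20,192.168.50.11,0,alert
2020/01/10 10:02:15,vulnerability,Example Vulnerability Signature,10.9.8.7,192.168.50.10,443,alert
"""


def summarize_scans(csv_text):
    """Group Type=scan events by (src, dst).

    Returns {(src, dst): {"names": set, "ports": set, "actions": set}}: which
    scan signatures fired, the distinct target ports, and the firewall actions.
    """
    events = defaultdict(lambda: {"names": set(), "ports": set(), "actions": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["type"] != "scan":  # ignore other threat categories
            continue
        entry = events[(row["src"], row["dst"])]
        entry["names"].add(row["threat_name"])
        entry["ports"].add(int(row["dport"]))
        entry["actions"].add(row["action"])
    return dict(events)


def port_scanners(csv_text, min_ports=3):
    """Sources whose scan events hit at least min_ports distinct ports on one host."""
    return sorted({src for (src, _dst), e in summarize_scans(csv_text).items()
                   if len(e["ports"]) >= min_ports})


def scans_not_dropped(csv_text):
    """(src, dst) pairs with at least one scan event whose Action was not drop."""
    return sorted(key for key, e in summarize_scans(csv_text).items()
                  if e["actions"] != {"drop"})
```

Run `port_scanners(SAMPLE_THREAT_LOG)` and `scans_not_dropped(SAMPLE_THREAT_LOG)` against an export taken after the Commit to confirm every scan type in every protected zone reports drop.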


You can use the PAN Firewall App Scope to monitor network bandwidth or observe the network behavior due to a recent network change.

To view App Scope, go to Monitor > App Scope > Summary.




To monitor network behavior due to a network change, go to Monitor > App Scope > Change Monitor.


To monitor network threats, go to Monitor > App Scope > Threat Monitor.


Click on Threat Category to change view: Threat, Threat Category, Source and Destination.


This is Threat Monitor view by Source.


This is Threat Monitor view by Destination.


This is Threat Map > Incoming threats view which is a nice dashboard that can be used in a Security Operations Center (SOC) environment.


This is Threat Map > Outgoing threats view.


This is Network Monitor view.


You can change the view for Application Category: Application, Application Category, Source and Destination.


You can change graph or chart on the upper right corner (Stacked area chart).


This is Network Monitor view by Source.


This is Network Monitor view by Destination.


This is Traffic Map view by Incoming traffic.


This is Traffic Map view by Incoming traffic. Notice the PAN Firewall location is in the middle of the ocean.


You can update the Latitude and Longitude to pinpoint the location of the PAN Firewall under Device > Management > edit (gear icon).


Type the Latitude and Longitude. In this case Singapore's Latitude and Longitude are 1.3521° N and 103.8198° E respectively.



Click Commit.

Click the PDF icon to export the selected report. In this case I'm exporting a PDF report for Traffic Map > Outgoing traffic.


Click Yes to Download Report.


You need to allow web browser pop-ups in order to view the downloaded PDF report.

Select Always allow pop-ups > Done. Click on the hyperlink to view the report. Notice the PDF report (at the bottom) was downloaded on the client machine.


You can share the PDF report with IT Management or sometimes with a non-technical audience, e.g. the Sales or Finance team.


