I have been trying to stop our ports from showing as open on nmap as we have a very important scan happening soon. They are not open...
So I tweaked my ZoneProtection policy to make sure that RED is applied, lowered the alert threshold to a low level, even lowered the 'activate' to a really low level, and committed. Re-ran the nmap scan and the same result is happening.
Whatever I do I still get the same result. I have recon protection set to interval 2 and threshold 2 with the action of block-ip for 2 mins and still nmap shows the ports as open.
What am I missing?
Also any service routes attached to the external interface ;)
Would this be at the top of the policies, and would it not affect any services? And thanks for lab'ing
I reproduced your issue in my lab to make sure I wasn't going insane, so here's what I needed to do to get my firewall to go stealthy:
- I created an untrust to untrust drop rule with services set to "any" (app-default will allow trickle)
- set zone protection to RED, as SYN cookies return a cookie that the client could identify as an open port
These did the trick
Sadly not as we discussed. Still getting open ports.
Did you get it to work as expected?
Create specific rules for all the services that need to come in, then set a drop rule for everything else (untrust to untrust, also untrust to dmz), and set inbound NAT rules to specific ports only
I just need to stop us from showing open ports and I just cannot get it done 😥
Correct, the scan takes a while to kick in, while a blocked port just drops the connection altogether; depends on your needs
look here...
So would that be an untrust block then?
RED is to protect against SYN floods, not scans. You'd need to create security policies to drop these ports: you may currently have rules accepting "any" service, or applications with dynamic ports
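The advice in this thread (allow only the specific inbound services, drop everything else untrust-to-untrust, and don't expect RED/SYN cookies to hide ports, since a SYN-ACK still comes back) can be checked from the scanner side by looking at the state nmap reports per port: "open" means a SYN-ACK came back, "closed" means a RST came back, "filtered" means nothing came back, which is what a drop rule produces. The script below is an added example, not code from the original posts or from Palo Alto Networks. The target 192.0.2.10, the allow-list {80, 443}, and the SAMPLE_SCAN text are constructed placeholders; SAMPLE_SCAN is hand-written to look like `nmap -oG -` output and is not a real scan result.

```python
"""Compare an external host's TCP port states against the allow-list the
firewall is supposed to expose, using nmap's grepable (-oG) output.

Added example for this thread, not from the original posts or from Palo Alto
Networks. Assumptions: 192.0.2.10, the allow-list and SAMPLE_SCAN are
constructed placeholders, not a real scan.
"""
import re
import shlex
import subprocess
from typing import Dict, List, Set

# Constructed sample of 'nmap -sS -Pn -oG -' output (not a real scan):
# 80 and 443 are meant to be exposed, 22 is correctly dropped (filtered),
# and 8080 answers with a SYN-ACK even though nothing should listen there.
SAMPLE_SCAN = """# Nmap 7.94 scan initiated as: nmap -sS -Pn -p 22,80,443,8080 -oG - 192.0.2.10
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///
# Nmap done at ... -- 1 IP address (1 host up) scanned in 2.10 seconds
"""

# One entry of the Ports: field looks like  443/open/tcp//https///
PORT_RE = re.compile(
    r"(\d+)/(open|closed|filtered|unfiltered|open\|filtered|closed\|filtered)/(tcp|udp)"
)


def parse_grepable(text: str) -> Dict[int, str]:
    """Map TCP port number -> nmap state from the 'Ports:' line(s) of -oG output."""
    states: Dict[int, str] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        # Fields are tab separated; 'Ignored State: ...' may follow the Ports field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto in PORT_RE.findall(ports_field):
            if proto == "tcp":
                states[int(port)] = state
    return states


def unexpected_open(states: Dict[int, str], allowed: Set[int]) -> List[int]:
    """Ports that returned a SYN-ACK ('open') but are not on the allow-list.

    With SYN cookies (RED) the firewall itself completes the handshake, so a
    scanner sees these as open; only a drop rule makes them 'filtered'.
    """
    return sorted(p for p, s in states.items() if s == "open" and p not in allowed)


def not_dropped(states: Dict[int, str], allowed: Set[int]) -> List[int]:
    """Non-allowed ports in any state other than 'filtered'.

    'closed' (a RST came back) is also a leak: it confirms a reachable host,
    which a proper untrust-to-untrust drop rule would not reveal.
    """
    return sorted(p for p, s in states.items() if p not in allowed and s != "filtered")


def run_scan(target: str, ports: List[int]) -> str:
    """Run a real SYN scan against `target` (needs root / CAP_NET_RAW) and
    return the grepable output. Not exercised by the sample run below."""
    cmd = f"nmap -sS -Pn -p {','.join(map(str, ports))} -oG - {shlex.quote(target)}"
    result = subprocess.run(shlex.split(cmd), check=True, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    allowed = {80, 443}  # placeholder allow-list: the only services NAT'd inbound
    states = parse_grepable(SAMPLE_SCAN)
    print("port states:", states)
    print("unexpected open:", unexpected_open(states, allowed))
    print("not dropped:", not_dropped(states, allowed))
```

Against the constructed sample, 8080 shows up as both unexpected-open and not-dropped, which is the symptom described in the thread: a port that answers a SYN without a matching allow rule. After adding the explicit allow rules plus the catch-all drop, every port outside the allow-list should come back "filtered" on a re-scan. To check a real host, call `run_scan(target, ports)` and pass its output to `parse_grepable` instead of SAMPLE_SCAN.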