
Sophos XG SFOS 16.01 - Anti-Portscan?

Greetings all,

I'm currently using the home version of Sophos XG and was wondering if there is a way to block port scans? I know that UTM has the ability for anti-portscans, but does XG have this capability as well?

 

Thanks.

Mike



This thread was automatically locked due to age.
  • Hi Luk and Mike,

    Take a look at my guide here. Now, start a port scan on XG and take a drop packet capture. You can see a denied log id=0103021, check the system log format attached to my guide. This is the denied entry for appliance access.

    By default, XG will drop such traffic unless the ports are explicitly allowed through the device access option.

    Hope that helps :)

  • Thanks Sachin.

    Anti-port scan requires an additional module so the system knows when an attacker is trying to find open ports and so blocks the attacker from going ahead. We know that XG blocks ports that are not allowed, but anti-portscan has a different meaning. I think that port scan should be available with the anti-DoS engine. Sachin, can you find out and reply back here? UTM9 has a portscan feature besides the implicit deny from the firewall module.

    We will appreciate it!

    Regards

  • sachingurung said:

    By default XG will drop such traffic, unless the ports are explicitly allowed through the device access option.

    Luk is right, anti-portscan means that when a portscan is detected, even open ports are hidden from the scanning software. This has been available in UTM since v5, I believe. Very nice feature.

  • Can you make sure that anti-port scan will be added on XG soon?

    Honestly, we do not need to open a feature request for this basic feature.

    Anti-port scan is like having NAT on a router!

    Thanks

  • Hi Luk,

    Anti Port Scan is available in XG. I have initiated a communication with other internal teams to discover other details over it. I will update this thread once I receive any information further.

    Thanks

  • sachingurung said:

    Hi Luk,

    Anti Port Scan is available in XG. I have initiated a communication with other internal teams to discover other details over it. I will update this thread once I receive any information further.

    Thanks

    We are looking forward to hearing from you!

    We need an answer ASAP.

    Thanks

  • Do you have any update on this from the internal team? This is very important for the selling and installation phases.

    Thanks

  • Hi Luk,

    After a bit of research, I have discovered the IP Flood option inside IPS > DoS Attack. I think it is related to the Anti Port Scan feature, but we don't find any way to configure any value or even an option to simply enable or disable it. I have initiated a request to the developers to find out about the use of this feature and how to enable and configure it. Also, is it associated with the Anti Port Scan feature, as I think?

    Why? Because, according to the UTM 9 help doc, port scan is something that is detected and countered on the basis of the source address: "portscans from the same source address can be blocked automatically. Please note that the portscan detection is limited to Internet interfaces, i.e. interfaces with a default gateway.

    Technically speaking, a portscan is detected when a detection score of 21 points in a time range of 300 ms for one individual source IP address is exceeded."

    Awaiting response from the developers.
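To make the quoted UTM 9 description concrete, here is an added example (not Sophos code, and not the UTM or XG implementation) of a per-source, score-based port-scan detector that uses the two numbers from the help text, 21 points and a 300 ms window, together with the "anti-portscan" response described earlier in the thread: once a source is flagged, packets to open ports are dropped as well. The per-port weights (3 for a privileged port below 1024, 1 otherwise), the 60 s block duration, the set of allowed ports and the scoring of distinct ports are assumptions of this example; the addresses and packet events are constructed.

```python
# Added example (not Sophos code): score-based port-scan detection per source IP
# over a sliding time window, plus the "hide even open ports" response once a
# source has been flagged. Thresholds from the UTM 9 help text quoted above;
# weights, block duration and allowed ports are assumptions of this example.
from collections import defaultdict, deque

WEIGHT_THRESHOLD = 21      # points, as quoted from the UTM 9 help doc
WINDOW_MS = 300            # time range in ms, as quoted from the UTM 9 help doc
LOW_PORT_WEIGHT = 3        # assumption: a probe to a privileged port (< 1024) scores 3
HIGH_PORT_WEIGHT = 1       # assumption: a probe to a high port scores 1
BLOCK_MS = 60_000          # assumption: a flagged source stays blocked for 60 s
ALLOWED_PORTS = {22, 443}  # constructed: services the device access rules permit


def port_weight(port):
    """Assumed weighting: probes to well-known ports are a stronger scan signal."""
    return LOW_PORT_WEIGHT if port < 1024 else HIGH_PORT_WEIGHT


class PortScanDetector:
    def __init__(self):
        self.history = defaultdict(deque)  # src -> deque of (ts_ms, dst_port)
        self.blocked_until = {}            # src -> ts_ms at which the block expires

    def window_score(self, src, now_ms):
        """Sum the weights of the distinct ports probed by src within WINDOW_MS."""
        hist = self.history[src]
        while hist and now_ms - hist[0][0] > WINDOW_MS:
            hist.popleft()                 # expire probes older than the window
        return sum(port_weight(p) for p in {p for _, p in hist})

    def observe(self, ts_ms, src, dst_port):
        """Classify one inbound packet: 'allow', 'drop' (closed port) or 'drop-scan'."""
        until = self.blocked_until.get(src)
        if until is not None:
            if ts_ms < until:
                return "drop-scan"         # flagged source: open ports are hidden too
            del self.blocked_until[src]    # block has expired
        self.history[src].append((ts_ms, dst_port))
        if self.window_score(src, ts_ms) > WEIGHT_THRESHOLD:   # "exceeded"
            self.blocked_until[src] = ts_ms + BLOCK_MS
            self.history[src].clear()
            return "drop-scan"
        # Ordinary firewall behaviour: implicit deny for ports not explicitly allowed.
        return "allow" if dst_port in ALLOWED_PORTS else "drop"


def run_scenario(events):
    """Feed (ts_ms, src, dst_port) events to a fresh detector; return the decisions."""
    det = PortScanDetector()
    return [det.observe(ts, src, port) for ts, src, port in events]


# Constructed traffic: a scanner (RFC 5737 address) probing nine ports 10 ms apart,
# interleaved with a legitimate client on port 443, then the scanner again after the
# block has expired.
SCANNER, CLIENT = "203.0.113.7", "198.51.100.5"
PROBED_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443]
FAST_SCAN = (
    [(0, CLIENT, 443)]
    + [(10 * i, SCANNER, port) for i, port in enumerate(PROBED_PORTS, start=1)]
    + [(100, CLIENT, 443), (100 + BLOCK_MS, SCANNER, 443)]
)
# The same probes spaced 100 ms apart: never more than four distinct ports fall
# inside one 300 ms window, so the score stays below the threshold.
SLOW_SCAN = [(100 * i, SCANNER, port) for i, port in enumerate(PROBED_PORTS, start=1)]

if __name__ == "__main__":
    for label, events in (("fast scan", FAST_SCAN), ("slow scan", SLOW_SCAN)):
        print(label, run_scenario(events))
```

In the fast scan the eighth probe (port 139) pushes the score to 24 and flags the source; the ninth probe, to the open port 443, is then dropped too, which is the behaviour the thread calls anti-portscan rather than plain implicit deny. The slow scan never trips the threshold, which is the caveat of any window-based score: it only catches fast scans, so the denied-access log entries remain worth watching as well.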

  • Hi Sachin Gurung!

    Do you have any update?

    Thanks

    Alexander

  • Hi Alexander,

    Thanks for bringing this up. I have reinitiated a conversation internally, will get back to you shortly.

    Thanks

  • Do you have any update on this question?

    This is very important.

    Thanks