Network Mapper (NMAP) is a network security scanner originally used to discover hosts and services on a computer network, thus creating a "map" of the network. To accomplish its goal, NMAP sends specially crafted packets to the target host and then analyzes the responses. The software provides a number of features for probing computer networks, including host discovery and service and operating system detection.
To block port scans, you need to enable filters 7000 to 7004 and 7016. Please ensure that you read the filter descriptions, as some of them have warnings attached.
Port Scan and Host Sweep Filter Description
The following filters detect and/or block port scans and host sweeps.
- 7000: TCP: Port Scan
- 7001: UDP: Port Scan
- 7002: TCP: Host Sweep
- 7003: UDP: Host Sweep
- 7004: ICMP: Host Sweep
- 7016: ICMPv6: Host Sweep
The scan and sweep filters track the number of port scan and host sweep attempts from a single source IP address. These filters have threshold values that can be configured per Security Profile and per filter. The filter becomes active when the number of connection attempts from a source IP address exceeds the threshold. Host scans and port sweeps are blocked through the Quarantine feature. Scan and sweep filters only look at connections from traffic that undergo inspection.
These filters ignore the following types of traffic:
- blocked or trusted by a Traffic Management Filter
- trusted flow due to Trust as an Action
- blocked or trusted by IP Reputation
- matches an inspection-bypass rule