Network scanning is a method of discovering vulnerable nodes in a network by accessing different ports of different hosts. Security experts can use this method to find weak spots in the IT infrastructure, and attackers can use it at the preparatory stage of an attack to obtain information about the target host. For example, to gain access, attackers can use vulnerabilities in externally accessible network services or in the operating system of a device.
Network scanning protection is independent of security profiles and is enabled globally for all transit user traffic.
Network scanning protection is applied before matching traffic against security rules.
Kaspersky NGFW processes traffic, generates and sends custom events in accordance with the settings.
There are separate settings for two types of attacks:
- TCP Port Scan
- UDP Port Scan
To enable Network scanning protection:
1. In the main menu of the Open Single Management Platform Console, go to the Application & Services → NGFW section.
2. Select the Objects tab, then select Security profiles → IDPS.
3. Select the Network scanning protection tab and enable the Status toggle switch.
4. Select the action to be applied to sessions if network scanning is detected:
   - Allow to disable traffic analysis for possible attacks involving network scanning. All traffic is allowed without being analyzed for network scanning.
   - Block to block session creation if a network scanning attack is detected.
5. If necessary, enable logging of security events. If logging is enabled, when network scanning is detected and an action is triggered, an event is written to the IDPS security event log in the SIEM system.
6. If necessary, enable the Event rate limiter toggle switch and specify the event sending interval in seconds. If the toggle switch is disabled, a security event is sent to the SIEM system for every alert received from the IDPS security engine. If the switch is enabled, a single security event is sent to the SIEM system for the first alert that occurs within the specified time interval. The default is 1 (1 second).
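The following model of the Event rate limiter from the last step is an added example, not Kaspersky code. It assumes that the interval opens at the first alert sent and that TCP and UDP scan alerts are limited separately (the page specifies neither); the Alert fields, function names and sample data are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    ts: float     # seconds from the start of the constructed sample
    attack: str   # "TCP Port Scan" or "UDP Port Scan"
    src: str      # source address (documentation ranges only)

def siem_events(alerts, limiter_on, interval_s=1):
    """Return the alerts that reach the SIEM as events under the modelled limiter."""
    if not limiter_on:
        return list(alerts)              # toggle off: one event per alert
    window_start = {}                    # attack type -> ts of the last event sent
    sent = []
    for a in sorted(alerts, key=lambda a: a.ts):
        start = window_start.get(a.attack)
        if start is None or a.ts - start >= interval_s:
            window_start[a.attack] = a.ts    # first alert opens a new interval
            sent.append(a)
    return sent

def suppressed_sources(alerts, sent):
    """Sources that raised alerts but appear in no SIEM event."""
    return {a.src for a in alerts} - {a.src for a in sent}

# Constructed sample: three scanning hosts raising overlapping alerts.
SAMPLE = [
    Alert(0.00, "TCP Port Scan", "192.0.2.10"),
    Alert(0.20, "TCP Port Scan", "192.0.2.10"),
    Alert(0.45, "TCP Port Scan", "198.51.100.7"),
    Alert(0.90, "UDP Port Scan", "192.0.2.10"),
    Alert(1.30, "TCP Port Scan", "192.0.2.10"),
    Alert(1.60, "TCP Port Scan", "198.51.100.7"),
    Alert(2.40, "TCP Port Scan", "203.0.113.5"),
]

if __name__ == "__main__":
    for label, on, interval in (("off", False, 1), ("1 s", True, 1), ("5 s", True, 5)):
        sent = siem_events(SAMPLE, on, interval)
        missing = sorted(suppressed_sources(SAMPLE, sent))
        print(f"limiter {label}: {len(sent)} events, sources not in SIEM: {missing}")
```

Under these assumptions, a longer interval reduces SIEM volume but can leave a second scanning host without any event of its own, which matters when event counts or source lists are used for triage.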