Port Scanning
=============

Genian NAC can detect port scans that are run in a variety of ways. The Network
Sensor monitors network traffic flow to check port access events. If a port
scan is run to find a virtual IP address in order to exploit a known
vulnerability, Genian NAC suspends the port scan and designates the Node as
critical. In addition, if more ports are scanned than the specified value
within a period of time, the Node is designated as critical.


Configure Settings for Port Scanning in Anomaly Definition
----------------------------------------------------------

#. Go to **Policy** in the top panel.
#. Go to **Policy > Node Policy > Anomaly Definition** in the left Policy
   panel.
#. Click **Port Scan.**
#. Find the **Anomaly Event** section to configure more options.

   - **Event Duration**: optional setting that specifies how long the port scan
     is run.
   - **Number of Allowable Ports**: optional setting that specifies the
     threshold that triggers anomaly detection.
   - **Attribute to Match**: optional setting used to find a Node running the
     port scan.

#. Click **Update.**
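
The way **Event Duration** and **Number of Allowable Ports** work together can be pictured as a sliding-window count per source. The Python below is an added illustration, not Genian NAC code; the threshold values, the event tuple layout, and the choice to count distinct destination/port pairs per source are assumptions, and the events are constructed sample data.

```python
from collections import defaultdict, deque

# Assumed values for the two Anomaly Event settings (not product defaults).
EVENT_DURATION_S = 60   # "Event Duration", in seconds
ALLOWABLE_PORTS = 5     # "Number of Allowable Ports"

# Constructed events: (time in seconds, source IP, destination IP, destination port)
PORTS = [21, 22, 23, 25, 80, 443]
SAMPLE_EVENTS = (
    # six different ports within six seconds
    [(100 + i, "10.0.0.50", "10.0.0.10", p) for i, p in enumerate(PORTS)]
    # ordinary client reusing one service port
    + [(100 + 10 * i, "10.0.0.20", "10.0.0.10", 443) for i in range(7)]
    # the same six ports, one every 30 seconds
    + [(30 * i, "10.0.0.30", "10.0.0.10", p) for i, p in enumerate(PORTS)]
)


def detect_port_scans(events, duration=EVENT_DURATION_S, allowed=ALLOWABLE_PORTS):
    """Return {source: time first flagged} for sources that reach more than
    `allowed` distinct (destination, port) pairs within `duration` seconds."""
    recent = defaultdict(deque)  # source -> events still inside the window
    flagged = {}
    for ts, src, dst, port in sorted(events):
        window = recent[src]
        window.append((ts, dst, port))
        # Expire events that fell out of the sliding window.
        while window and ts - window[0][0] >= duration:
            window.popleft()
        # Repeated hits on the same destination/port count once.
        distinct = {(d, p) for _, d, p in window}
        if len(distinct) > allowed and src not in flagged:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    for src, ts in detect_port_scans(SAMPLE_EVENTS).items():
        print(f"{src} exceeded {ALLOWABLE_PORTS} ports at t={ts}s")
```

With the assumed 60-second window only `10.0.0.50` is flagged; calling the function with `duration=300` also flags `10.0.0.30`, which is why the two settings are tuned together.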

Create Node Group For Port Scan Run
-----------------------------------

#. Go to **Policy** in the top panel.
#. Go to **Policy > Group > Node** in the left Policy panel.
#. Click on **Tasks > Create.**
#. For **ID:** Port Scan Run.
#. For **Status:** Enabled.
#. For **Boolean Operator** select **OR.**
#. Find and click on **Add** in the **Condition** section.
#. For each **Anomaly** you want to add, use the following:

   - **Options:** Anomaly
   - **Operator:** Detected is one of
   - **Value:** Port Scanning

#. Click **Add.**
#. Keep adding **Conditions** as needed.
#. Click **Save.**