Port Scanning

Genian ZTNA can detect port scanning run in a variety of ways. The Network Sensor monitors the network traffic flow to check the access event of ports. If a port scan is run to find a virtual IP address in order to exploit a known vulnerability, Genian ZTNA suspends the Port Scan and designates the Node as a critical one. In addition, if the ports are scanned more than the specified value within a period of time, then designated as a critical Node.

Configure Settings for Port Scanning in Anomaly Definition

1. Go to Policy in the top panel.
2. Go to Policy > Node Policy > Anomaly Definition in the left Policy panel.
3. Click Port Scan.
4. Find Anomaly Event section to configure more options.
   • For Event Duration, optional setting to specify how long the port scan is run:
   • For Number of Allowable Ports, optional setting to specify the threshold to trigger the anomaly detection.
   • For Attribute to Match, optional setting to find a Node running the port scan.
5. Click Update.

Create Node Group For Port Scan Run

1. Go to Policy in the top panel.
2. Go to Policy > Group > Node in the left Policy panel.
3. Click on Tasks > Create
4. For ID: Port Scan Run.
5. For Status: Enabled.
6. For Boolean Operator select OR.
7. Find and click on Add in Condition section.
8. For each Anomaly you want to add use the followings:
   • Options: Anomaly
   • Operator: Detected is one of
   • Value: Port Scanning
9. Click Add.
10. Keep adding Conditions as needed.
11. Click Save.