Sophos XG SFOS 16.01 - Anti-Portscan?

Greetings all,

I'm currently using the home version of Sophos XG and was wondering if there is a way to block port scans? I know that UTM has the ability for anti-portscans, but does XG have this capability as well?

Thanks.

Mike 

  • Mike,

    As far as I know, port scans can be blocked using IPS signatures. Maybe they will add it soon.

    Let's see if or have an idea.

    Good question! Thanks

  • Hi Luk and Mike,

    Take a look at my guide here. Now, start a port scan on XG and take a drop packet capture. You can see a denied log id=0103021, check the system log format attached to my guide. This is the denied entry for appliance access.

    By default, XG will drop such traffic unless the ports are explicitly allowed through the device access option.

    Hope that helps :)

  • In reply to sachingurung:

    Thanks Sachin.

    Anti-port scan requires an additional module so the system knows when an attacker is trying to find open ports and so blocks the attacker from going ahead. We know that XG blocks ports that are not allowed, but anti-portscan has a different meaning. I think that port scan should be available with the anti-DoS engine. Sachin, can you find out and reply back here? UTM9 has the portscan feature besides the implicit deny from the firewall module.

    We will appreciate it!

    Regards

  • In reply to sachingurung:

    sachingurung

    By default XG will drop such traffic, unless the ports are explicitly allowed through the device access option.

    Luk is right: anti-portscan means that when a port scan is detected, even open ports are hidden from the scanning software. This has been available in UTM since v5, I believe. Very nice feature.

  • In reply to sachingurung:

    Can you make sure that anti-port scan will be added to XG soon?

    Honestly we do not need to open a feature request for this basic feature. Zip it!

    Anti-port scan is like having NAT on a router!

    Thanks

  • In reply to lferrara:

    Hi Luk,

    Anti Port Scan is available in XG. I have initiated a communication with other internal teams to discover other details over it. I will update this thread once I receive any information further.

    Thanks

  • In reply to sachingurung:

    sachingurung

    Hi Luk,

    Anti Port Scan is available in XG. I have initiated a communication with other internal teams to discover other details over it. I will update this thread once I receive any information further.

    Thanks

    We are looking forward to hearing from you!

    We need an answer ASAP.

    Thanks

  • In reply to lferrara:

    Do you have any update on this from the internal team? This is very important for the selling and installation phases.

    Thanks

  • In reply to lferrara:

    Hi Luk,

    After a bit of research, I have discovered the IP Flood option inside IPS > DoS Attack. I think it is related to the Anti Port Scan feature, but we can't find any way to configure any value or even an option to simply enable or disable it. I have initiated a request to the developers to find out what this feature is for and how to enable and configure it. Also, is it associated with the Anti Port Scan feature, as I think?

    Why? Because, according to the UTM 9 help doc, port scan is something that is detected and countered on the basis of the source address: "Portscans from the same source address can be blocked automatically. Please note that the portscan detection is limited to Internet interfaces, i.e. interfaces with a default gateway.

    Technically speaking, a portscan is detected when a detection score of 21 points in a time range of 300 ms for one individual source IP address is exceeded."

    Awaiting response from the developers.
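To make the quoted UTM 9 rule concrete, here is an added example (not Sophos code and not anything the thread's participants posted) of a per-source-IP sliding-window portscan scorer: the 21-point threshold and 300 ms window are the values quoted from the UTM help text, while the point value assigned to each probe, the `Event` record, and the sample traffic are my own assumptions constructed for illustration.

```python
"""Sliding-window portscan scoring, modelled on the UTM 9 rule quoted above.

Added example; the point-per-probe scheme and the sample events are assumptions,
only the threshold (21 points) and window (300 ms) come from the quoted help text.
"""
from collections import defaultdict, deque
from typing import Dict, Iterable, List, NamedTuple

SCORE_THRESHOLD = 21   # points, per source IP (quoted UTM 9 value)
WINDOW_MS = 300        # detection window in milliseconds (quoted UTM 9 value)


class Event(NamedTuple):
    """One connection attempt seen by the firewall (constructed record format)."""
    ts_ms: int       # timestamp in milliseconds
    src_ip: str      # source address the score is tracked for
    dst_port: int    # destination port probed
    accepted: bool   # True if a service answered, False if the packet was dropped


def score_for(event: Event) -> int:
    # Assumption (not from the page): a probe that hits a dropped port scores 2,
    # a probe that a listening service accepted scores 1.
    return 1 if event.accepted else 2


class PortscanDetector:
    """Tracks a rolling score per source IP and flags the source once it exceeds the threshold."""

    def __init__(self, threshold: int = SCORE_THRESHOLD, window_ms: int = WINDOW_MS):
        self.threshold = threshold
        self.window_ms = window_ms
        self._windows: Dict[str, deque] = defaultdict(deque)  # src_ip -> (ts_ms, points)
        self.flagged: Dict[str, int] = {}                     # src_ip -> ts_ms of first detection

    def observe(self, event: Event) -> bool:
        """Feed one event in time order; returns True once the source is considered a scanner."""
        if event.src_ip in self.flagged:
            return True
        win = self._windows[event.src_ip]
        win.append((event.ts_ms, score_for(event)))
        # Evict entries that fell out of the 300 ms window.
        while win and win[0][0] < event.ts_ms - self.window_ms:
            win.popleft()
        total = sum(points for _, points in win)
        if total > self.threshold:          # "exceeded", so strictly greater
            self.flagged[event.src_ip] = event.ts_ms
            return True
        return False


def run(events: Iterable[Event]) -> Dict[str, int]:
    """Replay events in timestamp order; returns {src_ip: ts_ms of first detection}."""
    det = PortscanDetector()
    for e in sorted(events, key=lambda e: e.ts_ms):
        det.observe(e)
    return dict(det.flagged)


def sample_events() -> List[Event]:
    """Constructed traffic: one fast scanner and one ordinary client (RFC 5737 addresses)."""
    events: List[Event] = []
    # Scanner: 15 probes 10 ms apart against ports 20-34; only port 22 is listening.
    for i in range(15):
        port = 20 + i
        events.append(Event(1000 + 10 * i, "203.0.113.5", port, accepted=(port == 22)))
    # Ordinary client: a few web connections spread over two seconds.
    for i, port in enumerate([443, 443, 80, 443]):
        events.append(Event(500 + 600 * i, "198.51.100.7", port, accepted=True))
    return events


if __name__ == "__main__":
    for src, ts in run(sample_events()).items():
        print(f"{src} flagged as portscan at t={ts} ms")
```

The scanner crosses 21 points on its twelfth probe (at t=1110 ms), so everything it sends afterwards, including probes to the genuinely open port 22, can be dropped by the caller, which is the "open ports are hidden" behaviour the thread describes; the ordinary client never accumulates more than one point inside any 300 ms window. A slow scanner that spaces probes 100 ms apart would hold at most four probes in the window and stay under the threshold, which is the trade-off any fixed-window rule like this makes.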

  • In reply to sachingurung:

    Hi Sachin Gurung!

    Do you have any update?

    Thanks

    Alexander

  • In reply to Alexander Bondar:

     Hi Alexander,

    Thanks for bringing this up. I have reinitiated a conversation internally, will get back to you shortly.

    Thanks

  • In reply to sachingurung:

    Do you have any update on this question?

    This is very important.

    Thanks

  • In reply to lferrara:

    Anti Port Scan is not available in the XG firewall. After a long discussion with the Dev. Team, SFOS supports packet-based DoS protection. We are enhancing it further to do connection-based DoS protection. Please raise it as a feature request on Sophos Ideas and cast your votes. I have personally initiated a request internally.

    Thank you

  • In reply to sachingurung:

    Unbelievable!

    XG does not have an anti-port scan feature. Guys, it is an NGFW.

    Angry

    http://ideas.sophos.com/forums/330219-xg-firewall/suggestions/19243372-anti-portscan

    Vote please!

  • In reply to lferrara:

    This is what is so frustrating about XG. They work on items that look good on paper but basic items that you would expect from NGFW are missing.

    It's really irritating when Astaro has been doing this stuff for years and yet Sophos doesn't even try to bring basic UTM9 functions to XG.