Sophos XG SFOS 16.01 - Anti-Portscan?

Greetings all,

I'm currently using the home version of Sophos XG and was wondering if there is a way to block port scans? I know that UTM has the ability for anti-portscans, but does XG have this capability as well?





  • In reply to Billybob:

    Here is a KB about how portscan detection actually works in UTM 7 and 8. Looks like the mechanism is a little smarter than I thought. It weighs different connection attempts and then blocks the connection after a certain threshold.

    A portscan is detected when a detection score of 21 points in a time range of 300 ms for one individual source IP address is exceeded. The detection score is calculated as follows:
    Scan of a TCP destination port less than 1024: 3 points
    Scan of a TCP destination port greater or equal 1024: 1 point
    Scan of ports 11, 12, 13, 2000: 10 points

    Here are the portscan rules in UTM 9, for example; multiple rules are combined to achieve what is mentioned in the KB article above.

    gatekeeper:/home/login # iptables -L PSD_ACTION -v
    Chain PSD_ACTION (1 references)
    pkts bytes target prot opt in out source destination
    0 0 NFLOG all -- any any anywhere anywhere limit: avg 5/sec burst 5 LOGMARK match 60017 nflog-prefix "PORTSCAN: "
    0 0 DROP all -- any any anywhere anywhere

    gatekeeper:/home/login # iptables -L PSD_MATCH -v
    Chain PSD_MATCH (2 references)
    pkts bytes target prot opt in out source destination
    0 0 PSD_ACTION all -- eth1 any anywhere anywhere -m psd --psd-weight-threshold 21 --psd-delay-threshold 300 --psd-lo-ports-weight 3 --psd-hi-ports-weight 1
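
The scoring described in the quoted KB and in the `-m psd` rule above can be modelled in a few lines. What follows is an added example, not Sophos or Xtables-addons code: it re-implements the weighted counting (3 points for a destination port below 1024, 1 point at or above 1024, the 10-point ports 11/12/13/2000 taken from the KB text rather than from the rule's flags, a 21-point threshold, and a window of 300 time units reset when a source goes quiet) and runs it over constructed traffic for a fast scan, a repeated connection to one port, a scan that hits the 10-point ports, and a scan spaced out beyond the window. The unit of `--psd-delay-threshold` is the one point to check against your own system: the KB quote says 300 ms, while the xt_psd documentation gives the option in hundredths of a second (so 300 = 3 s); the code is unit-agnostic and only compares timestamps against the configured value. Details such as per-host table limits and UDP handling in the real kernel module are left out.

```python
"""Toy model of the iptables `psd` port-scan scoring quoted in the post above.
Added illustration, not code from Sophos UTM or from the xt_psd module."""
from dataclasses import dataclass, field

WEIGHT_THRESHOLD = 21   # --psd-weight-threshold 21
DELAY_THRESHOLD = 300   # --psd-delay-threshold 300 (same units as the timestamps below)
LO_PORTS_WEIGHT = 3     # --psd-lo-ports-weight 3: dport < 1024
HI_PORTS_WEIGHT = 1     # --psd-hi-ports-weight 1: dport >= 1024
SPECIAL_PORTS = {11: 10, 12: 10, 13: 10, 2000: 10}  # 10 points each, per the KB text


def port_weight(dport: int) -> int:
    """Score contributed by one *new* destination port from a source."""
    if dport in SPECIAL_PORTS:
        return SPECIAL_PORTS[dport]
    return LO_PORTS_WEIGHT if dport < 1024 else HI_PORTS_WEIGHT


@dataclass
class SourceState:
    weight: int = 0
    last_seen: int = 0
    ports: set = field(default_factory=set)


class PortscanDetector:
    """Per-source scoring: a packet matches once the source's accumulated
    weight reaches the threshold within one delay window."""

    def __init__(self, weight_threshold=WEIGHT_THRESHOLD, delay_threshold=DELAY_THRESHOLD):
        self.weight_threshold = weight_threshold
        self.delay_threshold = delay_threshold
        self.sources: dict = {}

    def observe(self, src: str, dport: int, ts: int) -> bool:
        """Return True if this packet would match psd (and so hit PSD_ACTION -> DROP)."""
        st = self.sources.get(src)
        if st is None or ts - st.last_seen > self.delay_threshold:
            # First packet from this host, or the gap since the previous packet
            # exceeded the delay threshold: start a fresh scoring window.
            st = SourceState()
            self.sources[src] = st
        st.last_seen = ts
        if dport not in st.ports:
            # Only *different* destination ports add weight; hammering one
            # port (a normal client retrying) never raises the score.
            st.ports.add(dport)
            st.weight += port_weight(dport)
        return st.weight >= self.weight_threshold


def run(events, **kw):
    """events: iterable of (ts, src, dport). Returns [(src, dport, dropped), ...]."""
    det = PortscanDetector(**kw)
    return [(src, dport, det.observe(src, dport, ts)) for ts, src, dport in events]


def first_drop_index(results):
    """Index of the first packet the model would drop, or None if none."""
    for i, (_, _, dropped) in enumerate(results):
        if dropped:
            return i
    return None


# Constructed sample traffic (not captured data); timestamps share DELAY_THRESHOLD's unit.
FAST_SCAN = [(i * 10, "198.51.100.7", p)
             for i, p in enumerate([22, 80, 443, 21, 25, 23, 110, 143, 3389])]
NORMAL_CLIENT = [(i * 10, "203.0.113.5", 443) for i in range(30)]
SPECIAL_SCAN = [(0, "192.0.2.44", 13), (5, "192.0.2.44", 11), (10, "192.0.2.44", 22)]
SLOW_SCAN = [(i * 400, "192.0.2.9", p)        # every gap > DELAY_THRESHOLD
             for i, p in enumerate([22, 80, 443, 21, 25, 23, 110, 143])]

if __name__ == "__main__":
    for name, events in [("fast scan", FAST_SCAN), ("normal client", NORMAL_CLIENT),
                         ("special ports", SPECIAL_SCAN), ("slow scan", SLOW_SCAN)]:
        idx = first_drop_index(run(events))
        print(f"{name:14s} first dropped packet: {idx}")
```

Two things worth noticing when you run it. The fast scan of seven low ports (7 x 3 = 21) is caught on its seventh packet, and the 10-point ports trip the threshold after just three probes, so the scoring is tuned to catch quick sweeps of the well-known range. The slow scan, with every probe spaced beyond the delay window, resets its score each time and is never matched, which is exactly how a patient scanner gets past this kind of countermeasure; it detects noise, it does not reduce what is exposed.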

  • FormerMember

    In reply to Billybob:

    Is portscan detection planned for v17?

  • In reply to FormerMember:

    I guess it is planned somewhere later than v17. V17 should now be ready, or almost. The feature request is not even considered or planned on the ideas website.


  • FormerMember

    In reply to lferrara:

    Isn't this a big security vulnerability?

  • In reply to FormerMember:


    It is not a security vulnerability, but it is one security countermeasure that is missing.

    Vulnerability has a different meaning!

    I was shocked too when I discovered that anti-port scan was missing. No update since then!

    And the other strange thing is that users discovered this missing feature... even at Sophos they forgot to add it!

  • Hi Mike,

    The feature is not considered yet. To promote this feature, I would encourage you to add a vote to it so that it can be made available in a future release.

  • In reply to Aditya Patel:

    Hi Aditya, and thanks for the reply. As mentioned earlier in the thread, a feature request for such a basic feature is like requesting NAT on a router. I think there needs to be a feature request to bring all the basic UTM features into XG. Everyone will vote for it, and I think it will cover most of the feature requests pending for XG.

  • FormerMember

    In reply to Billybob:



    Is it a big problem for security not to have anti-portscan?

    I think so; what do you think about it?


    Regards Meghan

  • In reply to FormerMember:

    Meghan, it is another piece of the puzzle missing. The more layers you have, the safer you are. So XG is missing another piece... however, relying on one product to achieve security is absolutely wrong! A big mistake that many security admins make.

  • FormerMember

    In reply to lferrara:

    Hi Luk,


    It's true, but I don't have so much experience.

    What security principle do you recommend, i.e. which software/hardware products do you use/recommend for a network with no servers, only clients?


    Regards Meghan

  • In reply to FormerMember:

    Meghan, if you have only clients, the firewall should be turned on with no exceptions, because connections start from clients to servers and not vice versa. Close all the ports and you will be safe from external attacks. Having Windows Firewall on, even on computers, will prevent malware from jumping from one computer to another because ports are closed.

    The story is long. Enroll a Security Architect if you need advanced security advice. Send me a PM if you need to and we can arrange something!

  • In reply to lferrara:

    I thought I would revive this thread, seems to have been dormant for a while now!

    I think this is a required countermeasure in the arena of security, so admins can tell if there are any potential probes being performed.

    Also, as a UTM user, this is essential when there is a server out on the 'wild internet'; it is invaluable for information about who is trying to interrogate your server.

    I have just voted for this feature, as it is a requirement for our arsenal of tools available for these pesky .... (ooh, I feel like I am on scooby

  • In reply to JasonFell:

    Many updates later and still not included...sigh.