Locate the first log entry for the Port Scan Detection and highlight it. Look at the details to determine the remote IP and the local ports associated with the detection, noting whether each port is UDP or TCP. Write these down, then locate a second Port Scan Detection log entry. Verify the IP and, if it is different, write it down. Write down any ports that were not listed previously. Locate a third log entry and repeat these steps to ensure you have a good sample of the ports and/or IPs involved.
Determine the identity of the remote IP. If the machine is unknown, it should be located and assessed for any security risk. If the remote IP is deemed safe, use the following steps to remediate the port scan detection:
Set the Hosts option to IP addresses and input the remote IP(s).
Change the protocol to TCP or UDP to match what was recorded from the log, and enter the list of local ports, separating each port with a comma and a space.
Save the rule.
SEPM Console > Policies > Firewall > Firewall policy (The one used by the affected client(s)) > Edit the policy > Rules
Click Add Blank Rule to create a new firewall rule.
Double-click the name (Rule 0) and rename it to something like Fix Port Scan.
Double-click the Host column, set the mode to Local/Remote, enter the remote IP(s), then click OK.
Double-click the Service column and check the services matching the identified ports, or add a custom port list with the protocol set to TCP or UDP to match what was recorded from the log and the local ports separated by commas (no spaces), then click OK to return to the rules. Note: The custom list will have no Service Name, but it will be checked upon creation.
Click OK to save the policy changes.
Note: Do not enter anything into the Local IP or the Remote ports fields. This can break the rule.
For a managed client, update the policy and ensure it matches the new policy serial number of its group in the manager. Unmanaged clients will put new rules into effect immediately.
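The first step above, collecting the remote IP(s), protocol and local ports across several Port Scan Detection entries and deduplicating them, is easy to get wrong by hand when there are many entries. The script below is an added example, not Symantec's code or the article's; the log line layout it parses is a constructed sample chosen for this example, not SEP's actual log format, so the regular expression must be adapted to the real export. It produces the port list in both formats the article calls for (comma and space for the client rule, commas without spaces for the SEPM custom service list).

```python
import re
from collections import defaultdict

# Constructed sample entries (assumed layout, NOT the real SEP log format).
# The last line is a different detection and must be ignored.
SAMPLE_LOG = """\
2024-01-08 09:12:01 Port Scan Detection remote=10.1.2.3 local_ports=TCP/22,TCP/80,TCP/443
2024-01-08 09:12:07 Port Scan Detection remote=10.1.2.3 local_ports=TCP/443,TCP/3389,UDP/161
2024-01-08 09:13:40 Port Scan Detection remote=192.168.5.9 local_ports=UDP/53,UDP/161
2024-01-08 09:14:02 Application blocked remote=10.1.2.3 local_ports=TCP/8080
"""

# Assumed field names; adjust to the columns of the real log export.
ENTRY_RE = re.compile(
    r"Port Scan Detection\s+remote=(?P<ip>\S+)\s+local_ports=(?P<ports>\S+)"
)


def collect_port_scan_targets(log_text):
    """Return {remote_ip: {"TCP": [ports], "UDP": [ports]}} aggregated over
    every Port Scan Detection entry, with duplicate ports removed and the
    ports sorted, mirroring the manual note-taking in the article."""
    targets = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue  # other detection types are not part of this fix
        for item in m.group("ports").split(","):
            proto, port = item.split("/")
            targets[m.group("ip")][proto.upper()].add(int(port))
    return {ip: {p: sorted(s) for p, s in protos.items()}
            for ip, protos in targets.items()}


def sepm_port_list(ports):
    """Format for the SEPM custom service list: commas, no spaces."""
    return ",".join(str(p) for p in ports)


def client_port_list(ports):
    """Format for the client rule editor: comma followed by a space."""
    return ", ".join(str(p) for p in ports)


if __name__ == "__main__":
    for ip, protos in collect_port_scan_targets(SAMPLE_LOG).items():
        for proto, ports in protos.items():
            print(f"{ip} {proto}: SEPM={sepm_port_list(ports)} "
                  f"client={client_port_list(ports)}")
```

Each remote IP still needs the identity check from the second step before any of these lists is turned into a rule.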
Imported Document ID: TECH226408