Port scanning from trusted to external: exclude from monitoring

Roberto

I have a branch office with an XTM21 (but this could also happen with newer models) where PCs are randomly put in blocked sites list with reason "Port scanning".
It happens rarely (say once every couple of months), so it's really hard to track.
I suspect that this has something to do with a printer monitoring software or something similar, but I can't tell for sure.
I also tried to run a packet capturing tool, but due to the randomness of the issue I've not been able to identify the process that is causing this.

It would be fine for me to disable port scanning checks for traffic that originates from the trusted network, while I would like to keep in place checks for traffic from external.

Is there a way to do this? The only setting I found for port scan is in "Default packet handling" and seems to be related to every kind of traffic.

Thank you!

james.carson

Hi @Roberto

I'd suggest just adding your internal subnet(s) to the blocked sites exception list. On some older versions of Fireware, internal clients can be added to the blocked sites list for default threat protection rule hits (usually port scanning.)

See:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/intrusionprevention/blocked_sites_create_exceptions_c.html