Cisco Firepower Management Center 4000
FireSIGHT System User Guide, page 28-5
Chapter 28      Detecting Specific Threats
  Detecting Portscans
See the following sections for more information:
Configuring Portscan Detection
License: Protection
The portscan detection configuration options allow you to finely tune how the portscan detector reports scan activity.
Note that enabling portscan detection is not sufficient on its own: on the Rules page you must also enable the rules with generator ID (GID) 122 that correspond to each enabled portscan type, or the portscan detector will not generate portscan events. See  and the  table for more information.
To configure portscan detection:
Access: Admin/Intrusion Admin
Step 1  Select Policies > Intrusion > Intrusion Policy.
The Intrusion Policy page appears.
Step 2  Click the edit icon next to the policy you want to edit.
If you have unsaved changes in another policy, click OK to discard those changes and continue. See  for information on saving unsaved changes in another policy.
The Policy Information page appears.
Step 3  Click Advanced Settings in the navigation panel on the left.
Table 28-4  Sensitivity Levels

Low: Detects only negative responses from targeted hosts. Select this sensitivity level to suppress false positives, but keep in mind that some types of portscans (slow scans, filtered scans) might be missed. This level uses the shortest time window for portscan detection.

Medium: Detects portscans based on the number of connections to a host, which means that you can detect filtered portscans. However, very active hosts such as network address translators and proxies may generate false positives. Note that you can add the IP addresses of these active hosts to the Ignore Scanned field to mitigate this type of false positive. This level uses a longer time window for portscan detection.

High: Detects portscans based on a time window, which means that you can detect time-based portscans. However, if you use this option, you should be careful to tune the detector over time by specifying IP addresses in the Ignore Scanned and Ignore Scanner fields. This level uses a much longer time window for portscan detection.
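To make the three sensitivity levels concrete, the following Python is an added, deliberately simplified model of the behaviour the table describes. It is written for this page and is not Cisco's or Snort's portscan detector code: the window lengths, the five-distinct-port threshold, the Flow record layout and the sample traffic are all constructed assumptions. What it shows is why the same traffic is or is not reported at each level (negative responses only at Low, every connection attempt at Medium and High, a progressively longer window at each step) and how the Ignore Scanner and Ignore Scanned lists suppress a known source or target.

```python
"""Simplified model of portscan sensitivity levels (added example, not Cisco/Snort code)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Flow:
    ts: float        # time of the connection attempt, seconds (constructed format)
    src: str         # candidate scanner
    dst: str         # candidate scanned host
    dport: int       # destination port probed
    negative: bool   # True if the target answered negatively (TCP RST / ICMP unreachable)


# Assumed per-level tuning; the real detector's constants are not on the page.
# window: seconds over which probes from one source to one target are correlated
# threshold: distinct ports within that window that trigger an event
# negative_only: count only negative responses (the Low-level behaviour in Table 28-4)
LEVELS: Dict[str, dict] = {
    "low":    dict(window=10.0,  threshold=5, negative_only=True),
    "medium": dict(window=60.0,  threshold=5, negative_only=False),
    "high":   dict(window=600.0, threshold=5, negative_only=False),
}


def detect_portscans(flows: Iterable[Flow], level: str,
                     ignore_scanner: Iterable[str] = (),
                     ignore_scanned: Iterable[str] = ()) -> List[Tuple[str, str, int]]:
    """Return one (scanner, target, distinct_ports) event per source/target pair whose
    largest sliding-window port count reaches the level's threshold."""
    cfg = LEVELS[level]
    skip_src, skip_dst = set(ignore_scanner), set(ignore_scanned)
    by_pair: Dict[Tuple[str, str], List[Flow]] = defaultdict(list)
    for f in flows:
        if f.src in skip_src or f.dst in skip_dst:
            continue                       # Ignore Scanner / Ignore Scanned tuning
        if cfg["negative_only"] and not f.negative:
            continue                       # Low: silently dropped probes are invisible
        by_pair[(f.src, f.dst)].append(f)

    events = []
    for (src, dst), probes in by_pair.items():
        probes.sort(key=lambda f: f.ts)
        best = 0                           # most distinct ports seen in any window
        for i in range(len(probes)):
            ports = set()
            for j in range(i, len(probes)):
                if probes[j].ts - probes[i].ts > cfg["window"]:
                    break                  # outside the window anchored at probe i
                ports.add(probes[j].dport)
            best = max(best, len(ports))
        if best >= cfg["threshold"]:
            events.append((src, dst, best))
    return sorted(events)


def sample_flows() -> List[Flow]:
    """Constructed traffic covering the cases the table distinguishes."""
    flows = []
    # Fast scan of a live host: closed ports answer RST, 22 and 80 are open.
    for i, port in enumerate([21, 22, 23, 25, 80, 443, 8080]):
        flows.append(Flow(float(i), "10.0.0.5", "192.168.1.10", port, port not in (22, 80)))
    # Slow filtered scan: one probe every 30 s, all silently dropped by a firewall.
    for i, port in enumerate([135, 139, 445, 1433, 3306, 3389, 5900, 8443]):
        flows.append(Flow(1000.0 + 30.0 * i, "10.0.0.6", "192.168.1.10", port, False))
    # Fast filtered scan: six ports in five seconds, no replies at all.
    for i, port in enumerate([22, 80, 443, 3389, 8080, 8443]):
        flows.append(Flow(2000.0 + i, "10.0.0.7", "192.168.1.20", port, False))
    # Authorised vulnerability scanner: noisy, and a candidate for Ignore Scanner.
    for i, port in enumerate([22, 80, 443, 3389, 8080, 8443]):
        flows.append(Flow(3000.0 + i, "10.0.0.50", "192.168.1.30", port, True))
    return flows


if __name__ == "__main__":
    traffic = sample_flows()
    for lvl in LEVELS:
        print(lvl, detect_portscans(traffic, lvl))
    print("high, authorised scanner ignored:",
          detect_portscans(traffic, "high", ignore_scanner=["10.0.0.50"]))
```

Running it, Low reports only the two scans that provoked RSTs, Medium adds the fast filtered scan, and High is the only level that catches the slow 30-second scan; adding the authorised scanner to the ignore list removes its event at every level, which is the tuning the High row of the table calls for.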