Guidelines and limitations for threat detection
- Threat detection requires Snort 3. The NAP portscan configuration is always ignored for a device running Snort 3; you must configure portscan using threat detection. For Snort 2, you can configure port scan through the NAP policy only. If there are Snort 2 devices assigned to the access control policy, the threat detection settings will not be deployed to those unsupported devices.
- Threat detection requires Snort 3. The managed device must be at version 7.2 or higher. For Snort 2, or devices at versions lower than 7.2, you can configure port scan through the NAP policy. Note that the threat detection feature is not the same as the port scan feature in the NAP policy. If there are non-Snort 3/version 7.2+ devices assigned to the access control policy, the threat detection settings will not be deployed to those unsupported devices.
- If you configure port scan in the NAP policy on a device running 7.1 or lower, that configuration is not translated to the threat detection feature on upgrade to 7.2. You must manually configure threat detection. Although the NAP and threat detection portscan options are similar, they do not match one-to-one.
- If you configure threat detection, any port scan configuration in the NAP policy is ignored and not configured on the devices that support threat detection.
- The NAP port scan feature for Snort 3 is always ignored for version 7.2+ devices. To configure port scanning, you must use the threat detection settings.
- Threat detection works on traffic that passes through the device only. It does not work on traffic directed to the device.
- In a high availability setup, port scanning statistics are not synchronized to the standby unit. However, blocked hosts are synchronized and continue to be blocked until the duration period expires in case of a failover.
- (Devices running Threat Defense versions 7.2-7.7). For nodes in a cluster, detection and prevention happen on the individual cluster node. That is, if node B detects and blocks traffic from a host, node A will not be aware of that action because port scan statistics are not synchronized across cluster nodes.
- (Devices running Threat Defense version 10.0+). For nodes in a cluster, detection and prevention happen at the cluster level. Portscans can be detected when they happen across nodes or in an individual node. Shunned hosts are shunned on all devices in the cluster. Shuns are released at the same time on all nodes. Statistics are available at the cluster level.
- For inline sets, or for interfaces that are configured to be part of an equal-cost multipath (ECMP) traffic zone, detection and prevention are done at the zone level. Portscan statistics for a host are accumulated across all interfaces of a zone. Similarly, when a host crosses configured thresholds, it is blocked across all interfaces of the corresponding zone.
- Although the portscan events generated by the threat detection feature are the same as the ones Snort issues for port scan, you do not need to enable port scanning intrusion rules to get the events. Threat detection works regardless of your intrusion policy implementation.
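The cluster and zone guidelines above all come down to where the portscan statistics are accumulated. The following constructed model (an added example, not Cisco's implementation) shows why that scope matters for coverage: the same probes from one source are counted per node, as on 7.2-7.7 clusters, and then at cluster or zone level, as on 10.0+ clusters and ECMP zones. The source address, port numbers, node and zone names, and the threshold of 20 distinct ports are all constructed sample values.

```python
from collections import defaultdict

# Constructed threshold: distinct destination ports one source may touch
# before it is flagged. Real thresholds come from the threat detection settings.
THRESHOLD = 20

# Constructed probes: (source, destination_port, node, zone). One source probes
# 30 distinct ports, spread evenly over three cluster nodes in the same ECMP zone.
PROBES = [("10.0.0.5", 1000 + p, f"node{p % 3}", "zone-outside") for p in range(30)]


def scan_statistics(probes, scope):
    """Distinct destination ports per source, keyed by the unit that keeps
    the counters. scope is "node" (counters private to each node, not
    synchronized), "cluster" (one shared counter set) or "zone" (counters
    accumulated across all interfaces of a traffic zone)."""
    ports = defaultdict(set)
    for src, port, node, zone in probes:
        if scope == "node":
            unit = node
        elif scope == "cluster":
            unit = "cluster"
        elif scope == "zone":
            unit = zone
        else:
            raise ValueError(f"unknown scope: {scope}")
        ports[(unit, src)].add(port)
    return ports


def flagged_sources(probes, scope, threshold=THRESHOLD):
    """Sources whose distinct-port count reaches the threshold in any unit."""
    stats = scan_statistics(probes, scope)
    return sorted({src for (_, src), seen in stats.items() if len(seen) >= threshold})


def ports_seen_per_unit(probes, scope):
    """How many distinct ports each unit counted for each source."""
    stats = scan_statistics(probes, scope)
    return {unit_src: len(seen) for unit_src, seen in stats.items()}


if __name__ == "__main__":
    for scope in ("node", "cluster", "zone"):
        print(scope, ports_seen_per_unit(PROBES, scope), "flagged:", flagged_sources(PROBES, scope))
```

With per-node counters each node sees only 10 of the 30 ports and nothing is flagged, whereas the cluster-level and zone-level counters reach 30 and flag the source; the same gap applies to the HA standby, which receives blocked hosts but not the statistics.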