path: Policy - Advanced Correlation


Imagine you want to block port scanners by dropping their connection attempts. As a kind of Reconnaissance Protection, we can track and block a port scan based on IP-port combinations for a specific period. We focus on client (source) IP and server (destination) port.

To implement this, we use Advanced Correlation Scenarios. Doing so, we'll configure one Event Tracking Table, one Dynamic Network Object and three Rules.

Creating an Advanced Correlation Scenario

Inside the WebGUI go to: Policy, Advanced Correlation.

Press the ADD button, fill in a name and an optional note for this Advanced Correlation scenario & SAVE it.

Adding an Event Tracking Table

After saving, open the newly created scenario, switch to the Event Tracking Tables tab and click the ADD button.

In our scenario, we are using this Event Tracking Table (buffer) to track at most 1000 IP addresses with 101 ports each. That means we might end up with a data structure of up to 101000 entries in total.

Assign a Name and set:

  •  Retention Time for Event Tracking  to 60 seconds as we want to track all connections within a 60s window
  •  Primary Attribute Type  to "IP Address" with  Maximum Number of Primary Attributes  to "1000"
  •  Secondary Attribute Type  to "Layer 4 port" and  Maximum Number of Secondary Attributes per Primary One  to "101".

Later we'll need a data structure where we can store the IPs that we want to block. As blocking shall not last forever, we need individual timeouts per IP. Dynamic Network Objects (DNO) are the right ones for this job.

DNOs  can be understood as dynamic IP lists. You can create rules that add an IP to the list, remove it, or just check whether or not it is on the list. Furthermore, IPs can be removed from that list automatically, based on a timeout.

Adding a Dynamic Network Object

You can configure DNOs per Advanced Correlation Scenario (locally) or globally.

For our scenario, we'll go with a local DNO, that is, one defined within the scenario. Choose the Dynamic Network Objects tab and click the ADD button.

Assign a Name and set:

  •  Network  to "External"
  •  Size  to "1000" (IPs) and its  Timeout  to "3600" (60 x 60s = 1hr).

To actually put "IP – Port" combinations into the Event Tracking Table and IPs into the Dynamic Network Object, we need to create rules.

Adding the Rules

Now we are prepared to create the rules for gathering, identifying and finally blocking these clients based on the network traffic.

1. Putting the "Source IP – Destination Port" combination into our Event Tracking Table

Traffic is evaluated against rules. Thus, we need to set the right combination of conditions and actions.

Go to Rules and click the ADD button.

Assign a Name like "Detect TCP Connections" to the rule and set:

  • Source & Destination:
    • Source Networks "Any"
    • Destination Networks "Any"

  • Conditions section:
    • Layer 4 Protocol: "Transmission Control (6 TCP)".
      This adds a condition that checks the Protocol field in an IPv4 header to be 6 for TCP

  • Actions:
    • Enable  Add to Event Tracking Table  and set:
      • Event Tracking Table: use our "Ports Per Host"
      • Primary Attribute: "Client Address"
      • Secondary Attribute of Event: "Server Layer 4 port"


Store our first rule with SAVE.

Now we have a rule that puts all IP-Port combinations into our Event Tracking Table.

The next step is to count the ports per IP in that Event Tracking Table and to put the IPs that have more than 100 entries (that is, connections to ports) into a Dynamic Network Object.

2. Count and identify these IPs

Push ADD to create the next rule.

Assign a Name like "Detect Port Scanners" and:

  • Add the condition that there are at least 100 similar events within our Event Tracking Table
  • As the action, add these clients to our DNO "Hosts to block"

Store this rule with SAVE.

At this point, we've added a rule that puts the client IP and server port of all new TCP connections into an Event Tracking Table, and a rule that puts into a DNO those IPs that have had more than 100 entries in the ETT, thus more than 100 TCP connections within a minute.

Finally we need a rule that does something with the IPs in the DNO. This is pretty simple.

3. Block the identified Port Scanners

ADD another rule.

Assign a Name like "Handle DNO Entries", set the  Source Networks  to our Dynamic Network Object "Hosts to Block", as we want to block traffic from hosts on that list, and set  Final Action  to "Drop Traffic and Stop Processing" (for this rule). For debugging purposes, enable the  Log Action  as well.

SAVE the final rule.

You may ask yourself what the difference between "Drop" and "Reject" is. Dropping traffic does not care about the sender: it impolitely throws away the packets, whereas Reject politely informs all parties with a TCP reset (if possible).

Make sure all rules and the Correlation Scenario itself are enabled, and we're done. Port scanners will be blocked.

Your network is safe again.
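
The Event Tracking Table, the DNO and the three rules, modelled as an added Python example (not the product's code) and replayed over constructed traffic to show when a client gets blocked and when the block expires. Class and function names are hypothetical; evaluating the rules in the order they were created, ignoring new entries when a table is full, and a DNO timeout that is not refreshed are assumptions.

```python
# Added illustration of the scenario's logic, not the product's implementation.
RETENTION, MAX_IPS, MAX_PORTS = 60, 1000, 101  # Event Tracking Table settings
THRESHOLD, TCP = 100, 6                        # "at least 100 similar events"
DNO_SIZE, DNO_TIMEOUT = 1000, 3600             # Dynamic Network Object settings

class PortScanScenario:
    def __init__(self):
        self.ett = {}  # client IP -> {server port: time last seen}
        self.dno = {}  # blocked client IP -> expiry time

    def _expire(self, now):
        # Forget events older than the retention time and timed-out block entries.
        for ip in list(self.ett):
            self.ett[ip] = {p: t for p, t in self.ett[ip].items() if now - t < RETENTION}
            if not self.ett[ip]:
                del self.ett[ip]
        self.dno = {ip: exp for ip, exp in self.dno.items() if exp > now}

    def handle(self, now, client_ip, server_port, protocol=TCP):
        """Evaluate one new connection in rule order; return "drop" or "pass"."""
        self._expire(now)
        if protocol == TCP:
            # Rule 1: record the (client IP, server port) pair.
            # Assumption: a full table or list ignores new entries.
            ports = self.ett.get(client_ip)
            if ports is None and len(self.ett) < MAX_IPS:
                ports = self.ett[client_ip] = {}
            if ports is not None and (server_port in ports or len(ports) < MAX_PORTS):
                ports[server_port] = now
            # Rule 2: enough tracked ports puts the client on the block list.
            # Assumption: the timeout runs from the first add and is not refreshed.
            if (ports is not None and len(ports) >= THRESHOLD
                    and client_ip not in self.dno and len(self.dno) < DNO_SIZE):
                self.dno[client_ip] = now + DNO_TIMEOUT
        # Rule 3: drop everything whose source is on the block list.
        return "drop" if client_ip in self.dno else "pass"

def replay(events):
    """Feed (time, client IP, server port) tuples through one scenario."""
    scenario = PortScanScenario()
    return [scenario.handle(t, ip, port) for t, ip, port in events]

# Constructed sample traffic: 100 ports in 50 s, one normal client, later retries.
SCANNER, CLIENT = "203.0.113.7", "198.51.100.20"
SAMPLE = [(i * 0.5, SCANNER, 1 + i) for i in range(100)]
SAMPLE += [(55, CLIENT, 443), (100, SCANNER, 443), (3700, SCANNER, 443)]

if __name__ == "__main__":
    print(replay(SAMPLE)[98:])
```

In this model the connection that reaches the 100th tracked port is the first one dropped, the block outlives the 60 second tracking window, and it lapses once the 3600 second DNO timeout has passed.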