Attackers frequently look for open ports as starting points to launch network attacks. A port space probe is TCP or UDP traffic that is sent to a range of ports. These ports can be in sequence or random, from 0 to 65535. An address space probe is TCP or UDP traffic that is sent to a range of network addresses. Port space probes examine a computer to find the services that it uses. Address space probes examine a network to see which network devices are on that network.
For more information about ports, see About Ports.
An address space probe is identified when a computer sends a specified number of packets to different IP addresses assigned to an XTM device interface. To identify a port space probe, your XTM device counts the number of packets sent from one IP address to any XTM device interface IP address. The addresses can include the primary IP addresses and any secondary IP addresses configured on the interface. If the number of packets sent to different IP addresses or destination ports in one second is larger than the number you select, the source IP address is added to the Blocked Sites list.
When the Block Port Space Probes and Block Address Space Probes check boxes are selected, all incoming traffic on all interfaces is examined by the XTM device. You cannot disable these features for specified IP addresses, specified XTM device interfaces, or different time periods.
The default configuration of the XTM device blocks network probes. You can use
To block attackers more quickly, you can set the threshold for the maximum allowed number of address or port probes per second to a lower value. If the number is set too low, the XTM device could also deny legitimate network traffic. You are less likely to block legitimate network traffic if you use a higher number, but the XTM device must send TCP reset packets for each connection it drops. This uses bandwidth and resources on the XTM device and provides the attacker with information about your firewall.
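The counting rule described above (distinct destination addresses or destination ports from one source IP within one second, compared against a per-second threshold) and the threshold trade-off in the previous paragraph can be illustrated with a small simulator. This is an added example, not WatchGuard code and not the XTM device's actual implementation: the traffic records, the firewall interface addresses in 198.51.100.0/24, and the threshold values of 10 and 2 are all constructed for the illustration, and the device defaults are not shown on this page.

```python
"""Simplified probe counter in the spirit of the port/address space probe rule
described above. Constructed data and hypothetical thresholds; not vendor code."""
from collections import defaultdict
from math import floor

# Constructed sample traffic: (timestamp_seconds, src_ip, dst_ip, dst_port).
# 198.51.100.0/24 stands in for the firewall's interface addresses (constructed).
SAMPLE_FLOWS = (
    # port space probe: one source, one firewall IP, 16 distinct ports inside one second
    [(0.05 * i, "203.0.113.5", "198.51.100.1", 20 + i) for i in range(16)]
    # address space probe: one source, port 80, 12 distinct firewall IPs inside one second
    + [(1.0 + 0.07 * i, "203.0.113.9", f"198.51.100.{i + 1}", 80) for i in range(12)]
    # legitimate client: three services on one IP, spread over a few seconds
    + [(0.1, "192.0.2.7", "198.51.100.1", 443), (0.4, "192.0.2.7", "198.51.100.1", 80),
       (0.8, "192.0.2.7", "198.51.100.1", 22), (2.3, "192.0.2.7", "198.51.100.1", 443)]
)


def detect_probes(flows, port_threshold=10, address_threshold=10):
    """Return {src_ip: set_of_reasons} for sources whose distinct destination ports
    or distinct destination addresses within any one-second bucket exceed the
    corresponding threshold. Thresholds are hypothetical, not the device defaults."""
    ports = defaultdict(set)   # (src, second) -> distinct destination ports seen
    addrs = defaultdict(set)   # (src, second) -> distinct destination addresses seen
    for ts, src, dst, dport in flows:
        key = (src, floor(ts))  # one-second bucket, matching the per-second rule
        ports[key].add(dport)
        addrs[key].add(dst)
    flagged = defaultdict(set)
    for (src, _), seen in ports.items():
        if len(seen) > port_threshold:
            flagged[src].add("port space probe")
    for (src, _), seen in addrs.items():
        if len(seen) > address_threshold:
            flagged[src].add("address space probe")
    return dict(flagged)


def blocked_sites(flows, port_threshold=10, address_threshold=10):
    """Sorted source IPs that this simulator would add to the Blocked Sites list."""
    return sorted(detect_probes(flows, port_threshold, address_threshold))


if __name__ == "__main__":
    for src, reasons in detect_probes(SAMPLE_FLOWS).items():
        print(src, sorted(reasons))
    # A lower threshold blocks the probes on fewer packets, but here it also
    # catches the legitimate client that touched three ports in one second.
    print("threshold 2:", blocked_sites(SAMPLE_FLOWS, port_threshold=2, address_threshold=2))
```

With the threshold at 10, only the two probing sources are flagged; at 2, the legitimate client (three distinct ports in one second) is blocked as well, which is the false-positive risk the paragraph above warns about when the value is set too low.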
About Default Packet Handling Options