
Last updated: Jul 29, 2025

Configuring Portscan Detection


This section applies to Snort 2 preprocessors. For information on Snort 3 inspectors, see https://www.cisco.com/go/snort3-inspectors.

The portscan detection configuration options let you fine-tune how the portscan detector reports scan activity.

Procedure

1. Choose Policies > Access Control heading > Access Control, and then click Network Analysis Policy, or Policies > Access Control heading > Intrusion, and then click Network Analysis Policies.

   If your custom user role limits access to the first path listed here, use the second path to access the policy.

2. Click Snort 2 Version next to the policy you want to edit.

3. Click Edit (edit icon) next to the policy you want to edit.

   If View (View button) appears instead, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.

4. Click Settings.

5. If Portscan Detection under Specific Threat Detection is disabled, click Enabled.

6. Click Edit (edit icon) next to Portscan Detection.

7. In the Protocol field, specify the protocols to enable.

   TCP stream processing must be enabled to detect scans over TCP, and UDP stream processing must be enabled to detect scans over UDP.

8. In the Scan Type field, specify the portscan types you want to detect.

9. Choose a level from the Sensitivity Level list; see Portscan Types, Protocols, and Filtered Sensitivity Levels.

10. If you want to monitor specific hosts for signs of portscan activity, enter the host IP address in the Watch IP field.

    You can specify a single IP address or address block, or a comma-separated list of either or both. Leave the field blank to watch all network traffic.

11. If you want to ignore hosts as scanners, enter the host IP address in the Ignore Scanners field.

    You can specify a single IP address or address block, or a comma-separated list of either or both.

12. If you want to ignore hosts as targets of a scan, enter the host IP address in the Ignore Scanned field.

    You can specify a single IP address or address block, or a comma-separated list of either or both.

    Use the Ignore Scanners and Ignore Scanned fields to indicate hosts on your network that are especially active. You may need to modify this list of hosts over time.

13. If you want to discontinue monitoring of sessions picked up in mid-stream, clear the Detect Ack Scans check box.

    Detection of mid-stream sessions helps to identify ACK scans, but may cause false events, particularly on networks with heavy traffic and dropped packets.

14. To save changes you made in this policy since the last policy commit, click Policy Information, then click Commit Changes.

    If you leave the policy without committing changes, changes since the last commit are discarded if you edit a different policy.
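To show how the Watch IP, Ignore Scanners and Ignore Scanned fields (steps 10 to 12) narrow what the detector reports, here is an added Python model; it is not Cisco's or Snort's code. It assumes a simple distinct-port threshold in place of the sensitivity level, treats Watch IP as matching either endpoint of a candidate scan, and runs over constructed sample flows.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

def parse_addr_field(text):
    # Field syntax from the procedure: a single IP or address block, or a
    # comma-separated list of either. Blank means no entries (for Watch IP,
    # that means watch all traffic).
    return [ip_network(part.strip(), strict=False)
            for part in text.split(",") if part.strip()]

def in_any(addr, nets):
    a = ip_address(addr)
    return any(a in n for n in nets)

def candidate_scans(flows, min_ports=5):
    # Group flows by (scanner, scanned) and flag pairs that touched at least
    # `min_ports` distinct destination ports. The threshold is an assumption
    # standing in for the Sensitivity Level chosen in the GUI.
    ports = defaultdict(set)
    for src, dst, dport in flows:
        ports[(src, dst)].add(dport)
    return sorted(pair for pair, p in ports.items() if len(p) >= min_ports)

def report_scans(flows, watch_ip="", ignore_scanners="", ignore_scanned="", min_ports=5):
    watch = parse_addr_field(watch_ip)
    skip_src = parse_addr_field(ignore_scanners)
    skip_dst = parse_addr_field(ignore_scanned)
    reported = []
    for src, dst in candidate_scans(flows, min_ports):
        # Watch IP, when set, keeps only scans touching a watched host on
        # either side (assumption of this model).
        if watch and not (in_any(src, watch) or in_any(dst, watch)):
            continue
        # Ignore Scanners drops by source, Ignore Scanned drops by target.
        if in_any(src, skip_src) or in_any(dst, skip_dst):
            continue
        reported.append((src, dst))
    return reported

# Constructed sample flows (src, dst, dst_port); not captured traffic.
SAMPLE_FLOWS = (
    [("10.0.0.5", "192.168.1.10", p) for p in (21, 22, 23, 25, 80, 443)]   # busy host
    + [("10.0.0.7", "192.168.1.20", p) for p in (22, 80, 443, 8080, 8443)]  # scan in watch
    + [("10.0.0.9", "192.168.1.30", p) for p in (80, 443)]                  # normal traffic
    + [("10.0.0.7", "172.16.5.5", p) for p in (1, 2, 3, 4, 5, 6)]           # outside watch
)

if __name__ == "__main__":
    print(report_scans(SAMPLE_FLOWS))
    print(report_scans(SAMPLE_FLOWS, watch_ip="192.168.1.0/24",
                       ignore_scanners="10.0.0.5", ignore_scanned="192.168.1.30"))
```

With no fields set, all three candidate pairs are reported; with the watch and ignore fields set, only the scan of 192.168.1.20 by 10.0.0.7 survives.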

What to do next