I have been trying to stop our ports from showing as open on nmap as we have a very important scan happening soon. They are not open...
So I tweaked my Zone Protection policy to make sure that RED is applied, lowered the alert threshold to a low level and even lowered the 'activate' to a really low level, and committed. Re-ran the nmap scan and the same result is happening.
Whatever I do I still get the same result. I have recon protection set to interval 2 and threshold 2 with the action of block-ip for 2 mins and still nmap shows the ports as open.
What am I missing?

RED is to protect against SYN floods, not scans. You'd need to create security policies to drop these ports: you may currently have rules accepting "any" service, or applications with dynamic ports.
So would that be an untrust block then?
look here...
Correct, the scan takes a while to kick in while a blocked port just drops the connection altogether, depends on your needs
I just need to stop us from showing open ports and I just cannot get it done 😥
Create specific rules for all the services that need to come in, then set a drop rule for everything else (untrust to untrust, also untrust to dmz), and set inbound NAT rules to specific ports only.
Did you get it to work as expected?
Sadly not as we discussed. Still getting open ports.
I reproduced your issue in my lab to make sure I wasn't going insane, so here's what I needed to do to get my firewall to go stealthy:
- I created an untrust to untrust drop rule with services set to "any" (app-default will allow trickle)
- set zone protection to RED, as SYN cookies return a cookie that the client could identify as an open port
These did the trick.
Would this be at the top of the policies, and would it not affect any services? And thanks for lab'ing.
You will need to check 2 things before adding this at the top:
- anything terminating from the internet on that IP needs to be allowed (GP, ipsec tunnels)
- some NAT rules may redirect incoming connections to internal servers; those ports will be open unless you add the recon protection aspect of ZP
Also any service routes attached to the external interface ;)
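As an added check (not from anyone in this thread): after putting in the drop rule and the allow rules for the services that must still terminate on the untrust IP, re-run nmap with grepable output and flag anything still reported as "open" that is not on your intended allow-list. The sample scan output and the allow-list (443/tcp for GlobalProtect, 500 and 4500/udp for IPsec) are constructed assumptions; adjust them to your own rules.

```python
import re

# Constructed sample of `nmap -sS -sU -oG -` grepable output for one host;
# it is not a real scan result. Tab characters separate the fields, as nmap emits them.
SAMPLE_GREPABLE = (
    "# Nmap scan initiated as: nmap -sS -sU -oG - 203.0.113.10\n"
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, "
    "8080/open|filtered/tcp//http-proxy///, 500/open|filtered/udp//isakmp///, "
    "4500/open/udp//nat-t-ike///\tIgnored State: filtered (1995)\n"
    "# Nmap done\n"
)

# Assumed allow-list of services meant to terminate on the untrust IP
# (GlobalProtect on 443/tcp, IPsec on 500 and 4500/udp). Adjust to your own rules.
EXPECTED_OPEN = {(443, "tcp"), (500, "udp"), (4500, "udp")}

# One grepable port entry: port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp|sctp)/[^/]*/([^/]*)/")


def parse_grepable(text):
    """Return {host: [(port, state, proto, service), ...]} from nmap -oG output."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("\tPorts:", 1)[1].split("\t")[0]
        entries = [(int(m.group(1)), m.group(2), m.group(3), m.group(4))
                   for m in PORT_RE.finditer(ports_field)]
        results.setdefault(host, []).extend(entries)
    return results


def unexpected_open(results, expected=EXPECTED_OPEN):
    """Ports reported as 'open' (the host answered, e.g. a SYN-ACK or a SYN cookie)
    that are not on the allow-list. 'open|filtered' and 'filtered' mean no answer,
    which is what a drop rule looks like from the outside, so they are not flagged."""
    findings = []
    for host, entries in results.items():
        for port, state, proto, service in entries:
            if state == "open" and (port, proto) not in expected:
                findings.append((host, port, proto, service))
    return findings


if __name__ == "__main__":
    for host, port, proto, service in unexpected_open(parse_grepable(SAMPLE_GREPABLE)):
        print(f"{host}: {port}/{proto} ({service}) still answers; check NAT and allow rules")
```

Feed it a real `nmap -oG` file from outside your perimeter; an empty result means every port not on the allow-list now drops silently instead of answering.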