
Floors & Penalties

After the four factors are summed into a raw score, three post-processing mechanisms can raise the score further (none of them can lower it). They enforce minimum severity levels for dangerous patterns and add a penalty for risky configurations. They are applied in the order listed below.

```mermaid
flowchart TD
    A[Raw Score] --> B{Zone Policy Floor?}
    B -- Deny → min 51 --> C
    B -- Review → min 26 --> C
    B -- No floor --> C
    C{Plaintext Protocol?}
    C -- Yes → enforce min 26 --> D[Apply +10 Penalty]
    C -- No --> E
    D --> E{Any-Any Combo?}
    E -- Yes --> F[Apply Any-Any Floor]
    E -- No --> G[Final Score]
    F --> G
```

1. Zone Policy floors

When a zone matrix is active, the zone-to-zone policy can enforce a minimum final score:

| Zone Policy | Floor | Effect |
|-------------|-------|--------|
| Deny        | 51    | Forces at least a High rating |
| Review      | 26    | Forces at least a Medium rating |
| Allow       | -     | No floor applied |

If the raw score already meets or exceeds the floor, it passes through unchanged. These floors only apply when a zone matrix is active; without one, this stage is skipped entirely.

2. Plaintext protocol floor and penalty

Flows that include unencrypted protocols receive both a floor and an additive penalty. The check is purely port-based: it triggers when any of the following ports appear in the flow, regardless of what is actually running on that port.

| Port | Service |
|------|---------|
| 20   | FTP Data |
| 21   | FTP |
| 23   | Telnet |
| 69   | TFTP |
| 80   | HTTP |
| 110  | POP3 |
| 143  | IMAP |
| 161  | SNMP |
| 162  | SNMP Trap |
| 389  | LDAP |
| 512  | rexec |
| 513  | rlogin |
| 514  | rsh / Syslog |

When triggered:

  • Floor: The score is raised to at least 26 (Medium) if it was lower.
  • Penalty: +10 points are added on top of the current score. This penalty always applies, even if the score was already above the floor.

For example, a flow with a raw score of 15 that includes port 80 (HTTP) would first be raised to 26 (floor), then increased to 36 (penalty).

3. Any-Any combo floors

The most aggressive floor kicks in when both source and destination are 0.0.0.0/0 (any-to-any). The floor depends on how specific the port and protocol are:

| Condition | Floor |
|-----------|-------|
| Any port + any protocol | 100 |
| Any port OR any protocol (but not both) | 92 |
| Specific port + specific protocol | 88 |

An any-to-any flow with any port and any protocol receives the maximum possible score of 100 (Critical). Even with a specific service, the floor of 88 ensures these flows are always rated Critical.

Processing order

The three mechanisms are applied in sequence. Each floor is a maximum operation, so a later floor only changes the score when it is higher than the value the earlier stages produced; it never lowers it. The plaintext penalty is the one step that is additive rather than a floor:

  1. Zone Policy floor raises the score if needed.
  2. Plaintext floor raises the score if needed, then the +10 penalty is added.
  3. Any-Any floor raises the score if needed.

The result after all three stages is the final score used for labeling and display.
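The pipeline described in the Plaintext protocol, Any-Any combo and Processing order sections above, carried through in code as an added example (this is not the project's own implementation). It reproduces the page's worked example (raw 15 + port 80 → 36) and also handles the cases the text only implies: a zone floor followed by the plaintext penalty, and a plaintext flow that is then lifted to the any-any floor. The `Flow` shape, the use of an empty port set to mean "any port", the string `"any"` for "any protocol", and the cap at 100 are all assumptions made for this example.

```python
"""Post-processing of a raw flow risk score: zone-policy floor, then
plaintext-protocol floor + penalty, then any-any floor (in that order).
Added example with assumed data shapes; not the project's own code."""
from dataclasses import dataclass
from typing import Optional

# Ports the page lists as unencrypted services.
PLAINTEXT_PORTS = frozenset({20, 21, 23, 69, 80, 110, 143, 161, 162, 389, 512, 513, 514})
PLAINTEXT_FLOOR = 26
PLAINTEXT_PENALTY = 10

# Zone-to-zone policy floors; "allow" adds no floor.
ZONE_POLICY_FLOORS = {"deny": 51, "review": 26, "allow": 0}

ANY_NETWORK = "0.0.0.0/0"
MAX_SCORE = 100  # assumed cap: the page calls 100 the maximum possible score


@dataclass(frozen=True)
class Flow:
    """Minimal flow shape assumed for this example."""
    src: str                           # source CIDR
    dst: str                           # destination CIDR
    ports: frozenset[int]              # empty set = "any port" (assumption)
    protocol: str                      # "tcp", "udp", ... or "any" (assumption)
    raw_score: int                     # sum of the four factors
    zone_policy: Optional[str] = None  # None = no zone matrix active


def zone_policy_floor(flow: Flow) -> int:
    """Stage 1: floor from the zone-to-zone policy, 0 when no matrix is active."""
    if flow.zone_policy is None:
        return 0
    return ZONE_POLICY_FLOORS[flow.zone_policy.lower()]


def is_plaintext(flow: Flow) -> bool:
    """Stage 2 trigger. Literal reading of the page: only an explicitly listed
    port triggers it, so an "any port" flow does not; the any-any floor covers
    that case instead."""
    return bool(flow.ports & PLAINTEXT_PORTS)


def any_any_floor(flow: Flow) -> int:
    """Stage 3: floor for 0.0.0.0/0 -> 0.0.0.0/0 flows, 0 otherwise."""
    if not (flow.src == ANY_NETWORK and flow.dst == ANY_NETWORK):
        return 0
    any_port = not flow.ports
    any_proto = flow.protocol.lower() == "any"
    if any_port and any_proto:
        return 100
    if any_port or any_proto:
        return 92
    return 88


def post_process(flow: Flow) -> tuple[int, list[str]]:
    """Return (final_score, trace). Floors are max() operations, so a later
    floor only matters when it is higher than the score reached so far."""
    score = flow.raw_score
    trace: list[str] = [f"raw={score}"]

    # 1. Zone policy floor
    floor = zone_policy_floor(flow)
    if score < floor:
        score = floor
        trace.append(f"zone floor ({flow.zone_policy}) -> {score}")

    # 2. Plaintext floor, then the +10 penalty, which applies unconditionally
    if is_plaintext(flow):
        if score < PLAINTEXT_FLOOR:
            score = PLAINTEXT_FLOOR
            trace.append(f"plaintext floor -> {score}")
        score += PLAINTEXT_PENALTY
        trace.append(f"plaintext penalty -> {score}")

    # 3. Any-any floor
    floor = any_any_floor(flow)
    if score < floor:
        score = floor
        trace.append(f"any-any floor -> {score}")

    if score > MAX_SCORE:  # assumed cap; the page does not say where it is applied
        score = MAX_SCORE
        trace.append(f"capped -> {score}")
    return score, trace


if __name__ == "__main__":
    # Constructed samples: the page's worked example (raw 15 + HTTP -> 36)
    # and a fully open any-any flow (-> 100).
    http = Flow("10.0.0.0/8", "10.1.0.0/16", frozenset({80}), "tcp", 15)
    print(post_process(http))
    wide_open = Flow(ANY_NETWORK, ANY_NETWORK, frozenset(), "any", 5)
    print(post_process(wide_open))
```

Two consequences of the ordering are worth noticing in the trace. A Review zone floor (26) followed by a plaintext port still ends at 36, because the penalty is added even when the floor did nothing. And a raw score of 95 with port 80 would reach 105 before stage 3, which is why the example clamps to 100 at the end; the page states 100 as the maximum but does not say where that cap lives, so treat the clamp as an assumption.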