Configure Scanning Threat Detection - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
Chapter 18
Threat Detection
The rate-interval keyword sets the size of the history monitoring window, between 1 and 1440 minutes.
The default is 30 minutes. During this interval, the ASA samples the number of attacks 30 times.
The burst-rate keyword sets the threshold for syslog message generation, between 25 and 2147483647.
The default is 400 per second. When the burst rate is exceeded, syslog message 733104 is generated.
The average-rate keyword sets the average rate threshold for syslog message generation, between 25
and 2147483647. The default is 200 per second. When the average rate is exceeded, syslog message
733105 is generated.
Note: This command is available in multiple context mode, unlike the other threat-detection commands.

Configure Scanning Threat Detection

You can configure scanning threat detection to identify attackers and optionally shun them.

Procedure

Step 1  Enable scanning threat detection.

threat-detection scanning-threat [shun [except {ip-address ip_address mask | object-group network_object_group_id}]]

Example:
hostname(config)# threat-detection scanning-threat shun except ip-address 10.1.1.0 255.255.255.0

By default, the system log message 733101 is generated when a host is identified as an attacker. Enter this command multiple times to identify multiple IP addresses or network object groups to exempt from shunning.

Step 2  (Optional) Set the duration of the shun for attacking hosts.

threat-detection scanning-threat shun duration seconds

Example:
hostname(config)# threat-detection scanning-threat shun duration 2000

Step 3  (Optional) Change the default event limit for when the ASA identifies a host as an attacker or as a target.

threat-detection rate scanning-threat rate-interval rate_interval average-rate av_rate burst-rate burst_rate

Example:
hostname(config)# threat-detection rate scanning-threat rate-interval 1200 average-rate 10 burst-rate 20
hostname(config)# threat-detection rate scanning-threat rate-interval 2400 average-rate 10 burst-rate 20
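
A way to review the effect of the Step 1 exemption list, as an added example that is not part of the Cisco guide: the Python below reads the shun except ip-address commands and tallies hosts reported as attackers in syslog 733101, flagging those that are exempt from shunning. The 733101 message layout in the regex, the function names, and all log lines are assumptions constructed for illustration; match them to your own logs.

```python
import ipaddress
import re

# Assumed layout of syslog 733101 (the page gives only the message number).
MSG_733101 = re.compile(
    r"%ASA-\d-733101: \S+ (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is (?P<role>attacking|targeted)\."
    r" Current burst rate is (?P<burst>\d+) per second")
EXCEPT_CMD = re.compile(
    r"threat-detection scanning-threat shun except ip-address (\S+) (\S+)")

def parse_exemptions(config_lines):
    """Networks named in 'shun except ip-address <ip> <mask>' commands."""
    nets = []
    for line in config_lines:
        m = EXCEPT_CMD.search(line)
        if m:
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return nets

def review_attackers(log_lines, exempt_nets):
    """Per attacker IP: 733101 event count, peak burst rate, shun exemption."""
    report = {}
    for line in log_lines:
        m = MSG_733101.search(line)
        if not m or m.group("role") != "attacking":
            continue  # other message numbers, or the host is a target
        ip = ipaddress.ip_address(m.group("ip"))
        entry = report.setdefault(str(ip), {
            "events": 0, "peak_burst": 0,
            "exempt": any(ip in net for net in exempt_nets)})
        entry["events"] += 1
        entry["peak_burst"] = max(entry["peak_burst"], int(m.group("burst")))
    return report

# Constructed sample input: the Step 1 and Step 2 example commands and made-up log lines.
CONFIG = [
    "threat-detection scanning-threat shun except ip-address 10.1.1.0 255.255.255.0",
    "threat-detection scanning-threat shun duration 2000",
]
TAIL = "; Current average rate is 12 per second, max configured rate is 10; Cumulative total count is 14400"
LOGS = [
    "%ASA-4-733101: Host 203.0.113.7 is attacking. Current burst rate is 40 per second, max configured rate is 20" + TAIL,
    "%ASA-4-733101: Host 203.0.113.7 is attacking. Current burst rate is 55 per second, max configured rate is 20" + TAIL,
    "%ASA-4-733101: Host 10.1.1.25 is attacking. Current burst rate is 31 per second, max configured rate is 20" + TAIL,
    "%ASA-4-733101: Host 192.0.2.10 is targeted. Current burst rate is 55 per second, max configured rate is 20" + TAIL,
]

if __name__ == "__main__":
    for ip, info in review_attackers(LOGS, parse_exemptions(CONFIG)).items():
        print(ip, info)
```

Hosts reported with exempt set to True were identified as attackers but fall inside an exempted network, so they are the entries to check by hand.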
Cisco ASA Series Firewall CLI Configuration Guide
Configure Threat Detection