Cisco ASDM 7 User Guide

Here you can view all the pages of the Cisco ASDM 7 User Guide manual. The Cisco manuals for Computer Equipment are available online for free. You can easily download all the documents as PDF.

Page 621

 
27-9
Cisco ASA Series Firewall ASDM Configuration Guide
 
Chapter 27      Configuring Threat Detection
  Configuring Scanning Threat Detection
Feature History for Scanning Threat Detection, page 27-11
Information About Scanning Threat Detection
A typical scanning attack consists of a host that tests the accessibility of every IP address in a subnet (by 
scanning through many hosts in the subnet or sweeping through many ports in a host or subnet). The 
scanning threat detection feature determines when a...

Page 622

 
27-10
Default Settings
Table 27-4 lists the default rate limits for scanning threat detection.
The burst rate is calculated as the average rate every N seconds, where N is the burst rate interval. The 
burst rate interval is 1/30th of the rate interval or 10 seconds, whichever is larger.
Configuring Scanning Threat Detection
Detailed Steps
Step 1 Choose the...

Page 623

 
27-11
Feature History for Scanning Threat Detection
Table 27-5 lists each feature change and the platform release in which it was implemented. ASDM is 
backwards-compatible with multiple platform releases, so the specific ASDM release in which support 
was added is not listed.
Table 27-5 Feature History for Scanning Threat Detection
Feature Name | Platform Releases...

Page 624

 
27-12

Page 625

28-1

CHAPTER 28
Using Protection Tools
This chapter describes some of the many tools available to protect your network and includes the 
following sections:
Preventing IP Spoofing, page 28-1
Configuring the Fragment Size, page 28-2
Configuring TCP Options, page 28-3
Configuring IP Audit for Basic IPS Support, page 28-5
Preventing IP Spoofing
This section lets you enable Unicast Reverse Path Forwarding on an interface. Unicast RPF guards 
against...

Page 626

 
28-2
 
Chapter 28      Using Protection Tools
  Configuring the Fragment Size
Anti-Spoofing Enabled—Shows whether an interface has Unicast RPF enabled, Yes or No.
Enable—Enables Unicast RPF for the selected interface.
Disable—Disables Unicast RPF for the selected interface.
Configuring the Fragment Size
By default, the ASA allows up to 24 fragments per IP packet, and up to 200 fragments awaiting 
reassembly. You might need to let fragments on your...

Page 627

 
28-3
  Configuring TCP Options
Timeout—Display only. Displays the number of seconds to wait for an entire fragmented packet to 
arrive. The timer starts after the first fragment of a packet arrives. If all fragments of the packet do 
not arrive by the number of seconds displayed, all fragments of the packet that were already received 
will be discarded. The default is 5 seconds.
Threshold—Display only. Displays...

Page 628

 
28-4
alters the packet to request 1200 bytes. See the “Controlling Fragmentation with the Maximum 
Transmission Unit and TCP Maximum Segment Size” section on page 11-8 for more 
information.
–Force Minimum Segment Size for TCP—Overrides the maximum segment size to be no less 
than the number of bytes you set, between 48 and any maximum number. This feature is 
disabled by default (set...

Page 629

 
28-5
Configuring IP Audit for Basic IPS Support
The IP audit feature provides basic IPS support for the ASA that does not have an AIP SSM. It supports 
a basic list of signatures, and you can configure the ASA to perform one or more actions on traffic that 
matches a signature.
This section includes the following topics:
IP Audit Policy, page 28-5
Add/Edit IP Audit...

Page 630

 
28-6
Fields
Policy Name—Sets the IP audit policy name. You cannot edit the name after you add it.
Policy Type—Sets the policy type. You cannot edit the policy type after you add it.
–Attack—Sets the policy type as attack.
–Information—Sets the policy type as informational.
Action—Sets one or more actions to take when a packet matches a signature. If you do not choose...