    26-15
    Cisco ASA Series Firewall ASDM Configuration Guide
    Chapter 26      Configuring the Botnet Traffic Filter
    Monitoring the Botnet Traffic Filter
    Botnet Traffic Filter Monitor Panes
    To monitor the Botnet Traffic Filter, see the following panes:

    Path
        Purpose

    Home > Firewall Dashboard
        Shows the Top Botnet Traffic Filter Hits, which shows reports of the top
        10 malware sites, ports, and infected hosts. This report is a snapshot of the
        data, and may not match the top 10 items since the statistics started to be
        collected. If you right-click an IP address, you can invoke the whois tool
        to learn more about the botnet site.
        Top Malware Sites—Shows top malware sites.
        Top Malware Ports—Shows top malware ports.
        Top Infected Hosts—Shows the top infected hosts.

    Monitoring > Botnet Traffic Filter > Statistics
        Shows how many connections were classified as whitelist, blacklist, and
        greylist connections, and how many connections were dropped. (The
        greylist includes addresses that are associated with multiple domain
        names, but not all of these domain names are on the blacklist.) The Details
        button shows how many packets at each threat level were classified or
        dropped.

    Monitoring > Botnet Traffic Filter > Real-time Reports
        Generates reports of the top 10 malware sites, ports, and infected hosts
        monitored. The top 10 malware-sites report includes the number of
        connections dropped, and the threat level and category of each site. This
        report is a snapshot of the data, and may not match the top 10 items since
        the statistics started to be collected.
        If you right-click a site IP address, you can invoke the whois tool to learn
        more about the malware site. Reports can be saved as a PDF file.

    Monitoring > Botnet Traffic Filter > Infected Hosts
        Generates reports about infected hosts. These reports contain detailed
        history about infected hosts, showing the correlation between infected
        hosts, visited malware sites, and malware ports. The Maximum
        Connections option shows the 20 infected hosts with the most number of
        connections. The Latest Activity option shows the 20 hosts with the most
        recent activity. The Highest Threat Level option shows the 20 hosts that
        connected to the malware sites with the highest threat level. The Subnet
        option shows up to 20 hosts within the specified subnet.
        Reports can be saved as a PDF file, as either the Current View or the
        Whole Buffer. The Whole Buffer option shows all buffered infected-hosts
        information.

    Monitoring > Botnet Traffic Filter > Updater Client
        Shows information about the updater server, including the server IP
        address, the next time the ASA will connect with the server, and the
        database version last installed.

    Monitoring > Botnet Traffic Filter > DNS Snooping
        Shows the Botnet Traffic Filter DNS snooping actual IP addresses and
        names. All inspected DNS data is included in this output, and not just
        matching names in the blacklist. DNS data from static entries are not
        included.

    Monitoring > Botnet Traffic Filter > Dynamic Database
        Shows information about the dynamic database, including when the
        dynamic database was last downloaded, the version of the database, how
        many entries the database contains, and 10 sample entries.

    Monitoring > Botnet Traffic Filter > ASP Table Hits
        Shows the Botnet Traffic Filter rules that are installed in the accelerated
        security path.

    Where to Go Next
    To configure the syslog server, see Chapter 92, “Configuring Logging,” in the general operations
    configuration guide.
    To block connections with an access rule, see Chapter 7, “Configuring Access Rules.”

    Feature History for the Botnet Traffic Filter
    Table 26-1 lists each feature change and the platform release in which it was implemented. ASDM is
    backwards-compatible with multiple platform releases, so the specific ASDM release in which support
    was added is not listed.
    Table 26-1 Feature History for the Botnet Traffic Filter

    Feature Name: Botnet Traffic Filter
    Platform Releases: 8.2(1)
    Feature Information: This feature was introduced.

    Feature Name: Automatic blocking, and blacklist category and threat level reporting.
    Platform Releases: 8.2(2)
    Feature Information: The Botnet Traffic Filter now supports automatic blocking
    of blacklisted traffic based on the threat level. You can also view the category
    and threat level of malware sites in statistics and reports.
    The 1 hour timeout for reports for top hosts was removed; there is now no timeout.
    The following screens were introduced or modified: Configuration > Firewall >
    Botnet Traffic Filter > Traffic Settings, and Monitoring > Botnet Traffic Filter >
    Infected Hosts.
    Chapter 27
    Configuring Threat Detection
    This chapter describes how to configure threat detection statistics and scanning threat detection and 
    includes the following sections:
    Information About Threat Detection, page 27-1
    Licensing Requirements for Threat Detection, page 27-1
    Configuring Basic Threat Detection Statistics, page 27-2
    Configuring Advanced Threat Detection Statistics, page 27-5
    Configuring Scanning Threat Detection, page 27-8
    Information About Threat Detection
    The threat detection feature consists of the following elements:
    Different levels of statistics gathering for various threats.
    Threat detection statistics can help you manage threats to your ASA; for example, if you enable 
    scanning threat detection, then viewing statistics can help you analyze the threat. You can configure 
    two types of threat detection statistics:
    – Basic threat detection statistics—Includes information about attack activity for the system as a
      whole. Basic threat detection statistics are enabled by default and have no performance impact.
    – Advanced threat detection statistics—Tracks activity at an object level, so the ASA can report
      activity for individual hosts, ports, protocols, or ACLs. Advanced threat detection statistics can
      have a major performance impact, depending on the statistics gathered, so only the ACL
      statistics are enabled by default.
    Scanning threat detection, which determines when a host is performing a scan.
    You can optionally shun any hosts determined to be a scanning threat.
    Licensing Requirements for Threat Detection
    The following table shows the licensing requirements for this feature:

    Model           License Requirement
    All models      Base License.

    Configuring Basic Threat Detection Statistics
    Configuring Basic Threat Detection Statistics
    Basic threat detection statistics include activity that might be related to an attack, such as a DoS attack.
    This section includes the following topics:
    Information About Basic Threat Detection Statistics, page 27-2
    Guidelines and Limitations, page 27-3
    Default Settings, page 27-3
    Configuring Basic Threat Detection Statistics, page 27-4
    Monitoring Basic Threat Detection Statistics, page 27-4
    Feature History for Basic Threat Detection Statistics, page 27-5
    Information About Basic Threat Detection Statistics
    Using basic threat detection statistics, the ASA monitors the rate of dropped packets and security events 
    due to the following reasons:
    Denial by ACLs
    Bad packet format (such as invalid-ip-header or invalid-tcp-hdr-length)
    Connection limits exceeded (both system-wide resource limits, and limits set in the configuration)
    DoS attack detected (such as an invalid SPI, Stateful Firewall check failure)
    Basic firewall checks failed (This option is a combined rate that includes all firewall-related packet 
    drops in this bulleted list. It does not include non-firewall-related drops such as interface overload, 
    packets failed at application inspection, and scanning attack detected.)
    Suspicious ICMP packets detected
    Packets failed application inspection
    Interface overload
    Scanning attack detected (This option monitors scanning attacks; for example, the first TCP packet 
    is not a SYN packet, or the TCP connection failed the 3-way handshake. Full scanning threat 
    detection (see the “Configuring Scanning Threat Detection” section on page 27-8) takes this 
    scanning attack rate information and acts on it by classifying hosts as attackers and automatically 
    shunning them, for example.)
    Incomplete session detection such as TCP SYN attack detected or no data UDP session attack 
    detected
    When the ASA detects a threat, it immediately sends a system log message (733100). The ASA tracks 
    two types of rates: the average event rate over an interval, and the burst event rate over a shorter burst 
    interval. The burst rate interval is 1/30th of the average rate interval or 10 seconds, whichever is higher. 
    For each received event, the ASA checks the average and burst rate limits; if both rates are exceeded, 
    then the ASA sends two separate system messages, with a maximum of one message for each rate type 
    per burst period.
    Basic threat detection affects performance only when there are drops or potential threats; even in this
    scenario, the performance impact is insignificant.
    Guidelines and Limitations
    This section includes the guidelines and limitations for this feature:
    Security Context Guidelines
    Supported in single mode only. Multiple mode is not supported.
    Firewall Mode Guidelines
    Supported in routed and transparent firewall mode.
    Types of Traffic Monitored
    Only through-the-box traffic is monitored; to-the-box traffic is not included in threat detection.
    Default Settings
    Basic threat detection statistics are enabled by default.
    Table 27-1 lists the default settings. You can view all these default settings using the show 
    running-config all threat-detection command in Tools > Command Line Interface.
    Table 27-1 Basic Threat Detection Default Settings

    Each packet drop reason has two trigger settings: an average rate over a 600 second
    interval paired with a burst rate over a 20 second period, and an average rate over a
    3600 second interval paired with a burst rate over a 120 second period.

    DoS attack detected
    Bad packet format
    Connection limits exceeded
    Suspicious ICMP packets detected
        Average Rate: 100 drops/sec over the last 600 seconds.
        Burst Rate:   400 drops/sec over the last 20 second period.
        Average Rate: 80 drops/sec over the last 3600 seconds.
        Burst Rate:   320 drops/sec over the last 120 second period.

    Scanning attack detected
        Average Rate: 5 drops/sec over the last 600 seconds.
        Burst Rate:   10 drops/sec over the last 20 second period.
        Average Rate: 4 drops/sec over the last 3600 seconds.
        Burst Rate:   8 drops/sec over the last 120 second period.

    Incomplete session detected such as TCP SYN attack detected or no data UDP
    session attack detected (combined)
        Average Rate: 100 drops/sec over the last 600 seconds.
        Burst Rate:   200 drops/sec over the last 20 second period.
        Average Rate: 80 drops/sec over the last 3600 seconds.
        Burst Rate:   160 drops/sec over the last 120 second period.

    Denial by ACLs
        Average Rate: 400 drops/sec over the last 600 seconds.
        Burst Rate:   800 drops/sec over the last 20 second period.
        Average Rate: 320 drops/sec over the last 3600 seconds.
        Burst Rate:   640 drops/sec over the last 120 second period.

    Basic firewall checks failed
    Packets failed application inspection
        Average Rate: 400 drops/sec over the last 600 seconds.
        Burst Rate:   1600 drops/sec over the last 20 second period.
        Average Rate: 320 drops/sec over the last 3600 seconds.
        Burst Rate:   1280 drops/sec over the last 120 second period.

    Interface overload
        Average Rate: 2000 drops/sec over the last 600 seconds.
        Burst Rate:   8000 drops/sec over the last 20 second period.
        Average Rate: 1600 drops/sec over the last 3600 seconds.
        Burst Rate:   6400 drops/sec over the last 120 second period.

    Configuring Basic Threat Detection Statistics
    This section describes how to configure basic threat detection statistics, including enabling or disabling
    it and changing the default limits.
    Detailed Steps
    Step 1  To enable or disable basic threat detection, choose the Configuration > Firewall > Threat Detection
            pane, and check the Enable Basic Threat Detection check box.
    Step 2  Click Apply.

    Monitoring Basic Threat Detection Statistics
    To monitor basic threat detection statistics, perform the following task:

    Path
        Purpose
    Home > Firewall Dashboard > Traffic Overview
        Displays basic threat detection statistics.
        For a description of each event type, see the “Information About Basic
        Threat Detection Statistics” section on page 27-2.
    Feature History for Basic Threat Detection Statistics
    Table 27-2 lists each feature change and the platform release in which it was implemented. ASDM is
    backwards-compatible with multiple platform releases, so the specific ASDM release in which support
    was added is not listed.

    Table 27-2 Feature History for Basic Threat Detection Statistics

    Feature Name: Basic threat detection statistics
    Platform Releases: 8.0(2)
    Feature Information: Basic threat detection statistics were introduced.
    The following screens were introduced: Configuration > Firewall > Threat Detection,
    Home > Firewall Dashboard > Traffic Overview.

    Feature Name: Burst rate interval changed to 1/30th of the average rate.
    Platform Releases: 8.2(1)
    Feature Information: In earlier releases, the burst rate interval was 1/60th of the
    average rate. To maximize memory usage, the sampling interval was reduced to 30
    times during the average rate.

    Feature Name: Improved memory usage
    Platform Releases: 8.3(1)
    Feature Information: The memory usage for threat detection was improved.

    Configuring Advanced Threat Detection Statistics
    You can configure the ASA to collect extensive statistics. This section includes the following topics:
    Information About Advanced Threat Detection Statistics, page 27-5
    Guidelines and Limitations, page 27-5
    Default Settings, page 27-6
    Configuring Advanced Threat Detection Statistics, page 27-6
    Monitoring Advanced Threat Detection Statistics, page 27-7
    Feature History for Advanced Threat Detection Statistics, page 27-8
    Information About Advanced Threat Detection Statistics
    Advanced threat detection statistics show both allowed and dropped traffic rates for individual objects
    such as hosts, ports, protocols, or ACLs.
    Caution  Enabling advanced statistics can affect the ASA performance, depending on the type of statistics
    enabled. Enabling host statistics affects performance in a significant way; if you have a high traffic load,
    you might consider enabling this type of statistics temporarily. Port statistics, however, have a modest
    impact.
    Guidelines and Limitations
    This section includes the guidelines and limitations for this feature:
    Security Context Guidelines
    Only TCP Intercept statistics are available in multiple mode.
    Firewall Mode Guidelines
    Supported in routed and transparent firewall mode.
    Types of Traffic Monitored
    Only through-the-box traffic is monitored; to-the-box traffic is not included in threat detection.
    Default Settings
    By default, statistics for ACLs are enabled.
    Configuring Advanced Threat Detection Statistics
    By default, statistics for ACLs are enabled. To enable other statistics, perform the following steps.
    Detailed Steps
    Step 1  Choose the Configuration > Firewall > Threat Detection pane.
    Step 2  In the Scanning Threat Statistics area, choose one of the following options:
        Enable all statistics—Click the Enable All Statistics radio button.
        Disable all statistics—Click the Disable All Statistics radio button.
        Enable only certain statistics—Click the Enable Only Following Statistics radio button.
    Step 3  If you chose to Enable Only Following Statistics, then check one or more of the following check boxes:
        Hosts—Enables host statistics. The host statistics accumulate for as long as the host is active and in
        the scanning threat host database. The host is deleted from the database (and the statistics cleared)
        after 10 minutes of inactivity.
        Access Rules (enabled by default)—Enables statistics for access rules.
        Port—Enables statistics for TCP and UDP ports.
        Protocol—Enables statistics for non-TCP/UDP IP protocols.
        TCP-Intercept—Enables statistics for attacks intercepted by TCP Intercept (see the “Configuring
        Connection Settings” section on page 22-8 to enable TCP Intercept).
    Step 4  For host, port, and protocol statistics, you can change the number of rate intervals collected. In the Rate
            Intervals area, choose 1 hour, 1 and 8 hours, or 1, 8 and 24 hours for each statistics type. The default
            interval is 1 hour, which keeps the memory usage low.
    Step 5  For TCP Intercept statistics, you can set the following options in the TCP Intercept Threat Detection
            area:
        Monitoring Window Size—Sets the size of the history monitoring window, between 1 and 1440
        minutes. The default is 30 minutes. The ASA samples the number of attacks 30 times during the rate
        interval, so for the default 30 minute period, statistics are collected every 60 seconds.
        Burst Threshold Rate—Sets the threshold for syslog message generation, between 25 and
        2147483647. The default is 400 per second. When the burst rate is exceeded, syslog message 733104
        is generated.
        Average Threshold Rate—Sets the average rate threshold for syslog message generation, between
        25 and 2147483647. The default is 200 per second. When the average rate is exceeded, syslog
        message 733105 is generated.
        Click Set Default to restore the default values.
    Step 6  Click Apply.
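The rate model behind both the basic threat detection thresholds (“Information About Basic Threat Detection Statistics”, Table 27-1, syslog 733100) and the TCP Intercept thresholds in Step 5 above (syslog 733104 and 733105) is the same: a rate over a window, a burst window of 1/30th of the average window (10 seconds minimum), and at most one message per rate type per burst period. The following Python model is an added example written for this page, not Cisco's code; the sample drop counts are constructed, and the sliding-window arithmetic is one reading of the page's description rather than the ASA's actual implementation.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class RateLimit:
    """Thresholds for one drop or attack reason; rates are events per second."""
    avg_rate: int       # average-rate threshold
    avg_interval: int   # length of the average-rate window, in seconds
    burst_rate: int     # burst-rate threshold
    avg_msg: int        # syslog id sent when the average rate is exceeded
    burst_msg: int      # syslog id sent when the burst rate is exceeded

    @property
    def burst_interval(self) -> int:
        # Page rule: 1/30th of the average rate interval or 10 seconds, whichever is higher.
        return max(self.avg_interval // 30, 10)


# Table 27-1 default for "DoS attack detected" (first interval pair):
# 100 drops/sec over 600 seconds, 400 drops/sec over a 20 second burst period, syslog 733100.
DOS_DEFAULT = RateLimit(avg_rate=100, avg_interval=600, burst_rate=400,
                        avg_msg=733100, burst_msg=733100)

# TCP Intercept defaults from Step 5: 30 minute window, average 200/sec (733105),
# burst 400/sec (733104); 1800 s / 30 gives the 60 second sampling period the page states.
TCP_INTERCEPT_DEFAULT = RateLimit(avg_rate=200, avg_interval=30 * 60, burst_rate=400,
                                  avg_msg=733105, burst_msg=733104)


def evaluate(samples, limit):
    """Replay (timestamp_seconds, event_count) samples, ascending in time.

    Each sample re-evaluates the average and burst rates over their windows
    (t - interval, t]. A syslog id is emitted when a rate exceeds its threshold,
    at most once per rate type per burst interval (the page's "one message for
    each rate type per burst period"). Returns [(timestamp, rate_type, syslog_id)].
    """
    windows = {"average": (deque(), limit.avg_interval),
               "burst": (deque(), limit.burst_interval)}
    sums = {"average": 0, "burst": 0}
    thresholds = {"average": (limit.avg_rate, limit.avg_msg),
                  "burst": (limit.burst_rate, limit.burst_msg)}
    last_sent = {"average": None, "burst": None}
    messages = []
    for t, count in samples:
        for kind, (win, interval) in windows.items():
            win.append((t, count))
            sums[kind] += count
            # age out samples that fell outside (t - interval, t]
            while win and win[0][0] <= t - interval:
                sums[kind] -= win.popleft()[1]
            rate = sums[kind] / interval
            threshold, msg_id = thresholds[kind]
            quiet = last_sent[kind] is not None and t - last_sent[kind] < limit.burst_interval
            if rate > threshold and not quiet:
                messages.append((t, kind, msg_id))
                last_sent[kind] = t
    return messages


def dos_burst_samples():
    # Constructed input: 500 dropped packets in each of 20 consecutive seconds.
    # Burst rate passes 400/sec at t=16 (17 x 500 / 20 = 425); average stays below 100/sec.
    return [(t, 500) for t in range(20)]


def tcp_intercept_sustained_samples():
    # Constructed input: 30 one-minute samples of 15000 intercepted attacks each (250/sec).
    # Average passes 200/sec once 25 samples sit in the 30 minute window; burst never does.
    return [(minute * 60, 15000) for minute in range(30)]
```

Once the average threshold is crossed, a sustained attack re-triggers the average message once per burst interval (every 60 seconds for the TCP Intercept defaults), which is the cadence a SIEM correlation rule should expect rather than a single alert.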
    Monitoring Advanced Threat Detection Statistics
    To monitor advanced threat detection statistics, perform one of the following tasks:

    Path
        Purpose
    Home > Firewall Dashboard > Top 10 Access Rules
    Home > Firewall Dashboard > Top Usage Statistics
        Displays the top 10 statistics.
        For the Top 10 Access Rules, permitted and denied traffic are not
        differentiated in this display. In the Traffic Overview > Dropped Packets
        Rate graph, you can track ACL denies.
        The Top 10 Sources and Top 10 Destinations tabs show statistics for hosts.
        Note: Due to the threat detection algorithm, an interface used as a
        combination failover and state link could appear in the top 10 hosts; this
        is expected behavior, and you can ignore this IP address in the display.
        The Top 10 Services tab shows statistics for both ports and protocols (both
        must be enabled for the display), and shows the combined statistics of
        TCP/UDP port and IP protocol types. TCP (protocol 6) and UDP
        (protocol 17) are not included in the display for IP protocols; TCP and
        UDP ports are, however, included in the display for ports. If you only
        enable statistics for one of these types, port or protocol, then you will only
        view the enabled statistics.
        The Top Ten Protected Servers under SYN Attack area shows the TCP
        Intercept statistics. The display includes the top 10 protected servers
        under attack. The detail button shows history sampling data. The ASA
        samples the number of attacks 30 times during the rate interval, so for the
        default 30 minute period, statistics are collected every 60 seconds.
        From the Interval drop-down list, choose Last 1 hour, Last 8 hour, or
        Last 24 hour.
    Feature History for Advanced Threat Detection Statistics
    Table 27-3 lists each feature change and the platform release in which it was implemented. ASDM is
    backwards-compatible with multiple platform releases, so the specific ASDM release in which support
    was added is not listed.

    Table 27-3 Feature History for Advanced Threat Detection Statistics

    Feature Name: Advanced threat detection statistics
    Platform Releases: 8.0(2)
    Feature Information: Advanced threat detection statistics were introduced.
    The following screens were introduced: Configuration > Firewall > Threat Detection,
    Home > Firewall Dashboard > Top 10 Access Rules, Home > Firewall Dashboard > Top
    Usage Status, Home > Firewall Dashboard > Top 10 Protected Servers Under SYN Attack.

    Feature Name: TCP Intercept statistics
    Platform Releases: 8.0(4)/8.1(2)
    Feature Information: TCP Intercept statistics were introduced.
    The following screens were introduced or modified: Configuration > Firewall > Threat
    Detection, Home > Firewall Dashboard > Top 10 Protected Servers Under SYN Attack.

    Feature Name: Customize host statistics rate intervals
    Platform Releases: 8.1(2)
    Feature Information: You can now customize the number of rate intervals for which
    statistics are collected. The default number of rates was changed from 3 to 1.
    The following screen was modified: Configuration > Firewall > Threat Detection.

    Feature Name: Burst rate interval changed to 1/30th of the average rate.
    Platform Releases: 8.2(1)
    Feature Information: In earlier releases, the burst rate interval was 1/60th of the
    average rate. To maximize memory usage, the sampling interval was reduced to 30 times
    during the average rate.

    Feature Name: Customize port and protocol statistics rate intervals
    Platform Releases: 8.3(1)
    Feature Information: You can now customize the number of rate intervals for which
    statistics are collected. The default number of rates was changed from 3 to 1.
    The following screen was modified: Configuration > Firewall > Threat Detection.

    Feature Name: Improved memory usage
    Platform Releases: 8.3(1)
    Feature Information: The memory usage for threat detection was improved.

    Configuring Scanning Threat Detection
    This section includes the following topics:
    Information About Scanning Threat Detection, page 27-9
    Guidelines and Limitations, page 27-9
    Default Settings, page 27-10
    Configuring Scanning Threat Detection, page 27-10