26-13
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 26 Configuring the Botnet Traffic Filter
Configuring the Botnet Traffic Filter
Recommended Configuration
Although DNS snooping is not required, we recommend configuring DNS snooping for maximum use
of the Botnet Traffic Filter (see the “Enabling DNS Snooping” section on page 26-10). Without DNS
snooping for the dynamic database, the Botnet Traffic Filter uses only the static database entries, plus
any IP addresses in the dynamic database; domain names in the dynamic database are not used.
We recommend enabling the Botnet Traffic Filter on all traffic on the Internet-facing interface, and
enabling dropping of traffic with a severity of moderate and higher. See the “Examples” section for the
recommended commands used for this configuration.
Detailed Steps
Command Purpose
Step 1
(Optional)
access-list access_list_name extended
{deny | permit} protocol source_address
mask [operator port] dest_address mask
[operator port]
Example:
ciscoasa(config)# access-list
dynamic-filter_acl extended permit tcp any
any eq 80
ciscoasa(config)# access-list
dynamic-filter_acl_subset extended permit
tcp 10.1.1.0 255.255.255.0 any eq 80
Identifies the traffic that you want to monitor or drop. If you do
not create an ACL for monitoring, by default you monitor all
traffic. You can optionally use an ACL to identify a subset of
monitored traffic that you want to drop; be sure the ACL is a
subset of the monitoring ACL. See Chapter 19, “Adding an
Extended Access Control List,” in the general operations
configuration guide for more information about creating an ACL.
Step 2
dynamic-filter enable [interface name]
[classify-list access_list]
Example:
ciscoasa(config)# dynamic-filter enable
interface outside classify-list
dynamic-filter_acl
Enables the Botnet Traffic Filter; without any options, this
command monitors all traffic.
We recommend enabling the Botnet Traffic Filter on all traffic on
the Internet-facing interface using the interface keyword.
You can optionally limit monitoring to specific traffic by using the
classify-list keyword with an ACL.
You can enter this command one time for each interface and one
time for the global policy (where you do not specify the interface
keyword). Each interface and global command can have an
optional classify-list keyword. Any interface-specific commands
take precedence over the global command.