27-3
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 27 Configuring Threat Detection
Configuring Basic Threat Detection Statistics
For each received event, the ASA checks the average and burst rate limits; if both rates are exceeded,
then the ASA sends two separate system messages, with a maximum of one message for each rate type
per burst period.
Basic threat detection affects performance only when there are drops or potential threats; even in this
scenario, the performance impact is insignificant.
Guidelines and Limitations
This section includes the guidelines and limitations for this feature:
Security Context Guidelines
Supported in single mode only. Multiple mode is not supported.
Firewall Mode Guidelines
Supported in routed and transparent firewall mode.
Types of Traffic Monitored
Only through-the-box traffic is monitored; to-the-box traffic is not included in threat detection.
Default Settings
Basic threat detection statistics are enabled by default.
Table 27-1 lists the default settings. You can view all these default settings using the show
running-config all threat-detection command.
Table 27-1 Basic Threat Detection Default Settings
Packet Drop Reason
Trigger Settings
Average Rate Burst Rate
• DoS attack detected
• Bad packet format
• Connection limits exceeded
• Suspicious ICMP packets
detected
100 drops/sec over the last 600
seconds.
400 drops/sec over the last 20
second period.
80 drops/sec over the last 3600
seconds.
320 drops/sec over the last 120
second period.
Scanning attack detected 5 drops/sec over the last 600
seconds.
10 drops/sec over the last 20
second period.
4 drops/sec over the last 3600
seconds.
8 drops/sec over the last 120
second period.
Incomplete session detected such as
TCP SYN attack detected or no data
UDP session attack detected
(combined)
100 drops/sec over the last 600
seconds.
200 drops/sec over the last 20
second period.
80 drops/sec over the last 3600
seconds.
160 drops/sec over the last 120
second period.