Cisco Systems ASA 5540 Network Router User Manual


  Open as PDF
of 2086
 
59-7
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 59 Configuring the Botnet Traffic Filter
Default Settings
IPv6 Guidelines
Does not support IPv6.
Additional Guidelines and Limitations
TCP DNS traffic is not supported.
You can add up to 1000 blacklist entries and 1000 whitelist entries in the static database.
Default Settings
By default, the Botnet Traffic Filter is disabled, as is use of the dynamic database.
For DNS inspection, which is enabled by default, Botnet Traffic Filter snooping is disabled by default.
Configuring the Botnet Traffic Filter
This section includes the following topics:
Task Flow for Configuring the Botnet Traffic Filter, page 59-7
Configuring the Dynamic Database, page 59-8
Enabling DNS Snooping, page 59-10
Adding Entries to the Static Database, page 59-9
Enabling Traffic Classification and Actions for the Botnet Traffic Filter, page 59-11
Blocking Botnet Traffic Manually, page 59-13
Searching the Dynamic Database, page 59-14
Task Flow for Configuring the Botnet Traffic Filter
To configure the Botnet Traffic Filter, perform the following steps:
Step 1 Enable use of the dynamic database. See the “Configuring the Dynamic Database” section on page 59-8.
This procedure enables database updates from the Cisco update server, and also enables use of the
downloaded dynamic database by the ASA. Disallowing use of the downloaded database is useful in
multiple context mode so you can configure use of the database on a per-context basis.
Step 2 (Optional) Add static entries to the database. See the “Adding Entries to the Static Database” section on
page 59-9.
This procedure lets you augment the dynamic database with domain names or IP addresses that you want
to blacklist or whitelist. You might want to use the static database instead of the dynamic database if you
do not want to download the dynamic database over the Internet.
Step 3 Enable DNS snooping. See the “Enabling DNS Snooping” section on page 59-10.
This procedure enables inspection of DNS packets, compares the domain name with those in the
dynamic database or the static database (when a DNS server for the ASA is unavailable), and adds the
name and IP address to the DNS reverse lookup cache. This cache is then used by the Botnet Traffic
Filter when connections are made to the suspicious address.