Filter
Top Products
26-20
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 26 Configuring the Botnet Traffic Filter
Configuration Examples for the Botnet Traffic Filter
ciscoasa(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoop
ciscoasa(config-pmap-c)# service-policy dynamic-filter_snoop_policy interface outside
ciscoasa(config)# dynamic-filter enable interface outside
ciscoasa(config)# dynamic-filter drop blacklist interface outside
The following recommended example configuration for multiple context mode enables the Botnet
Traffic Filter for two contexts:
Example 26-2 Multiple Mode Botnet Traffic Filter Recommended Example
ciscoasa(config)# dynamic-filter updater-client enable
ciscoasa(config)# changeto context context1
ciscoasa/context1(config)# dynamic-filter use-database
ciscoasa/context1(config)# class-map dynamic-filter_snoop_class
ciscoasa/context1(config-cmap)# match port udp eq domain
ciscoasa/context1(config-cmap)# policy-map dynamic-filter_snoop_policy
ciscoasa/context1(config-pmap)# class dynamic-filter_snoop_class
ciscoasa/context1(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoop
ciscoasa/context1(config-pmap-c)# service-policy dynamic-filter_snoop_policy interface
outside
ciscoasa/context1(config)# dynamic-filter enable interface outside
ciscoasa/context1(config)# dynamic-filter drop blacklist interface outside
ciscoasa/context1(config)# changeto context context2
ciscoasa/context2(config)# dynamic-filter use-database
ciscoasa/context2(config)# class-map dynamic-filter_snoop_class
ciscoasa/context2(config-cmap)# match port udp eq domain
ciscoasa/context2(config-cmap)# policy-map dynamic-filter_snoop_policy
ciscoasa/context2(config-pmap)# class dynamic-filter_snoop_class
ciscoasa/context2(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoop
ciscoasa/context2(config-pmap-c)# service-policy dynamic-filter_snoop_policy interface
outside
ciscoasa/context2(config)# dynamic-filter enable interface outside
ciscoasa/context2(config)# dynamic-filter drop blacklist interface outside
Other Configuration Examples
The following sample configuration adds static entries are to the blacklist and to the whitelist. Then, it
monitors all port 80 traffic on the outside interface, and drops blacklisted traffic. It also treats greylist
addresses as blacklisted addresses.
ciscoasa(config)# dynamic-filter updater-client enable
ciscoasa(config)# changeto context context1
ciscoasa/context1(config)# dynamic-filter use-database
ciscoasa/context1(config)# class-map dynamic-filter_snoop_class
ciscoasa/context1(config-cmap)# match port udp eq domain
ciscoasa/context1(config-cmap)# policy-map dynamic-filter_snoop_policy
ciscoasa/context1(config-pmap)# class dynamic-filter_snoop_class
ciscoasa/context1(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoop
ciscoasa/context1(config-pmap-c)# service-policy dynamic-filter_snoop_policy interface
outside
ciscoasa/context1(config-pmap-c)# dynamic-filter blacklist
ciscoasa/context1(config-llist)# name bad1.example.com
ciscoasa/context1(config-llist)# name bad2.example.com