Cisco Systems ASA 5580 Webcam User Manual


 
26-11
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 26 Configuring the Botnet Traffic Filter
Configuring the Botnet Traffic Filter
When an address matches, the ASA sends a syslog message. The only additional action currently
available is to drop the connection.
Prerequisites
In multiple context mode, perform this procedure in the context execution space.
Recommended Configuration
Although DNS snooping is not required, we recommend configuring DNS snooping for maximum use
of the Botnet Traffic Filter (see the “Enabling DNS Snooping” section on page 26-9). Without DNS
snooping for the dynamic database, the Botnet Traffic Filter uses only the static database entries, plus
any IP addresses in the dynamic database; domain names in the dynamic database are not used.
We recommend enabling the Botnet Traffic Filter on all traffic on the Internet-facing interface, and
enabling dropping of traffic with a severity of moderate and higher.
Detailed Steps
Step 1 Choose the Configuration > Firewall > Botnet Traffic Filter > Traffic Settings pane.
Step 2 To enable the Botnet Traffic Filter on specified traffic, perform the following steps:
a. In the Traffic Classification area, check the Traffic Classified check box for each interface on which
you want to enable the Botnet Traffic Filter.
You can configure a global classification that applies to all interfaces by checking the Traffic
Classified check box for Global (All Interfaces). If you configure an interface-specific
classification, the settings for that interface overrides the global setting.
b. For each interface, from the ACL Used drop-down list choose either --ALL TRAFFIC-- (the
default), or any ACL configured on the ASA.
For example, you might want to monitor all port 80 traffic on the outside interface.
To add or edit ACLs, click Manage ACL to bring up the ACL Manager. See the “Adding ACLs and
ACEs” section on page 21-2 in the general operations configuration guide for more information.
Step 3 (Optional) To treat greylisted traffic as blacklisted traffic for action purposes, in the Ambiguous Traffic
Handling area, check the Treat ambiguous (greylisted) traffic as malicious (blacklisted) traffic check
box.
If you do not enable this option, greylisted traffic will not be dropped if you configure a rule in the
Blacklisted Traffic Actions area. See the “Botnet Traffic Filter Address Types” section on page 26-2 for
more information about the greylist.
Step 4 (Optional) To automatically drop malware traffic, perform the following steps.
To manually drop traffic, see the “Blocking Botnet Traffic Manually” section on page 26-12.
a. In the Blacklisted Traffic Actions area, click Add.
The Add Blacklisted Traffic Action dialog box appears.
b. From the Interface drop-down list, choose the interface on which you want to drop traffic. Only
interfaces on which you enabled Botnet Traffic Filter traffic classification are available.
c. In the Threat Level area, choose one of the following options to drop traffic specific threat levels.
The default level is a range between Moderate and Very High.