Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 27 Configuring Threat Detection
Configuring Advanced Threat Detection Statistics
Security Context Guidelines
Only TCP Intercept statistics are available in multiple mode.
Firewall Mode Guidelines
Supported in routed and transparent firewall mode.
Types of Traffic Monitored
Only through-the-box traffic is monitored; to-the-box traffic is not included in threat detection.
Default Settings
By default, statistics for ACLs are enabled.
Configuring Advanced Threat Detection Statistics
By default, statistics for ACLs are enabled. To enable other statistics, perform the following steps.
Detailed Steps
Step 1 Choose the Configuration > Firewall > Threat Detection pane.
Step 2 In the Scanning Threat Statistics area, choose one of the following options:
• Enable all statistics—Click the Enable All Statistics radio button.
• Disable all statistics—Click the Disable All Statistics radio button.
• Enable only certain statistics—Click the Enable Only Following Statistics radio button.
Step 3 If you chose Enable Only Following Statistics, check one or more of the following check boxes:
• Hosts—Enables host statistics. The host statistics accumulate for as long as the host is active and in the scanning threat host database. The host is deleted from the database (and the statistics cleared) after 10 minutes of inactivity.
• Access Rules (enabled by default)—Enables statistics for access rules.
• Port—Enables statistics for TCP and UDP ports.
• Protocol—Enables statistics for non-TCP/UDP IP protocols.
• TCP-Intercept—Enables statistics for attacks intercepted by TCP Intercept (see the “Configuring Connection Settings” section on page 22-8 to enable TCP Intercept).
Step 4 For host, port, and protocol statistics, you can change the number of rate intervals collected. In the Rate Intervals area, choose 1 hour, 1 and 8 hours, or 1, 8 and 24 hours for each statistics type. The default interval is 1 hour, which keeps the memory usage low.
Step 5 For TCP Intercept statistics, you can set the following options in the TCP Intercept Threat Detection area:
• Monitoring Window Size—Sets the size of the history monitoring window, between 1 and 1440 minutes. The default is 30 minutes. The ASA samples the number of attacks 30 times during the rate interval, so for the default 30-minute period, statistics are collected every 60 seconds.
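To check the result of Steps 2 through 5 offline, the following added example (not part of the Cisco guide) parses the `threat-detection statistics` lines of a saved running configuration and reports which statistics types are enabled, their rate intervals, and the TCP Intercept sampling period. It assumes the CLI form of these settings (`number-of-rate 1|2|3` and `rate-interval <minutes>`); the sample configuration and the `audit` function are constructed for illustration.

```python
import re

# Constructed sample: threat-detection lines from a hypothetical ASA running config.
SAMPLE_CONFIG = """\
threat-detection basic-threat
threat-detection statistics host number-of-rate 2
threat-detection statistics port
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 45 burst-rate 400 average-rate 200
"""

ALL_TYPES = ("host", "access-list", "port", "protocol", "tcp-intercept")
RATE_LABELS = {1: "1 hour", 2: "1 and 8 hours", 3: "1, 8 and 24 hours"}
LINE_RE = re.compile(r"^(no\s+)?threat-detection statistics(?:\s+(\S+)(.*))?$")

def audit(config_text):
    """Map each enabled statistics type to the settings described in Steps 2-5."""
    enabled = {"access-list": {}}  # access rule statistics are on by default
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        negated, kind, rest = bool(m.group(1)), m.group(2), m.group(3) or ""
        # A bare "threat-detection statistics" line covers every type.
        for k in (ALL_TYPES if kind is None else (kind,)):
            if k not in ALL_TYPES:
                continue
            if negated:
                enabled.pop(k, None)
                continue
            opts = enabled.setdefault(k, {})
            if k in ("host", "port", "protocol"):
                n = re.search(r"number-of-rate\s+([1-3])\b", rest)
                opts["rate_intervals"] = RATE_LABELS[int(n.group(1)) if n else 1]
            elif k == "tcp-intercept":
                w = re.search(r"rate-interval\s+(\d+)", rest)
                window = int(w.group(1)) if w else 30  # default window: 30 minutes
                if not 1 <= window <= 1440:
                    raise ValueError(f"window {window} is outside 1-1440 minutes")
                opts["window_minutes"] = window
                # 30 samples per window, so 30 minutes gives one sample per 60 s.
                opts["sample_every_seconds"] = window * 60 / 30
    return enabled

if __name__ == "__main__":
    for kind, opts in audit(SAMPLE_CONFIG).items():
        print(kind, opts)
```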