27-4
Cisco ASDM User Guide
OL-16647-01
Chapter 27 Configuring Advanced Firewall Protection
Configuring Threat Detection
Caution The scanning threat detection feature can significantly affect security appliance performance and memory
while it creates and gathers host- and subnet-based data structures and information.
To configure scanning threat detection, perform the following steps:
Step 1 To enable scanning threat detection, on the Configuration > Firewall > Threat Detection pane, click the
Enable Scanning Threat Detection check box.
By default, the system log message 730101 is generated when a host is identified as an attacker.
The security appliance identifies a host as an attacker or as a target if the scanning threat rate is exceeded.
The security appliance tracks two types of rates: the average event rate over an interval, and the burst
event rate over a shorter burst interval. The burst interval is 1/60th of the average rate interval or 10
seconds, whichever is higher. For each event detected that is considered to be part of a scanning attack,
the security appliance checks the average and burst rate limits. If either rate is exceeded for traffic sent
from a host, then that host is considered to be an attacker. If either rate is exceeded for traffic received
by a host, then that host is considered to be a target.
Table 27-2 lists the default rate limits for scanning threat detection.
Step 2 (Optional) To automatically terminate a host connection when the security appliance identifies the host
as an attacker, check the Shun Hosts detected by scanning threat check box.
Step 3 (Optional) To exclude host IP addresses from being shunned, enter an address in the Networks excluded
from shun field.
You can enter multiple addresses or subnets separated by commas. To choose a network from the list of
IP address objects, click the ... button.
Step 4 (Optional) To set the duration of a shun for an attacking host, check Set Shun Duration and enter a value
between 10 and 2592000 seconds. The default length is 3600 seconds (1 hour). To restore the default
value, click Set Default.
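The attacker/target rule described in Step 1, applied with the defaults from Table 27-2, as an added Python example (not Cisco's code and not the appliance's actual implementation): it derives the burst interval from the average interval, checks both limits against constructed drop events, and classifies hosts by traffic sent versus received. It assumes "exceeded" means strictly greater than the limit and that each event is one drop; the addresses are RFC 5737 documentation addresses.

```python
from collections import defaultdict

# Default limits from Table 27-2: (average drops/sec, average interval in s, burst drops/sec).
DEFAULT_LIMITS = [(5, 600, 10), (5, 3600, 10)]

def burst_interval(average_interval):
    """Burst interval: 1/60th of the average interval or 10 s, whichever is higher."""
    return max(average_interval // 60, 10)

def rate(timestamps, now, window):
    """Events per second in the window (now - window, now]."""
    return sum(1 for t in timestamps if now - window < t <= now) / window

def exceeds(timestamps, now, limits):
    """True if any average or burst limit is exceeded (assumed: strictly greater)."""
    for avg_limit, avg_window, burst_limit in limits:
        if rate(timestamps, now, avg_window) > avg_limit:
            return True
        if rate(timestamps, now, burst_interval(avg_window)) > burst_limit:
            return True
    return False

def classify(events, now, limits=DEFAULT_LIMITS):
    """events: (timestamp, src_ip, dst_ip) drop events. Returns {host: {'attacker' and/or 'target'}}."""
    sent, received = defaultdict(list), defaultdict(list)
    for ts, src, dst in events:
        sent[src].append(ts)        # traffic sent from a host feeds the attacker check
        received[dst].append(ts)    # traffic received by a host feeds the target check
    roles = defaultdict(set)
    for host, ts_list in sent.items():
        if exceeds(ts_list, now, limits):
            roles[host].add("attacker")
    for host, ts_list in received.items():
        if exceeds(ts_list, now, limits):
            roles[host].add("target")
    return dict(roles)

def sample_events(now=1000.0):
    """Constructed drop events (RFC 5737 documentation addresses), not captured data."""
    events = []
    # One host sweeping 20 neighbours: 120 drops in the last 10 s = 12 drops/sec sent.
    for i in range(120):
        events.append((now - 10 + (i + 1) * 10 / 120, "192.0.2.10", f"198.51.100.{i % 20 + 1}"))
    # One host probed by 30 sources (5 drops each): 150 drops in 10 s = 15 drops/sec received.
    for i in range(150):
        events.append((now - 10 + (i + 1) * 10 / 150, f"203.0.113.{i % 30 + 1}", "198.51.100.200"))
    return events
```

Note that the sweeping host is flagged only as an attacker and the probed host only as a target: each individual peer stays well under both limits, which is exactly the per-host view the guide describes.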
Configuring Threat Statistics
You can configure the security appliance to collect extensive statistics. Threat detection statistics show
both allowed and dropped traffic rates. By default, statistics for access lists are enabled.
To view threat detection statistics, see the “Firewall Dashboard Tab” section on page 1-20.
Table 27-2 Default Rate Limits for Scanning Threat Detection

Average Rate                               Burst Rate
5 drops/sec over the last 600 seconds.     10 drops/sec over the last 10-second period.
5 drops/sec over the last 3600 seconds.    10 drops/sec over the last 60-second period.