topic ASA: Threat-detection scanning-threat SHUN blocking our scan tools in Network Security https://community.cisco.com/t5/network-security/asa-threat-detection-scanning-threat-shun-blocking-our-scan/m-p/4585380#M1088922 <P>Hi,</P><P>&nbsp;</P><P>I'm trying to assist a neighboring company.</P><P>They have Threat-detection scanning-threat SHUN enabled on their ASA devices.</P><P>With this enabled they are no longer able to use scanning tools like ACAS to check outside devices they monitor.</P><P>Currently I only have "Threat-detection scanning-threat" enabled on our ASA's so i cannot comment on the effects I am seeing.</P><P>This is a STIG requirement so I will have to implement it.</P><P>&nbsp;</P><P>Does anyone know a way to get around this command blocking scanning tools?</P><P>&nbsp;</P><P>Thank you</P> Mon, 04 Apr 2022 15:44:37 GMT KGrev 2022-04-04T15:44:37Z ASA: Threat-detection scanning-threat SHUN blocking our scan tools https://community.cisco.com/t5/network-security/asa-threat-detection-scanning-threat-shun-blocking-our-scan/m-p/4585380#M1088922 <P>Hi,</P><P>&nbsp;</P><P>I'm trying to assist a neighboring company.</P><P>They have Threat-detection scanning-threat SHUN enabled on their ASA devices.</P><P>With this enabled they are no longer able to use scanning tools like ACAS to check outside devices they monitor.</P><P>Currently I only have "Threat-detection scanning-threat" enabled on our ASA's so i cannot comment on the effects I am seeing.</P><P>This is a STIG requirement so I will have to implement it.</P><P>&nbsp;</P><P>Does anyone know a way to get around this command blocking scanning tools?</P><P>&nbsp;</P><P>Thank you</P> Mon, 04 Apr 2022 15:44:37 GMT https://community.cisco.com/t5/network-security/asa-threat-detection-scanning-threat-shun-blocking-our-scan/m-p/4585380#M1088922 KGrev 2022-04-04T15:44:37Z Re: ASA: Threat-detection scanning-threat SHUN blocking our scan tools https://community.cisco.com/t5/network-security/asa-threat-detection-scanning-threat-shun-blocking-our-scan/m-p/4585528#M1088935 <P>Hi,</P><P>&nbsp;</P><P>Found the answer to my question.</P><P>For anyone who is curious, cisco provides this in their setup guide:</P><P>"</P><P>In some cases, you may still want to prevent the ASA from shunning certain IPs. In order to do this, create an exception with the <STRONG>threat-detection scanning-threat shun except</STRONG> command.</P><PRE>ciscoasa(config)# <STRONG>threat-detection scanning-threat shun except ip-address 10.1.1.1 255.255.255.255</STRONG><BR />ciscoasa(config)# <STRONG>threat-detection scanning-threat shun except object-group no-shun</STRONG></PRE> Mon, 04 Apr 2022 19:20:31 GMT https://community.cisco.com/t5/network-security/asa-threat-detection-scanning-threat-shun-blocking-our-scan/m-p/4585528#M1088935 KGrev 2022-04-04T19:20:31Z