https://community.cisco.com/t5/network-security/firewall-high-cpu-utilization-due-to-spurious-traffic/m-p/5099699#M1112312 <P>Why you not use ACL applying to Outside interface direction IN allow any to real server IP(private IP) for specific ports.</P> <P>That prevent any access to server for any other udp/tcp port and also icmp (since icmp dont have l4 ports)</P> <P>For other attack you can use thread detection&nbsp;</P> <P>Where if&nbsp; asa detect tcp&nbsp; flood is reach specific number the clinet public IP will shun for specific time or forever (depending on your config)</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html</A></P> <P>Also you can use&nbsp;</P> <P>Policy map to drop connection&nbsp;</P> <P><A href="https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-c01844881" target="_blank">https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-c01844881</A></P> <P>MHM</P> Fri, 10 May 2024 11:47:36 GMT MHM Cisco World 2024-05-10T11:47:36Z https://community.cisco.com/t5/network-security/firewall-high-cpu-utilization-due-to-spurious-traffic/m-p/5099634#M1112309 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JITINKALYANI_0-1715338836848.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/218027iC4865964DFF36EFE/image-size/medium?v=v2&amp;px=400" role="button" title="JITINKALYANI_0-1715338836848.png" alt="JITINKALYANI_0-1715338836848.png" /></span></P><P><STRONG>Situation</STRONG>:-</P><UL><LI>Server Will have a private IP natted with a public IP from firewall</LI><LI>Firewall outside interface will have a public IP of same pool</LI><LI>All incoming traffic on outside interface from internet will be blocked on firewall and only Client IP address will be whitelisted</LI><LI>Client will have access to 2-3 ports on server</LI></UL><P><STRONG>Requirement:-</STRONG></P><UL><LI>How to stop open discovery of public IP of firewall or server from spammers or hackers</LI><LI>If spammers try to send spurious traffic to server or firewall, how to avoid such traffic otherwise firewall CPU utilization will increase and bandwidth might also choke</LI></UL><P><STRONG>Note – </STRONG>VPN is not an option</P> Fri, 10 May 2024 11:02:51 GMT https://community.cisco.com/t5/network-security/firewall-high-cpu-utilization-due-to-spurious-traffic/m-p/5099634#M1112309 JITINKALYANI 2024-05-10T11:02:51Z https://community.cisco.com/t5/network-security/firewall-high-cpu-utilization-due-to-spurious-traffic/m-p/5099699#M1112312 <P>Why you not use ACL applying to Outside interface direction IN allow any to real server IP(private IP) for specific ports.</P> <P>That prevent any access to server for any other udp/tcp port and also icmp (since icmp dont have l4 ports)</P> <P>For other attack you can use thread detection&nbsp;</P> <P>Where if&nbsp; asa detect tcp&nbsp; flood is reach specific number the clinet public IP will shun for specific time or forever (depending on your config)</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html</A></P> <P>Also you can use&nbsp;</P> <P>Policy map to drop connection&nbsp;</P> <P><A href="https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-c01844881" target="_blank">https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-c01844881</A></P> <P>MHM</P> Fri, 10 May 2024 11:47:36 GMT https://community.cisco.com/t5/network-security/firewall-high-cpu-utilization-due-to-spurious-traffic/m-p/5099699#M1112312 MHM Cisco World 2024-05-10T11:47:36Z https://community.cisco.com/t5/network-security/firewall-high-cpu-utilization-due-to-spurious-traffic/m-p/5101440#M1112315 <P>What you described in the "situation" section is sufficient. Just open those 2-3 ports to the server and block everything else. By default ASA/FTD doesn't send ICMP unreachable or TCP RST in response to inbound requests which are blocked by the ACL, which makes "discovery" of the firewall a bit more difficult. Also, ASA/FTD doesn't listen on any port, unless explicitly configured to do so. Don't configure any other "protection", like threat detection, unless you want to shoot yourself in the foot.</P><P>&nbsp;</P> Fri, 10 May 2024 20:34:34 GMT https://community.cisco.com/t5/network-security/firewall-high-cpu-utilization-due-to-spurious-traffic/m-p/5101440#M1112315 tvotna 2024-05-10T20:34:34Z