topic Re: Botnet Filter with multiple Context Mode in Network Security

Botnet Filter with multiple Context Mode

hwetzelwtg — Mon, 11 Mar 2019 23:57:53 GMT

We used the Botnet Filter in Single Context Mode for a long Time. Now we converted to multiple Context Mode and the Database is no longer updated. In the system Context I can See the update settings but when I try to update the result is always "no DNS server". Since the system context has no interfaces there are no DNS settings etc.

How should be the Botnet Filter configured in Multiple Context Mode?

Thanks for any response in advance.

Botnet Filter with multiple Context Mode

Jennifer Halim — Sun, 23 Sep 2012 14:35:11 GMT

Botnet filter should be configured under each context as system context is not actually a data context where the actual traffic is passing through.

Here is a sample configuration on multiple context mode:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/protect_botnet.html#wp1350582

Hope that helps.

Re: Botnet Filter with multiple Context Mode

hwetzelwtg — Sun, 23 Sep 2012 15:35:08 GMT

Thanks!

Well this I tried before too. Here the result:

dynamic-filter updater-client

can only be set in the system context. If you do so, you get a no dns server availabe response.

As described in the document you posted all other settings are made in the needed context.

Output from system context:

show dynamic-filter updater-client

Dynamic Filter updater client is enabled

Updater server URL is https://update-manifests.ironport.com

Application name: threatcast, version: 1.0

Encrypted UDI: xxxx

Last update attempted at 17:28:45 CEDT Sep 23 2012,

with result: Failed to connect to updater server

Next update is in 00:50:59

No database file

Re: Botnet Filter with multiple Context Mode

Jennifer Halim — Mon, 24 Sep 2012 13:25:49 GMT

You would need to specify the dns server in order to resolve the update server database. Have you configured the dns server on one of the context?

Re: Botnet Filter with multiple Context Mode

hwetzelwtg — Mon, 24 Sep 2012 16:02:39 GMT

Yes, all contexts have a valid DNS except admin and system context.

Re: Botnet Filter with multiple Context Mode

Jennifer Halim — Tue, 25 Sep 2012 08:58:32 GMT

From the ASA, can you please try to ping the following:

update-manifests.ironport.com

updates.ironport.com

Are you using an internal or external DNS server? and are you able to ping the DNS server?

Pls kindly share your context configuration that has the DNS server configured.

Do you also have "dns domain-lookup " configured?

Re: Botnet Filter with multiple Context Mode

hwetzelwtg — Thu, 27 Sep 2012 16:34:14 GMT

sh run | grep dns

dns domain-lookup T-COM

dns domain-lookup COLT

dns server-group DefaultDNS

policy-map type inspect dns preset_dns_map

inspect dns preset_dns_map

ping update-manifests.ironport.com

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 204.15.82.17, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 160/162/170 ms

ping updates.ironport.com

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 80.239.221.64, timeout is 2 seconds:

!!!!!

ASA Version 8.4(2)

hostname DE-VM-TER-FW-02

enable password 8Ry2Yj8765U24 encrypted

passwd 2KFQnb6IdI.2KY75 encrypted

names

interface GigabitEthernet0/0.3207

nameif TR_v207

security-level 50

ip address 10.28.6.60 255.255.255.248

interface GigabitEthernet0/0.3208

nameif TR_v208

security-level 70

ip address 10.28.6.68 255.255.255.248

interface GigabitEthernet0/0.3209

nameif TR_v209

security-level 80

ip address 10.28.6.76 255.255.255.248

interface GigabitEthernet0/0.3210

nameif TR_v210

security-level 90

ip address 10.28.6.84 255.255.255.248

interface GigabitEthernet0/1

nameif COLT

security-level 0

ip address 217.111.58.46 255.255.255.240

interface GigabitEthernet0/3

nameif T-COM

security-level 0

ip address 194.25.250.94 255.255.255.240

dns domain-lookup T-COM

dns domain-lookup COLT

dns server-group DefaultDNS

name-server 8.8.8.8

object network COLT_dynamic_NAT

subnet 0.0.0.0 0.0.0.0

object network T-COM_dynamiy_NAT

subnet 0.0.0.0 0.0.0.0

object-group network DM_INLINE_NETWORK_1

network-object 10.0.0.0 255.0.0.0

network-object 172.16.0.0 255.240.0.0

network-object 192.168.0.0 255.255.0.0

access-list COLT_access_in extended deny ip any any

access-list T-COM_access_in extended permit tcp any object DEUAG01-actsync eq https

access-list T-COM_access_in extended permit tcp any object DEUAG01-portal eq https

access-list T-COM_access_in extended deny ip any any

access-list TR_3208_access_in extended deny ip any object-group DM_INLINE_NETWORK_1

access-list TR_3208_access_in extended permit ip any any

access-list TR_3208_access_in extended permit icmp any any

access-list TR_v207_access_in extended deny ip any any

access-list TR_v210_access_in extended deny ip any any

access-list TR_v209_access_in extended deny ip any any

pager lines 24

logging enable

logging asdm informational

mtu TR_v208 1500

mtu T-COM 1500

mtu COLT 1500

mtu TR_v207 1500

mtu TR_v210 1500

mtu TR_v209 1500

ip verify reverse-path interface T-COM

ip verify reverse-path interface COLT

ipv6 access-list TR_v207_access_ipv6_in deny ip any any

ipv6 access-list TR_v208_access_ipv6_in deny ip any any

ipv6 access-list TR_v209_access_ipv6_in deny ip any any

ipv6 access-list TR_v210_access_ipv6_in deny ip any any

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

object network COLT_dynamic_NAT

nat (any,COLT) dynamic interface

object network T-COM_dynamiy_NAT

nat (any,T-COM) dynamic interface

access-group TR_3208_access_in in interface TR_v208

access-group TR_v208_access_ipv6_in in interface TR_v208

access-group T-COM_access_in in interface T-COM

access-group COLT_access_in in interface COLT

access-group TR_v207_access_in in interface TR_v207

access-group TR_v207_access_ipv6_in in interface TR_v207

access-group TR_v210_access_in in interface TR_v210

access-group TR_v210_access_ipv6_in in interface TR_v210

access-group TR_v209_access_in in interface TR_v209

access-group TR_v209_access_ipv6_in in interface TR_v209

route T-COM 0.0.0.0 0.0.0.0 194.25.250.81 1

route COLT 0.0.0.0 0.0.0.0 217.111.58.33 20

route TR_v208 10.28.24.0 255.255.255.0 10.28.6.65 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

user-identity default-domain LOCAL

no snmp-server location

no snmp-server contact

telnet timeout 5

ssh timeout 5

no threat-detection statistics tcp-intercept

dynamic-filter use-database

dynamic-filter enable interface T-COM

dynamic-filter enable interface COLT

dynamic-filter drop blacklist interface T-COM

dynamic-filter drop blacklist interface COLT

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect dns preset_dns_map dynamic-filter-snoop

service-policy global_policy global

Cryptochecksum:7bbe975fb39e189e99d8878787a0037

: end

System Context

dynamic-filter updater-client enable

Can't resolve update-manifests.ironport.com, make sure dns nameserver is configured

Re: Botnet Filter with multiple Context Mode

hwetzelwtg — Tue, 09 Oct 2012 10:37:38 GMT

Solution:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/contexts.html#wp1146788

System Configuration

The system administrator adds and manages contexts by configuring each context configuration location, allocated interfaces, and other context operating parameters in the system configuration, which, like a single mode configuration, is the startup configuration. The system configuration identifies basic settings for the ASA. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context. The system configuration does include a specialized failover interface for failover traffic only.

So now it works! The Admin context need to have Internet access and DNS defined.