10-16-2018 06:02 PM - edited 02-21-2020 08:21 AM
Hello Everyone,
We have a plain ASA (no IDS/IPS, Firepower), and we want to determine if the device is being port scanned. Did a quick scan (nmap) and all I see by filtering on the device that I'm scanning it from is this:
%ASA-4-313009: Denied invalid ICMP code 9, for outside:scanner.ip.address/6523 (scanner.ip.address/6523) to identity:asa.outside.ip/0 (asa.outside.ip/0), ICMP id 295, ICMP type 8
There was no significant increase in the logs, no spikes in count, sessions and health (movement) as well.
What events or log messages should we watch out for if the device is being scanned?
Thanks in advance
10-16-2018 10:16 PM
Hi,
You might need to enable a few things to detect scans.
You can then look at the "Denied" and "Scanning" messages in the log
Thanks
John
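One way to check the "Denied" messages mentioned above for scan-like behaviour, as an added example that is not part of the original thread: it counts distinct denied destinations per source address. It assumes ACL denies are logged as %ASA-4-106023 alongside the 313009 message from the question; the log lines, addresses, ACL name and threshold are constructed.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (documentation addresses, not real traffic).
SAMPLE = """\
%ASA-4-313009: Denied invalid ICMP code 9, for outside:203.0.113.7/6523 (203.0.113.7/6523) to identity:198.51.100.1/0 (198.51.100.1/0), ICMP id 295, ICMP type 8
%ASA-4-106023: Deny tcp src outside:203.0.113.7/41000 dst inside:198.51.100.10/22 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.7/41001 dst inside:198.51.100.10/23 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.7/41002 dst inside:198.51.100.10/80 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.7/41003 dst inside:198.51.100.10/443 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.7/41004 dst inside:198.51.100.10/3389 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.50/50000 dst inside:198.51.100.10/443 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.50/50001 dst inside:198.51.100.10/443 by access-group "outside_in" [0x0, 0x0]
"""

# ACL deny: protocol, source IP, destination IP, destination port.
DENY_ACL = re.compile(
    r"%ASA-\d-106023: Deny (\w+) src \S+?:([\d.]+)/\d+ dst \S+?:([\d.]+)/(\d+)")
# Malformed ICMP deny in the format quoted in the question: source IP only.
DENY_ICMP = re.compile(
    r"%ASA-\d-313009: Denied invalid ICMP code \d+, for \S+?:([\d.]+)/\d+")


def suspected_scanners(lines, min_targets=4):
    """Return sources denied on at least min_targets distinct (dst, proto, port)."""
    targets = defaultdict(set)   # source IP -> set of (dst IP, proto, dst port)
    odd_icmp = defaultdict(int)  # source IP -> count of 313009 messages
    for line in lines:
        m = DENY_ACL.search(line)
        if m:
            proto, src, dst, dport = m.groups()
            targets[src].add((dst, proto, int(dport)))
            continue
        m = DENY_ICMP.search(line)
        if m:
            odd_icmp[m.group(1)] += 1
    # Many distinct targets from one source suggests a scan; repeated denies
    # to the same port (a retrying client) do not raise the count.
    return {src: {"distinct_targets": len(t), "odd_icmp": odd_icmp.get(src, 0)}
            for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    for src, info in suspected_scanners(SAMPLE.splitlines()).items():
        print(src, info)
```
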
10-16-2018 11:33 PM