07-09-2016 10:14 AM - edited 03-12-2019 01:00 AM
Hi,
I am using an ASA 5510 on our home/office network as firewall and router. Over the past hour the top usage status is showing 8+ million packet hits for HTTP traffic. That seems huge for a Saturday when no one is in the office and I only have 3 people at home.
I enabled the threat detection and it started blocking things like iPhone software updates. I added our internal network to the shun exclusion list.
I'm trying to figure out if this is attempted traffic coming to our site or some type of infected device inside my network going out.
Do you have any suggestions for me for determining where the issue is? I tried using the demo of FirePlotter, but it hasn't helped me track down the source.
Any help would be greatly appreciated!
Thank you!
--Kent
07-10-2016 06:26 PM
Hi,
Set up a syslog server for your network and configure the ASA to log to it. Use the logging trap informational command to send detailed logs to the syslog server. Analyse the syslog messages to see which devices are generating most of the traffic and to what destinations the traffic is going.
Thanks
John
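One way to do the analysis described in the reply above, as an added example that is not part of the original thread: a small Python script that tallies HTTP connections and bytes per internal host and direction from ASA 302013 (Built) and 302014 (Teardown) syslog messages, which are sent at the informational level. The sample log lines are constructed, and the interface name "inside" and the function name summarize are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of ASA 302013/302014 messages
# (documentation and private address ranges, not real traffic).
SAMPLE_LOG = """\
Jul 09 2016 10:01:02 asa : %ASA-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:192.168.1.50/51000 (203.0.113.5/51000)
Jul 09 2016 10:01:03 asa : %ASA-6-302013: Built outbound TCP connection 1002 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:192.168.1.50/51001 (203.0.113.5/51001)
Jul 09 2016 10:01:04 asa : %ASA-6-302013: Built outbound TCP connection 1003 for outside:198.51.100.9/80 (198.51.100.9/80) to inside:192.168.1.23/52000 (203.0.113.5/52000)
Jul 09 2016 10:01:05 asa : %ASA-6-302013: Built inbound TCP connection 1004 for outside:203.0.113.99/40000 (203.0.113.99/40000) to inside:192.168.1.10/80 (203.0.113.5/80)
Jul 09 2016 10:01:06 asa : %ASA-6-302013: Built outbound TCP connection 1005 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:192.168.1.50/51002 (203.0.113.5/51002)
Jul 09 2016 10:01:10 asa : %ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/80 to inside:192.168.1.50/51000 duration 0:00:08 bytes 5000 TCP FINs
Jul 09 2016 10:01:11 asa : %ASA-6-302014: Teardown TCP connection 1002 for outside:198.51.100.7/80 to inside:192.168.1.50/51001 duration 0:00:08 bytes 7000 TCP FINs
Jul 09 2016 10:01:12 asa : %ASA-6-302014: Teardown TCP connection 1003 for outside:198.51.100.9/80 to inside:192.168.1.23/52000 duration 0:00:08 bytes 300 TCP FINs
Jul 09 2016 10:01:13 asa : %ASA-6-302014: Teardown TCP connection 1004 for outside:203.0.113.99/40000 to inside:192.168.1.10/80 duration 0:00:08 bytes 120 TCP FINs
Jul 09 2016 10:01:14 asa : %ASA-6-302014: Teardown TCP connection 1005 for outside:198.51.100.7/443 to inside:192.168.1.50/51002 duration 0:00:08 bytes 999 TCP FINs
"""

BUILT = re.compile(r"%ASA-6-302013: Built (inbound|outbound) TCP connection (\d+) "
                   r"for (\S+?):([\d.]+)/(\d+) \(.*?\) to (\S+?):([\d.]+)/(\d+)")
TEARDOWN = re.compile(r"%ASA-6-302014: Teardown TCP connection (\d+) for .*? bytes (\d+)")

def summarize(log_text, inside_if="inside", port=80):
    """Count connections and bytes per (direction, internal host) for one port."""
    conns, volume, owner = Counter(), Counter(), {}
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            direction, conn_id, if_a, ip_a, port_a, if_b, ip_b, port_b = m.groups()
            if port not in (int(port_a), int(port_b)):
                continue  # not the service we are investigating
            # The internal host is whichever endpoint sits on the inside interface.
            local = ip_a if if_a == inside_if else ip_b if if_b == inside_if else None
            if local is None:
                continue
            conns[(direction, local)] += 1
            owner[conn_id] = (direction, local)  # remember for the Teardown line
            continue
        m = TEARDOWN.search(line)
        if m and m.group(1) in owner:
            volume[owner.pop(m.group(1))] += int(m.group(2))
    return conns, volume

if __name__ == "__main__":
    conns, volume = summarize(SAMPLE_LOG)
    for key, count in conns.most_common():
        print(key[0], key[1], "connections:", count, "bytes:", volume[key])
```

A host that dominates the outbound rows points to a device inside the network, while a large inbound count against one internal address points to traffic arriving from outside.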
07-11-2016 03:52 PM
What tool do you recommend for analyzing the syslog traffic?
09-26-2016 02:18 PM
Hey,
I am using Syslog Watcher, try it.
08-03-2016 11:05 AM
Hi, I have a similar problem, a MacBook in our network is being shunned many times per day by our ASA.
Every time this MacBook stops accessing the internet, the command show shun on the CLI gives me the IP address of this computer, so we perform a no shun to free him.
On the CLI, the command show threat-detection statistics host gives me a detailed output, as in the attached snapshot. I understand this MacBook activated the TRIGGER 5 times in the last 20 minutes; that's why it is being shunned every day.
My question is, how do I understand which triggers he activated?
I don't know if the MacBook is really doing something wrong, or if it is just an excessively restrictive rule on the ASA.