ASA Automatically Blacklist from a list of IPs?

Jon Baumann
Level 1

So I have a list of malicious IPv4 addresses (botnet/scanning traffic) that I would like to feed into my ASA automatically in order to blacklist. The list is very long (1M+ entries) and is being dynamically updated. Is there a good way to do this? Or is there perhaps a separate tool that could do this? The list is simply a text file with one address per line. I have thought about possibly doing this with a script via the "shun" command, but this seems messy and I don't know how well the ASA will support having over a million shun entries. The ASA is a 5545X running 9.7(1). 

Also, for those that may be wondering, this is a special case where we cannot outright block all traffic on a particular port to prevent this scanning, but rather have to identify the bad actors and blacklist them individually. The ASA has threat-detection turned on, which we have looked at, as well as Firepower. Neither one of these was able to meet our needs in this case.

Any help would be greatly appreciated!

1 Reply

Collin Clark
VIP Alumni

If I had to do it, I would more than likely use the ASA's REST API. There are a couple of examples here on the forums or I could maybe help you build something. PM me if you want to go that route.
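One shape such a script could take, added here as an example and not code from this thread or from Cisco: it parses the one-address-per-line feed, refuses to shun protected prefixes (so a poisoned feed cannot cut off internal space), pushes only the delta between refreshes, and builds the REST call. The `/api/cli` endpoint, its `{"commands": [...]}` body and Basic auth are assumed from the ASA REST API documentation (verify them for 9.7), the host name is a placeholder, and the feed lines are constructed.

```python
import base64
import ipaddress
import json
import urllib.request

# Constructed sample feed with the noise a real one carries: duplicates, whitespace,
# comments, junk, and addresses that must never be shunned (RFC 1918, multicast).
SAMPLE_FEED = """203.0.113.10
198.51.100.7
  203.0.113.10
10.0.0.5
not-an-ip
# comment
224.0.0.1
192.0.2.99
"""

# Prefixes the script refuses to shun even if a feed lists them (extend with your
# own public prefixes): a poisoned or sloppy feed must not block internal traffic.
NEVER_SHUN = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]

def parse_feed(text):
    """Return the set of valid IPv4 addresses in the feed, deduplicated, with
    unparseable lines, comments and protected prefixes dropped."""
    keep = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            addr = ipaddress.IPv4Address(line)
        except ValueError:
            continue
        if not any(addr in net for net in NEVER_SHUN):
            keep.add(str(addr))
    return keep

def diff_feed(previous, current):
    """Only the delta between refreshes is pushed; returns (to_add, to_remove)."""
    return sorted(current - previous), sorted(previous - current)

def shun_commands(to_add, to_remove):
    """CLI lines equivalent to the 'shun' approach the question mentions."""
    return [f"shun {ip}" for ip in to_add] + [f"no shun {ip}" for ip in to_remove]

def build_request(host, user, password, commands):
    """Build a POST to the ASA REST agent's /api/cli endpoint (endpoint, body shape
    and Basic auth are assumptions from the REST API docs). Send it with
    urllib.request.urlopen(req) over HTTPS and keep certificate verification on."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{host}/api/cli", method="POST",
        data=json.dumps({"commands": commands}).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"})
```

Persist the last pushed set between runs (a file is enough) so each refresh of the dynamic list sends only what changed; a full list of a million entries is not something to replay on every cycle.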
