ASA: Threat-detection scanning-threat SHUN blocking our scan tools

KGrev
Level 4

Hi,


I'm trying to assist a neighboring company.

They have Threat-detection scanning-threat SHUN enabled on their ASA devices.

With this enabled they are no longer able to use scanning tools like ACAS to check outside devices they monitor.

Currently I only have "Threat-detection scanning-threat" enabled on our ASAs, so I cannot comment on the effects I am seeing.

This is a STIG requirement so I will have to implement it.


Does anyone know a way to get around this command blocking scanning tools?


Thank you

1 Reply

KGrev
Level 4

Hi,


Found the answer to my question.

For anyone who is curious, Cisco provides this in their setup guide:

"In some cases, you may still want to prevent the ASA from shunning certain IPs. In order to do this, create an exception with the threat-detection scanning-threat shun except command.

    ciscoasa(config)# threat-detection scanning-threat shun except ip-address 10.1.1.1 255.255.255.255
    ciscoasa(config)# threat-detection scanning-threat shun except object-group no-shun"
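As an added example (not from the post above or from Cisco's guide), here is the full set of ASA commands that puts the exception into practice: the STIG-required shun stays enabled, the organisation's own scanner hosts are collected in an object group, and that group alone is exempted. 10.1.1.1 is the address from the quoted guide; 10.1.1.2 is a constructed placeholder for a second scanner.

```cisco
! Keep scanning-threat detection and automatic shun enabled (the STIG requirement)
threat-detection scanning-threat shun
! Shun detected attackers for one hour (3600 s is also the default)
threat-detection scanning-threat shun duration 3600
!
! Collect the authorised scanner hosts in one object group so the exception
! is maintained in a single place rather than as scattered ip-address entries
! (10.1.1.1 is from the quoted guide; 10.1.1.2 is a constructed placeholder)
object-group network no-shun
 network-object host 10.1.1.1
 network-object host 10.1.1.2
!
! Exempt only that group from automatic shunning; all other sources are still shunned
threat-detection scanning-threat shun except object-group no-shun
!
! Verify the exception is in the running config and see which hosts are shunned now
show running-config threat-detection
show threat-detection shun
! Release a scanner that was shunned before the exception was added
clear threat-detection shun 10.1.1.2
```

The exception stops the automatic shun only; the scanner's activity is still counted by scanning-threat detection, so it continues to appear in threat-detection statistics and syslog, which is usually what you want for an audit trail.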