cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
337
Views
0
Helpful
1
Replies

Blocking certain reverse lookup domains on FTD

kossuth78
Level 1
Level 1

In short we have some public facing services that we have users connect to externally.  These users predominantly are connecting from various means and locations within the country.  Geo filters are about as effective as a screen door on a submarine.  I'm seeing alot of inbound scans from the following domains and quite frankly would like to make it go away.

stretchoid.com, leakix.org, shadowserver.org.  I've also seen instances of these scans coming from AWS EC2 instances.  Because these are likely load balanced/cloud based services the IP can change at any moment and pop up someplace else so filtering by IP is also a dubious approach.  

I've attempted using the URL filter policy and haven't had any luck getting that to work being that's seemingly a destination only filter.  I want to filter based on the source domain. 

Is there a way to do this without negatively impacting the performance of the box?  

1 Reply 1

Have you considered using the portscan detection function under the ACP > Advanced > Threat Detection ?  Here is a document for your reference.

https://secure.cisco.com/secure-firewall/docs/port-scan-detection

 

--
Please remember to select a correct answer and rate helpful posts
Review Cisco Networking for a $25 gift card