In short, we have some public-facing services that we have users connect to externally. These users predominantly are connecting from various means and locations within the country. Geo filters are about as effective as a screen door on a submarine. I'm seeing a lot of inbound scans from the following domains and quite frankly would like to make it go away:
stretchoid.com, leakix.org, shadowserver.org. I've also seen instances of these scans coming from AWS EC2 instances. Because these are likely load-balanced/cloud-based services, the IP can change at any moment and pop up someplace else, so filtering by IP is also a dubious approach.
I've attempted using the URL filter policy and haven't had any luck getting that to work, being that's seemingly a destination-only filter. I want to filter based on the source domain.
Is there a way to do this without negatively impacting the performance of the box?