New threat-detection service: can I specify a shun duration?

joachimj
Level 1

Hello,

In ASA Version 9.20(3)7 we tested the new threat-detection service
https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-asa/222315-configure-threat-detection-services-for.html

threat-detection service invalid-vpn-access
threat-detection service remote-access-authentication hold-down 10 threshold 20
threat-detection service remote-access-client-initiations hold-down 10 threshold 20

After 20 login attempts with a wrong password I see the IP is shunned.
# show shun
shun (Outside) 1.2.3.4 0.0.0.0 0 0 0
Log shows
%ASA-4-401002: Shun added: 1.2.3.4 0.0.0.0 0 0
%ASA-3-733201: Threat-detection: Service[remote-access-authentication] Peer[1.2.3.4]: failure threshold of 20 exceeded: adding shun to interface Outside. WEBVPN: Failed AAA authentication

It seems the shun is kept forever until we clear it manually.

My Question: is it possible to limit the duration of the shun?

Accepted Solution

@joachimj no, there is no shun-specific command to set the duration of the shun. The shun is in place until it is manually removed or the ASA is rebooted.

Perhaps use an EEM script to schedule a removal of the shun at a certain time/day?

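One way to implement the suggestion above, as an added example that is not part of the thread or of Cisco's documentation: an ASA EEM applet that runs `clear shun` on a watchdog timer, so a shun added by the threat-detection service lives at most one timer interval instead of until the next reboot. The applet name, the description and the 86400-second (24-hour) interval are my own choices; the `event manager applet`, `event timer watchdog`, `action ... cli command` and `output none` keywords are standard ASA EEM syntax.

```text
! Added example, not from the original post: age out threat-detection shuns.
! The ASA has no per-shun TTL, so clear the shun table on a recurring timer.
event manager applet CLEAR-TD-SHUNS
 description Clear shuns every 24h; ASA keeps them until reboot otherwise
 event timer watchdog time 86400
 action 1 cli command "clear shun"
 output none
```

Two caveats before relying on this. First, `clear shun` removes every shun on the box, including ones you added by hand, not only those created by `threat-detection service`; check with `show shun` before and after the first timer run. Second, a watchdog timer gives a shun anywhere from a few seconds to the full interval of life depending on when the 733201 event fired, not a fixed duration per address; ASA EEM applets have no variables, so a true per-IP duration needs an external script that reads the `%ASA-3-733201` / `%ASA-4-401002` syslogs or `show shun` output and issues `clear shun <ip>` for entries that have aged out. If a fixed daily time suits the environment better than an interval, replace the timer line with `event timer absolute time 03:00:00`.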