04-18-2016 07:10 AM - edited 03-12-2019 12:37 AM
Hello All,
I am observing some 150-300 scanning attacks on my Cisco ASA firewall.
I have enabled threat-detection scanning-threat; however, the attacks don't decrease.
I am just curious whether these are normal or something can be done to fix this.
Thanks
04-18-2016 07:36 AM
Hi there,
Enabling 'threat-detection scanning-threat' will only build a database of possible attackers which can produce detailed reports. Using this detail you can choose to shun those attackers, but an additional keyword is required:
threat-detection scanning-threat shun
Further information can be found here:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html
cheers,
Seb.
04-18-2016 11:14 PM
Thanks Seb for the info.
I did the same; however, the scanning attacks are still there.
Any idea how to fix that?
Thanks
04-18-2016 11:28 PM
I used the command "threat-detection scanning-threat shun duration 259200".
I need to know: will this command shun all those present in the attacker database?
Let me know.
Thanks
04-19-2016 12:15 AM
That number added is the length of the shun in seconds.
So for each attacker detected the ASA will shun the host for 259200 seconds (4320 minutes) which is a long time. This could be legitimate traffic too. I would recommend you investigate the perceived attacks.
04-19-2016 02:47 AM
Hello,
I checked the traffic and found some hosts from my internal LAN, which I later put in the shun except list. But now I am concerned with the users who are accessing from outside and are legitimate. How do I fix that if they find themselves in the shun list?
Thanks