Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1426
Views
0
Helpful
5
Replies

Scanning Attacks on Cisco ASA Firewall

mudasir05
Level 1
Level 1

‎04-18-2016 07:10 AM - edited ‎03-12-2019 12:37 AM

Hello All,

I am observing some 150-300 scanning Attacks on my Cisco ASA firewall.

I have enabled threat-detection scanning-threat,however the attacks don't decrease.

I am just curious whether these are normal or something can be done to fix this.

Thanks

Labels:
0 Helpful
5 Replies 5

Seb Rupik
VIP Alumni
VIP Alumni

‎04-18-2016 07:36 AM

Hi there,

Enabling 'threat-detection scanning-threat' will only build a database of possible attackers which can produce detailed reports. Using this detail you can choose to shun those attackers, but an additional keyword is required:

threat-detection scanning-threat shun

Further information can be found here:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html

cheers,

Seb.

0 Helpful

mudasir05
Level 1
Level 1
In response to Seb Rupik

‎04-18-2016 11:14 PM

thanks Seb for the info...

i did the same however the scanning attacking are still there...

any idea how to fix that....

thanks

0 Helpful

mudasir05
Level 1
Level 1
In response to mudasir05

‎04-18-2016 11:28 PM

i used the command "threat-detection scanning-threat shun duration 259200"

need to know will this command shun all those present in the attacker database...

let me know...

thanks

0 Helpful

Andre Neethling
Level 4
Level 4
In response to mudasir05

‎04-19-2016 12:15 AM

That number added is the length of the Shun in seconds............

So for each attacker detected the ASA will shun the host for 259200 seconds (4320 minutes) which is a long time. This could be legitimate traffic too. I would recommend you investigate the perceived attacks.

0 Helpful

mudasir05
Level 1
Level 1
In response to Andre Neethling

‎04-19-2016 02:47 AM

Hello,

I checked the traffic and found some hosts from my internal lan which later i put in the shun except list......but now iam concerned with the users who are accessing from outside and are legitimate....how to fix that if they find themselves in the shun list....

thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card