scanning threat detection

ampowell (Level 1)

I am looking for clarification about how the ASA handles scanning threats and the function of the threat detection command.  After reading the documentation the function of the "threat-detection rate" command is still unclear to me.  When does the ASA drop packets if it detects a scanning threat?  Does the "threat-detection rate scanning-threat" command affect the rate of drops or does it only affect reporting?  How can I exempt an address from being considered a scanning threat?  I suspect that the ASA is blocking connections from our imaging server even though there is an ACL to permit all connections.

Thanks for insights.

Ann

Accepted Solution

Hi Ann,

David is correct in that the ASA will only drop packets for a detected scanning threat if you have the 'threat-detection scanning-threat shun' command enabled. If this was the case, you would see a shun entry for the host. If you don't see that, the threat-detection feature is not dropping any packets.

To verify whether the ASA is dropping packets for these connections, you can also set up a packet capture on the inside and outside interfaces of the firewall. If you see packets entering the firewall that never leave, that would indicate the firewall dropped them. More details on setting up a capture can be found here:

https://supportforums.cisco.com/docs/DOC-1222

Hope that helps.

-Mike

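Mike's answer in concrete ASA commands, as an added example that is not part of the original thread: the logging-only form, the rate tuning, the shun form with the exemption Ann asked about, and the verification steps. The imaging server address 10.1.1.5 and the interface names are constructed assumptions.

```text
! Added example, not from the thread. 10.1.1.5 is a constructed placeholder
! for the imaging server, assumed to sit behind the "inside" interface.

! 1. Scanning-threat detection alone only classifies and logs scanners;
!    it never drops traffic, whatever the rate thresholds are set to.
threat-detection scanning-threat

! 2. The rate command tunes when a host is classified as a scanner
!    (events per interval); it does not by itself cause drops.
!    These are the ASA defaults, written out explicitly.
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8

! 3. Only the shun form drops traffic. The "except" clause exempts the
!    imaging server so it is never shunned even if it trips the thresholds.
threat-detection scanning-threat shun except ip-address 10.1.1.5 255.255.255.255
threat-detection scanning-threat shun duration 3600

! --- Verification (exec mode) ---
! Hosts currently classified as scanners (attackers) or as targets
show threat-detection scanning-threat
! Hosts shunned by threat detection, and all shuns (manual or automatic)
show threat-detection shun
show shun

! Mike's capture test: capture the server's traffic on both interfaces.
! Packets seen in capin but absent from capout were dropped inside the ASA.
capture capin interface inside match ip host 10.1.1.5 any
capture capout interface outside match ip host 10.1.1.5 any
show capture capin
show capture capout
! Drop counters by reason, to name why the missing packets were dropped
show asp drop
! Remove the captures when done
no capture capin
no capture capout
```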

4 Replies

davcommunay (Level 1)

Hi Ampowell,

This may be related to a "shunned" host.

Try viewing the shunned host list with:

show shun

Best regards,

No.  The host is not shunned.

Does the ASA drop packets if it thinks there is a scanning threat?

Thanks,

Ann


Thank you David and Mike.  I don't see shuns.  Scanning threat shun is not configured.  I will look further for the answer to the problem.

Ann
