Have had scanning threat enabled for years. A new assistant typed "no shun" instead of "clear shun", and now "show shun" doesn't show anything. We usually have about 100 entries in a matter of minutes. I have turned it on and off via the GUI and verified the config via the CLI. Attached is a screenshot, and the config is below. Any help appreciated.
The shun command is used independently of threat-detection.
Shuns, when entered manually, are ephemeral and not saved in the running-config. So if your shun list has been cleared out, that just means the ephemeral shun list has been cleared. You would see the same behavior if you rebooted your device.
Typically, the way I understand it, shun was designed to be used in this fashion:
You are seeing malicious traffic from a source IP, let's say 220.127.116.11. I would normally add this IP to a blacklist: a deny ACL on my edge, ingress ACL. However, adding the IP to the ACL will not stop any EXISTING sessions previously made by the bad actor. So in addition to the blacklist, we issue a shun, which clears the TCP connection tables and the NAT translation tables for the offending IP address at 220.127.116.11. This way, any previously successful connections by 220.127.116.11 are immediately dropped by the shun. If there were a reboot of the box, even though the shun has been cleared, the bad actor at 220.127.116.11 would still not be able to initiate any new connections, because our ACL blacklist would prevent any new connections.
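Putting the two mechanisms from the reply side by side, as an added example that is not from this thread: ASA CLI showing the persistent ACL block next to the ephemeral shun, with the "show shun" / "clear shun" commands the original poster is asking about. The interface name "outside", the ACL name OUTSIDE_IN and the address 192.0.2.10 (RFC 5737 documentation range) are assumed placeholders.

```cisco
! Added example, not the thread's own config. Interface, ACL name and
! 192.0.2.10 are placeholders chosen for illustration.

! 1. Persistent block: deny the source in the ingress ACL on the edge.
!    It is part of the saved configuration, so it survives a reboot,
!    but it does not touch connections already in the conn table.
asa(config)# access-list OUTSIDE_IN extended deny ip host 192.0.2.10 any
asa(config)# access-list OUTSIDE_IN extended permit ip any any
asa(config)# access-group OUTSIDE_IN in interface outside
asa(config)# write memory

! 2. Ephemeral block: shun the same source. The shun drops that host's
!    existing connections and NAT translations immediately and rejects
!    new packets from it until the shun is removed or the box reloads.
asa(config)# shun 192.0.2.10

! 3. Verify. "show shun" lists manual shuns together with the ones
!    scanning threat detection adds on its own; a freshly cleared list
!    is empty until new sources are flagged.
asa# show shun
asa# show conn address 192.0.2.10

! 4. Remove one shun once the ACL is in place, or clear all of them.
!    Neither command touches the ACL, so new connections from the host
!    are still denied after a reload.
asa(config)# no shun 192.0.2.10
asa# clear shun

! Automatic shunning of hosts flagged by scanning threat detection
! (the feature the original poster relies on) is enabled with:
asa(config)# threat-detection scanning-threat shun
```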
I appreciate your explanation. However, I could type "show shun" and it would give me a list of all IPs that are currently being shunned. I type that in now, and there is no list. That tells me nothing is being shunned. I usually get over 100 on the list within the first couple of minutes after issuing a clear shun command.