
Shun packet fine tune

Machi Ma
Level 1

Hello,

There are many logs related to the following:

"%ASA-4-401004: Shunned packet: IP_src ==> IP_dest"

I would like to know in more detail which threat detection rule was hit. It will be useful for me to adjust its Threat Detection setting.

Since "show threat-detection scanning-threat" or "show threat-detection rate" only shows the global summaries.

Thanks!

5 Replies

Vibhor Amrodia
Cisco Employee

Hi,

You should have scanning threat detection enabled to get the packets shunned on the ASA device.

threat-detection scanning-threat shun

Now, if you want to change the threshold values for Threat Detection, you can do that, but it would be very tedious. You can see the defaults using this command:-

sh run all threat-detection

Also, it has to be modified using this command:-

threat-detection rate scanning-threat

Thanks and Regards,

Vibhor Amrodia

Hello,

Thanks, but how can I more efficiently check which threat-detection rate value has reached its threshold?

For example, again, the syslog keeps showing "%ASA-4-401004: Shunned packet: IP_src ==> IP_dest"

But I have no idea which value I can adjust.

One idea is to keep running

> show threat-detection rate

to see which value rises faster and then adjust it. But that does not look efficient.

Thanks!

Hi,

I agree but this is the only way to modify the value and see which suits your network traffic the best. This is a reactive approach on this feature.

For this reason, we have the feature of exception for specific addresses from preventing them from getting exempted.

Thanks and Regards,

Vibhor Amrodia

Hi,

Do you mean using something like the following?

> threat-detection scanning-threat shun except ip-address IP_address netmask? 

or others?

Thanks!


Hi,

Yes, if you see some of your important or high-traffic devices/hosts, we might need an exception.

The above way is how you can create an exception for the specific IP addresses.

Reference:-

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/T-Z/cmdref4/t1.html#pgfId-1563523

Thanks and Regards,

Vibhor Amrodia
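
Added example, not part of the original thread or Cisco's code: since the 401004 message does not name the rule that triggered the shun, one practical step is to tally the shun messages by source and draft `shun except` lines only for sources already known to be legitimate. The log prefix, the sample addresses and the `known_good` list are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines in the message format quoted in the thread
# (timestamps, hostname and documentation-range addresses are made up).
SAMPLE_LOG = """\
Mar 01 10:00:01 fw1 %ASA-4-401004: Shunned packet: 192.0.2.10 ==> 198.51.100.5
Mar 01 10:00:02 fw1 %ASA-4-401004: Shunned packet: 192.0.2.10 ==> 198.51.100.6
Mar 01 10:00:02 fw1 unrelated message that must be ignored
Mar 01 10:00:03 fw1 %ASA-4-401004: Shunned packet: 203.0.113.7 ==> 198.51.100.5
Mar 01 10:00:04 fw1 %ASA-4-401004: Shunned packet: 192.0.2.10 ==> 198.51.100.5
Mar 01 10:00:05 fw1 %ASA-4-401004: Shunned packet: 999.1.1.1 ==> 198.51.100.5
"""

SHUN_RE = re.compile(r"%ASA-4-401004: Shunned packet: (\S+) ==> (\S+)")

def tally_shunned(log_text):
    """Return [(src, packets, distinct_dests)], busiest source first."""
    hits = defaultdict(lambda: [0, set()])
    for line in log_text.splitlines():
        m = SHUN_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group(1))
            dst = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # malformed address in the log line: skip it
        hits[src][0] += 1
        hits[src][1].add(dst)
    rows = [(str(s), n, len(d)) for s, (n, d) in hits.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

def exception_lines(rows, known_good):
    """Draft 'shun except' commands only for shunned sources that fall inside
    networks the operator has already vetted (known_good is hypothetical input)."""
    nets = [ipaddress.ip_network(n) for n in known_good]
    return [
        f"threat-detection scanning-threat shun except ip-address {src} 255.255.255.255"
        for src, _, _ in rows
        if any(ipaddress.ip_address(src) in n for n in nets)
    ]

if __name__ == "__main__":
    rows = tally_shunned(SAMPLE_LOG)
    for src, n, d in rows:
        print(f"{src:15} packets={n} distinct_dests={d}")
    print("\n".join(exception_lines(rows, ["192.0.2.0/24"])))
```

Sources that are shunned often but are not in the vetted list are left alone; those are the ones the shun is meant to catch.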
