01-13-2012 10:44 AM - edited 03-11-2019 03:14 PM
I am very interested in tuning my ASA Threat-Detection configuration. I desire for the device to shun addresses quicker for ACL failures and IP scanning. Any advice would be most appreciated.
01-13-2012 12:26 PM
Hello,
So you will need to focus on this for the shunning purposes:
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
You are already using the minimum amount of time for the scanning threat, so the only thing you can change is to try to use a lower burst-rate.
Rate if this helps.
Julio
01-13-2012 11:47 AM
Hello Scott,
As I have understood, if you want to be able to shun hosts based on threat-detection analysis you will need to use the scanning threat detection, as the other two (basic and advanced threat detection) will only generate log messages.
Configuration for the scanning:
- threat-detection scanning-threat
- threat-detection scanning-threat shun duration xxx ( How long the host will be shunned)
- threat-detection rate scanning-threat rate-interval 600 ( time where the ASA will inspect traffic looking for a scan or sweep) average-rate 30 ( times ASA encounter a scan or sweep) burst-rate 10 ( times per second the scan happen)
As I told you the following command will generate a log, just that, it will not shun the host.
- threat-detection rate acl-drop rate-interval 600 ( time where the ACL-Drop will be inspected) average-rate 30 ( Times ACL will drop the packet) burst ( denys per second) 10
Let me know if I was clear enough
Regards,
Julio
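To make the interplay of rate-interval, average-rate and burst-rate in the commands above concrete, here is an added Python model that counts events in the two windows and reports which threshold trips first; it is not Cisco code and not from the posts. It assumes the burst window is the larger of rate-interval/30 and 10 seconds, as the ASA configuration guide describes, does not reproduce the ASA's internal scanning-threat classification, and uses constructed event timestamps.

```python
"""Added model of ASA threat-detection rate thresholds (not Cisco code).
Assumption: average-rate (events/s) is measured over rate-interval and
burst-rate over a window of max(rate-interval/30, 10) s, as the ASA
configuration guide describes; ASA internals are not reproduced."""
from collections import deque


def burst_window(rate_interval):
    """Burst window in seconds for a rate-interval (see assumption above)."""
    return max(rate_interval // 30, 10)


def events_to_trigger(rate_interval, average_rate, burst_rate):
    """Events needed inside each window to exceed it: {name: (count, window)}."""
    bw = burst_window(rate_interval)
    return {"average": (average_rate * rate_interval, rate_interval),
            "burst": (burst_rate * bw, bw)}


def first_trigger(event_times, rate_interval, average_rate, burst_rate):
    """Return (time, threshold) of the first crossing, or None.
    event_times: ascending timestamps in seconds of scan/drop events;
    a threshold trips when events-in-window / window-length exceeds it."""
    bw = burst_window(rate_interval)
    long_win, short_win = deque(), deque()
    for t in event_times:
        long_win.append(t)
        short_win.append(t)
        while long_win[0] <= t - rate_interval:   # expire events outside the windows
            long_win.popleft()
        while short_win[0] <= t - bw:
            short_win.popleft()
        if len(short_win) / bw > burst_rate:
            return t, "burst-rate"
        if len(long_win) / rate_interval > average_rate:
            return t, "average-rate"
    return None


# Constructed sample: one scan event every 50 ms for 30 s (20 events/s).
SCAN_SAMPLE = [i / 20 for i in range(600)]

if __name__ == "__main__":
    for burst in (10, 5):   # the thread's burst-rate 10 versus a lowered value
        print(events_to_trigger(600, 5, burst), first_trigger(SCAN_SAMPLE, 600, 5, burst))
```

With the thread's scanning-threat line (600 s, average 5, burst 10) the burst window is 20 s and needs more than 200 events, which the sample reaches at 10 s; lowering burst-rate to 5 halves that to 5 s, which is why burst-rate is the lever for faster shunning while the 3000-event average threshold is far away.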
01-13-2012 11:54 AM
Hello Julio,
I have the following configuration and it does shun properly, I just want to tune it to shun faster.
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
no threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
no threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate syn-attack rate-interval 600 average-rate 20 burst-rate 30
threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000
threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.0.0 255.255.0.0
threat-detection scanning-threat shun duration 36000
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200 threat-detection rate dos-drop
01-13-2012 12:44 PM
That was it! Thanks Julio!
01-13-2012 12:50 PM
Hello Scott,
My pleasure,
Regards,
Julio
09-20-2012 02:35 PM
Is there a significant performance hit when using 'scanning threat detection' and the shun feature as opposed to using only 'basic threat detection'?
I have a pair of ASA 5520's with ~100 users with a fair amount of traffic. My CPU usage is between 10 and 30% on average. I've been advised by some security experts to turn on the feature but I'm afraid to overload the ASA's.
Thanks.
09-20-2012 03:03 PM
Hello Blue,
It will increment a lot as all traffic will need to be deeply inspected. They will gather more information from all the statistics and they could even perform shunning, but you can monitor how much CPU it takes with the following command:
sh processes cpu-usage sorted non-zero
Any other question? Sure. Just remember to rate all the helpful posts.
Regards,
Julio