50-10
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 50 Configuring the Botnet Traffic Filter
Configuring the Botnet Traffic Filter
What to Do Next
See the “Enabling Traffic Classification and Actions for the Botnet Traffic Filter” section on page 50-10.
Enabling Traffic Classification and Actions for the Botnet Traffic Filter
This procedure enables the Botnet Traffic Filter. The Botnet Traffic Filter compares the source and
destination IP address in each initial connection packet to the following:
• Dynamic database IP addresses
• Static database IP addresses
• DNS reverse lookup cache (for dynamic database domain names)
• DNS host cache (for static database domain names)
When an address matches, the adaptive security appliance sends a syslog message. The only additional
action currently available is to drop the connection.
Prerequisites
In multiple context mode, perform this procedure in the context execution space.
Recommended Configuration
Although DNS snooping is not required, we recommend configuring DNS snooping for maximum use
of the Botnet Traffic Filter (see the “Enabling DNS Snooping” section on page 50-9). Without DNS
snooping for the dynamic database, the Botnet Traffic Filter uses only the static database entries, plus
any IP addresses in the dynamic database; domain names in the dynamic database are not used.
We recommend enabling the Botnet Traffic Filter on all traffic on the Internet-facing interface, and
enabling dropping of traffic with a severity of moderate and higher.
Detailed Steps
Step 1 Choose the Configuration > Firewall > Botnet Traffic Filter > Traffic Settings pane.
Step 2 To enable the Botnet Traffic Filter on specified traffic, perform the following steps:
a. In the Traffic Classification area, check the Traffic Classified check box for each interface on which
you want to enable the Botnet Traffic Filter.
You can configure a global classification that applies to all interfaces by checking the Traffic
Classified check box for Global (All Interfaces). If you configure an interface-specific
classification, the settings for that interface overrides the global setting.
b. For each interface, from the ACL Used drop-down list choose either --ALL TRAFFIC-- (the
default), or any access list configured on the adaptive security appliance.
For example, you might want to monitor all port 80 traffic on the outside interface.
To add or edit access lists, click Manage ACL to bring up the ACL Manager. See the Chapter 15,
“Using the ACL Manager,” for more information.
Step 3 (Optional) To treat greylisted traffic as blacklisted traffic for action purposes, in the Ambiguous Traffic
Handling area, check the Treat ambiguous (greylisted) traffic as malicious (blacklisted) traffic check
box.
To Next Page
Loading...
Need help?
General
