51-2
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 51 Configuring Threat Detection
Configuring Basic Threat Detection Statistics
• Configuring Basic Threat Detection Statistics, page 51-4
• Monitoring Basic Threat Detection Statistics, page 51-4
• Feature History for Basic Threat Detection Statistics, page 51-4
Information About Basic Threat Detection Statistics
Using basic threat detection statistics, the adaptive security appliance monitors the rate of dropped packets and security events due to the following reasons:
• Denial by access lists
• Bad packet format (such as invalid-ip-header or invalid-tcp-hdr-length)
• Connection limits exceeded (both system-wide resource limits, and limits set in the configuration)
• DoS attack detected (such as an invalid SPI, Stateful Firewall check failure)
• Basic firewall checks failed (This option is a combined rate that includes all firewall-related packet drops in this bulleted list. It does not include non-firewall-related drops such as interface overload, packets failed at application inspection, and scanning attack detected.)
• Suspicious ICMP packets detected
• Packets failed application inspection
• Interface overload
• Scanning attack detected (This option monitors scanning attacks; for example, the first TCP packet is not a SYN packet, or the TCP connection failed the 3-way handshake. Full scanning threat detection (see the “Configuring Scanning Threat Detection” section on page 51-8) takes this scanning attack rate information and acts on it by classifying hosts as attackers and automatically shunning them, for example.)
• Incomplete session detection, such as TCP SYN attack detected or no data UDP session attack detected
When the adaptive security appliance detects a threat, it immediately sends a system log message (730100). The adaptive security appliance tracks two types of rates: the average event rate over an interval, and the burst event rate over a shorter burst interval. The burst rate interval is 1/30th of the average rate interval or 10 seconds, whichever is higher. For each received event, the adaptive security appliance checks the average and burst rate limits; if both rates are exceeded, then the adaptive security appliance sends two separate system messages, with a maximum of one message for each rate type per burst period.
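The two-rate check described above, modelled as an added example (this is not Cisco's implementation). The burst-interval rule (1/30th of the average interval or 10 s, whichever is higher) and the one-message-per-rate-type-per-burst-period rule come from the text; the 600-second average interval, the two thresholds and the event timestamps are assumed, constructed values.

```python
from dataclasses import dataclass, field

SYSLOG_ID = 730100  # system log message ID named in the text

def burst_interval(avg_interval: int) -> int:
    """Burst interval: 1/30th of the average-rate interval or 10 s, whichever is higher."""
    return max(avg_interval // 30, 10)

@dataclass
class RateMonitor:
    """Tracks one event category (e.g. drops denied by access lists) against two rate limits."""
    avg_interval: int      # seconds over which the average rate is measured (assumed value)
    avg_limit: float       # average-rate threshold in events/second (assumed value)
    burst_limit: float     # burst-rate threshold in events/second (assumed value)
    events: list = field(default_factory=list)
    last_msg: dict = field(default_factory=dict)  # rate type -> burst period already reported

    def _count_since(self, since: float) -> int:
        return sum(1 for e in self.events if e > since)

    def record(self, t: float) -> list:
        """Register an event at time t; return the syslog lines it triggers (0, 1 or 2)."""
        self.events.append(t)
        bi = burst_interval(self.avg_interval)
        self.events = [e for e in self.events if e > t - self.avg_interval]  # drop stale events
        rates = (
            ("average", self._count_since(t - self.avg_interval) / self.avg_interval, self.avg_limit),
            ("burst", self._count_since(t - bi) / bi, self.burst_limit),
        )
        period = int(t // bi)  # burst period index; at most one message per rate type per period
        msgs = []
        for kind, rate, limit in rates:
            if rate > limit and self.last_msg.get(kind) != period:
                self.last_msg[kind] = period
                msgs.append(f"syslog {SYSLOG_ID}: {kind} rate {rate:.4f}/s exceeds {limit}/s")
        return msgs

def run(monitor: RateMonitor, timestamps: list) -> list:
    """Feed constructed event timestamps (seconds) and collect (time, message) pairs."""
    out = []
    for t in timestamps:
        out.extend((t, m) for m in monitor.record(t))
    return out

if __name__ == "__main__":
    # Constructed sample: one drop per second for 12 s, then two stragglers at 25 s and 30 s.
    mon = RateMonitor(avg_interval=600, avg_limit=0.0175, burst_limit=0.5)
    for t, msg in run(mon, list(range(12)) + [25, 30]):
        print(t, msg)
```

With these values the 11th event (t=10) pushes both rates over their limits at once, producing the two separate messages the text describes, while the event at t=25 falls into a new burst period and re-reports only the still-exceeded average rate.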
Basic threat detection affects performance only when there are drops or potential threats; even in this scenario, the performance impact is insignificant.
Guidelines and Limitations
This section includes the guidelines and limitations for this feature:
Security Context Guidelines
Supported in single mode only. Multiple mode is not supported.
Firewall Mode Guidelines
Supported in routed and transparent firewall mode.