Cisco ASA Series CLI Configuration Guide
 
Chapter 1      Configuring Threat Detection
  Configuring Advanced Threat Detection Statistics
Table 1-3 show threat-detection statistics host Command Fields (continued)

Field         Description

fw-drop       Shows the number of firewall drops. Firewall drops is a combined
              rate that includes all firewall-related packet drops tracked in
              basic threat detection, including access list denials, bad
              packets, exceeded connection limits, DoS attack packets,
              suspicious ICMP packets, TCP SYN attack packets, and no data UDP
              attack packets. It does not include non-firewall-related drops
              such as interface overload, packets failed at application
              inspection, and scanning attack detected.

insp-drop     Shows the number of packets dropped because they failed
              application inspection.

null-ses      Shows the number of null sessions, which are TCP SYN sessions
              that did not complete within the 3-second timeout, and UDP
              sessions that did not have any data sent by their server
              3 seconds after the session starts.

bad-acc       Shows the number of bad access attempts to host ports that are in
              a closed state. When a port is determined to be in a null session
              (see the null-ses field description), the port state of the host
              is set to HOST_PORT_CLOSE. Any client accessing the port of the
              host is immediately classified as a bad access without the need
              to wait for a timeout.

Average(eps)  Shows the average rate in events/sec over each time period.

              The ASA stores the count at the end of each burst period, for a
              total of 30 completed burst intervals. The unfinished burst
              interval presently occurring is not included in the average rate.
              For example, if the average rate interval is 20 minutes, then the
              burst interval is 20 seconds. If the last burst interval was from
              3:00:00 to 3:00:20, and you use the show command at 3:00:25, then
              the last 5 seconds are not included in the output.

              The only exception to this rule is if the number of events in the
              unfinished burst interval already exceeds the number of events in
              the oldest burst interval (#1 of 30) when calculating the total
              events. In that case, the ASA calculates the total events as the
              last 29 complete intervals, plus the events so far in the
              unfinished burst interval. This exception lets you monitor a
              large increase in events in real time.

Current(eps)  Shows the current burst rate in events/sec over the last
              completed burst interval, which is 1/30th of the average rate
              interval or 10 seconds, whichever is larger. For the example
              specified in the Average(eps) description, the current rate is
              the rate from 3:19:30 to 3:20:00.

Trigger       Shows the number of times the dropped packet rate limits were
              exceeded. For valid traffic identified in the sent and received
              bytes and packets rows, this value is always 0, because there are
              no rate limits to trigger for valid traffic.

Total events  Shows the total number of events over each rate interval. The
              unfinished burst interval presently occurring is not included in
              the total events. The only exception to this rule is if the
              number of events in the unfinished burst interval already exceeds
              the number of events in the oldest burst interval (#1 of 30) when
              calculating the total events. In that case, the ASA calculates
              the total events as the last 29 complete intervals, plus the
              events so far in the unfinished burst interval. This exception
              lets you monitor a large increase in events in real time.
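
The burst-interval accounting described for the Average(eps), Current(eps) and Total events fields can be modeled as follows. This is an added example, not Cisco code or ASA output: the RateWindow class, its method names, the 600-second rate interval and the per-burst counts are constructed for illustration. Dividing the total by the 30-burst window length to obtain the average, and applying the exception only once 30 bursts are stored, are assumptions.

```python
from collections import deque

BURSTS = 30             # completed burst intervals kept per rate interval
MIN_BURST_SECONDS = 10  # floor on the burst interval


def burst_seconds(rate_interval_s):
    """1/30th of the average rate interval or 10 seconds, whichever is larger."""
    return max(rate_interval_s // BURSTS, MIN_BURST_SECONDS)


class RateWindow:
    """Model of one rate interval for one counter (for example fw-drop)."""

    def __init__(self, rate_interval_s):
        self.burst_s = burst_seconds(rate_interval_s)
        self.completed = deque(maxlen=BURSTS)  # oldest burst is index 0
        self.unfinished = 0                    # events in the burst in progress

    def record(self, events=1):
        self.unfinished += events

    def close_burst(self):
        """End of a burst period: store the count, start a new burst."""
        self.completed.append(self.unfinished)
        self.unfinished = 0

    def total_events(self):
        done = list(self.completed)
        # Exception: the unfinished burst already exceeds the oldest of the 30
        # stored bursts, so it takes that burst's place in the total.
        # Assumption: applied only once all 30 bursts are stored.
        if len(done) == BURSTS and self.unfinished > done[0]:
            return sum(done[1:]) + self.unfinished
        return sum(done)

    def average_eps(self):
        # Assumption: total events divided by the 30-burst window length.
        return self.total_events() / (BURSTS * self.burst_s)

    def current_eps(self):
        """Rate over the last completed burst interval."""
        return self.completed[-1] / self.burst_s if self.completed else 0.0


if __name__ == "__main__":
    w = RateWindow(600)              # constructed 10-minute interval, 20 s bursts
    for count in [10] + [40] * 29:   # constructed per-burst drop counts
        w.record(count)
        w.close_burst()
    w.record(100)                    # spike inside the unfinished burst
    print(w.total_events(), w.average_eps(), w.current_eps())
```

In this constructed run the spike of 100 events is counted before its burst completes because it exceeds the oldest stored burst (10 events), while Current(eps) still reflects only the last completed burst.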