Cisco ASA Series 6: Configuring Threat Detection-Advanced

Cisco ASA Series 6: Configuring Threat Detection-Advanced

Cisco ASA is a security appliance that incorporates a firewall, antivirus software, intrusion detection, and a virtual private network (VPN). It allows for proactive threat defense, preventing attacks from propagating over the network.

Configuring Threat Detection-Advanced
Fig 1.1- Configuring Threat Detection-Advanced

⭐Check out the basic Threat Detection discussion in our first part
Cisco ASA Series 5: Configuring Threat Detection

⭐ Cisco ASA's Advanced Threat Detection 🔐

For specific objects like hosts, ports, protocols, or ACLs, advanced threat detection statistics display both allowed and dropped traffic rates. As such, it provides a finer level of control over threat monitoring. Only ACL statistics are used by default when enabling Advanced Threat Detection.

The device's performance may be impacted by the kind of statistics that are enabled. The host command for threat-detection statistics has a notable impact on performance; if your traffic load is heavy, you may want to temporarily enable this kind of data. However, there is not much of an influence from the "threat-detection statistics port" command. 

Threat Detection records the quantity of packets, bytes, and drops that each host, port, and protocol object sends and receives during a certain time interval. Threat Detection monitors the top 10 ACEs (permit and deny) that experienced the greatest number of hits in a certain amount of time.

Advanced Threat Detection is just informative, much as Basic Threat Detection. The statistics from Advanced Threat Detection are used to determine whether or not to restrict traffic.

⭐ CLI Command configuration 📜

"Threat-detection statistics" is the command to use in order to configure Advanced Threat Detection. The command activates tracking for all statistics in the absence of a specified feature term. 

NDNA_CiscoASA(config)# threat-detection statistics { access-list|host|port|protocol|tcp-intercept}
  • Access-list: Activates ACL statistics (activated by default).
  • Host number-of-rate {1|2|3}: Allow statistics to be collected for the host with the given number-of-rate interval. The number of rate intervals that host statistics are preserved at is determined by the number-of-rate keyword. Because there are one rate interval by default, there is less memory use. Put the number to two or three to see additional rate intervals. For instance, you may display data for the last one, eight, and twenty-four hours if you set the value to 3. Only the data for the smallest rate interval are kept if you set this keyword to 1, which is the default. NOTICE: The "host" monitoring might impact how well ASA performs.
  • Port number-of-rate {1|2|3}: Allow TCP and UDP port statistics. Refer to the description above for the term "number-of-rate."
  • Enable statistics for IP protocols other than TCP/UDP with protocol number-of-rate {1|2|3}.
  • tcp-intercept: Enables statistics for TCP intercepted assaults. 

Example commands as shown below

NDNA_CiscoASA(config)# show threat-detection statistics top access-list
NDNA_CiscoASA(config)# show threat-detection rate acl-drop
NDNA_CiscoASA(config)# show threat-detection statistics host

Continue Reading...

More on Cisco ASA...