Cisco ASA Series 7: Scanning Threat Detection

The Cisco ASA security appliance combines a firewall, antivirus software, intrusion detection, and a virtual private network (VPN). It enables proactive threat defense, stopping assaults from spreading over the network.

Fig 1.1 - Scanning Threat Detection

⭐ Check out the basic Threat Detection discussion in the earlier parts of this series:
Cisco ASA Series 5: Configuring Threat Detection
Cisco ASA Series 6: Configuring Threat Detection-Advanced

⭐ Cisco ASA's Scanning Threat Detection 🔐

Scanning Threat Detection is the only Threat Detection feature that can actively block (shun) attackers attempting to scan the network protected by the ASA. In contrast to IPS scan detection, which is based on traffic signatures, the ASA scanning threat detection capability keeps a large database of host information that it analyzes for scanning activity. If the scanning threat rate is exceeded, the ASA emits a syslog message (733101) and, if shunning is configured, shuns the attacker. When a shun is applied, the ASA sends syslog message 733102 to report that the attacker has been shunned.

Scanning Threat Detection has the potential to significantly impair ASA performance. It evaluates only traffic that is permitted to flow through the ASA; traffic that is denied by an ACL is not identified by Scanning Threat Detection.

⭐ CLI Command configuration 📜

Use the "threat-detection scanning-threat" command to configure Scanning Threat Detection, as shown in the examples below:

NDNA_CiscoASA(config)# threat-detection scanning-threat { shun [duration|except] }
NDNA_CiscoASA(config)# threat-detection scanning-threat shun duration 3600
NDNA_CiscoASA(config)# threat-detection scanning-threat shun except ip-address 10.10.10.1 255.255.255.0
NDNA_CiscoASA(config)# threat-detection rate scanning-threat rate-interval 1200 average-rate 10 burst-rate 20

Status Checks

NDNA_CiscoASA(config)# show threat-detection shun
NDNA_CiscoASA(config)# clear threat-detection shun 80.11.10.1
NDNA_CiscoASA(config)# show threat-detection scanning-threat attacker
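On the monitoring side, syslog messages 733101 and 733102 described above can be correlated to list hosts that were flagged as scanners but never shunned. The script below is an added example, not part of the original article or Cisco's tooling; the log lines are constructed, the message layout is an assumption modelled on Cisco's syslog reference, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines. Message layout is an assumption modelled on Cisco's
# syslog reference for 733101/733102; verify against your ASA release.
SAMPLE_LOG = """\
Mar 03 10:15:01 asa1 %ASA-4-733101: Host 192.0.2.50 is attacking. Current burst rate is 25 per second, max configured rate is 20; Current average rate is 12 per second, max configured rate is 10; Cumulative total count is 14400
Mar 03 10:15:01 asa1 %ASA-4-733102: Threat-detection adds host 192.0.2.50 to shun list
Mar 03 10:16:40 asa1 %ASA-4-733101: Host 198.51.100.7 is attacking. Current burst rate is 31 per second, max configured rate is 20; Current average rate is 4 per second, max configured rate is 10; Cumulative total count is 5100
Mar 03 10:16:42 asa1 %ASA-4-733101: Host 10.10.10.25 is targeted. Current burst rate is 31 per second, max configured rate is 20; Current average rate is 4 per second, max configured rate is 10; Cumulative total count is 5100
Mar 03 10:17:00 asa1 %ASA-6-302013: Built inbound TCP connection 1 for outside:203.0.113.9/4000 to inside:10.10.10.25/443
"""

RATE_RE = re.compile(
    r"%ASA-\d-733101: (?:Host|Subnet) (?P<ip>\S+) is (?P<role>attacking|targeted)\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is \d+; "
    r"Current average rate is (?P<avg>\d+) per second")
SHUN_RE = re.compile(r"%ASA-\d-733102: Threat-detection adds host (?P<ip>\S+) to shun list")


def summarize(log_text):
    """Return (attackers, targets, shunned) parsed from ASA syslog text.

    attackers/targets map an address to a list of (burst, average) rates.
    """
    attackers, targets, shunned = defaultdict(list), defaultdict(list), set()
    for line in log_text.splitlines():
        rate = RATE_RE.search(line)
        if rate:
            bucket = attackers if rate["role"] == "attacking" else targets
            bucket[rate["ip"]].append((int(rate["burst"]), int(rate["avg"])))
            continue
        shun = SHUN_RE.search(line)
        if shun:
            shunned.add(shun["ip"])
    return dict(attackers), dict(targets), shunned


def unshunned_attackers(log_text):
    """Attackers reported by 733101 with no matching 733102 shun message."""
    attackers, _, shunned = summarize(log_text)
    return sorted(set(attackers) - shunned)


if __name__ == "__main__":
    attackers, targets, shunned = summarize(SAMPLE_LOG)
    print("attackers:", attackers)
    print("targets:  ", targets)
    print("shunned:  ", sorted(shunned))
    print("detected but not shunned:", unshunned_attackers(SAMPLE_LOG))
```

A host that appears in 733101 as attacking but never in 733102 is worth checking against the configuration: either the shun keyword is not enabled or the address is covered by a "shun except" entry.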
