I have a question about the function of Basic Threat Detection on ASA 8.0.
I understand that the functions for mitigating/preventing network attacks/threats supported by the ASA are as follows:
1: Packet Filtering (ACL)
2: Stateful Inspection
3: Application Inspection
4: Basic Threat Detection
I think Basic Threat Detection just gathers and monitors the number of packets dropped due to potential attacks and sends a syslog message (730100/730101) if the specified object exceeds the specified burst/average threshold rate.
I mean that Basic Threat Detection does NOT perform appropriate action(s) against potential attacks, such as dropping packets, sending TCP RSTs and so on, as Packet Filtering, Stateful Inspection and Application Inspection do to mitigate/prevent potential network attacks.
Is my understanding correct?
Your information would be appreciated.
Yes, you are right!
Basic threat detection does not take any direct action on the traffic.
There are levels of drops that are acceptable. What this feature does is monitor the drop rate, and if any of them reaches levels that would indicate a threat, it sends a syslog to warn that something looks like an attack.
Hope this answers your question.
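To make the burst-versus-average distinction in the answer above concrete, here is an added example (written for this page, not code from the thread's participants or from Cisco) that simulates the rate-tracking part of basic threat detection over a constructed list of drop timestamps. It assumes the documented ASA rule that the burst window is 1/30 of the average-rate interval but never shorter than 10 seconds; the thresholds, the drop timestamps and the syslog-style wording are all made up for illustration. The point it demonstrates is the one the answer makes: the monitor only counts drops and emits alerts, it never drops, resets or otherwise touches traffic.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class RateAlert:
    second: int           # second at which the window first exceeded the threshold
    kind: str             # "burst" or "average"
    observed_rate: float  # drops per second over the window
    threshold: int        # configured drops per second


def count_drops_per_second(drop_times):
    """Bucket raw drop timestamps (seconds, possibly fractional) into per-second counts."""
    return Counter(int(t) for t in drop_times)


def evaluate_drop_rate(drop_times, rate_interval=600, average_rate=400, burst_rate=800):
    """Return the alerts a rate monitor would raise for these drops.

    Assumption (from the ASA documentation): the burst window is rate_interval / 30,
    with a floor of 10 seconds. Alerts are edge-triggered: one alert when a window
    first crosses its threshold, none again until the rate falls below and re-crosses.
    Nothing is dropped or reset; the only output is the list of alerts.
    """
    burst_interval = max(rate_interval // 30, 10)
    per_second = count_drops_per_second(drop_times)
    if not per_second:
        return []
    windows = {"burst": (burst_interval, burst_rate), "average": (rate_interval, average_rate)}
    exceeded = {kind: False for kind in windows}
    alerts = []
    for second in range(max(per_second) + 1):
        for kind, (width, threshold) in windows.items():
            # Sliding window covering the last `width` seconds, inclusive of this one.
            total = sum(per_second.get(s, 0) for s in range(second - width + 1, second + 1))
            rate = total / width
            if rate > threshold and not exceeded[kind]:
                alerts.append(RateAlert(second, kind, rate, threshold))
            exceeded[kind] = rate > threshold
    return alerts


def format_alert(alert):
    """Syslog-style line for an alert (wording is illustrative, not the real ASA message text)."""
    return (f"drop rate exceeded: {alert.kind} rate {alert.observed_rate:.1f}/s, "
            f"max configured rate {alert.threshold}/s")


# Constructed sample input: 200 drops/s for three seconds (t=5..7) then silence.
# With burst_rate=50 this trips the 10 s burst window, but 600 drops spread over the
# 60 s average window is only 10/s, below average_rate=20, so no average alert.
BURST_DROPS = [s for s in (5, 6, 7) for _ in range(200)]

# Constructed sample input: a slow, steady drip of 30 drops/s for 60 seconds.
# Never exceeds the burst threshold, but the 60 s average crosses 20/s at t=40.
DRIP_DROPS = [s for s in range(60) for _ in range(30)]


if __name__ == "__main__":
    for name, drops in (("burst", BURST_DROPS), ("drip", DRIP_DROPS)):
        print(f"{name}: {len(drops)} drops counted, none acted upon")
        for alert in evaluate_drop_rate(drops, rate_interval=60, average_rate=20, burst_rate=50):
            print("  ", format_alert(alert))
```

Run it and you will see one burst alert for the first input and one average alert for the second; in both cases the full set of drops is still counted, because, as the answer says, basic threat detection reports on drops that other mechanisms already made and adds no enforcement of its own.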