Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA 5505 Shunning help

I have read a few posts regarding shunning already.  I just don't feel like the ASA is shunning as much as I'd like it to.  In fact - it doesn't ever seem to shun anything unless I manually add it.

Running 8.3(2)13

My config looks like this:

Result of the command: "show run | include threat"

threat-detection rate syn-attack rate-interval 600 average-rate 30 burst-rate 45
no threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address x.x.x.x x.x.x.x
threat-detection scanning-threat shun except ip-address x.x.x.x x.x.x.x
threat-detection scanning-threat shun duration 18000
threat-detection statistics host
threat-detection statistics port number-of-rate 2
threat-detection statistics protocol number-of-rate 2
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

I am just looking for feedback or tips on what I should do to improve on this and begin to actually shun scans, etc.  What are others seeing and what do those configs look like?

Thanks.

Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Hi,You have to understand

Hi,

You have to understand that these values are actually the rate at which packets are dropped/denied on the ASA device due to policy check failures.

It will be different for every other network depending on the traffic passing through and different access/deny policies.

You can lower the values of these counters and check for which value you are seeing the correct SHUN behavior. This has to be done on hit and trial basis.

Thanks and Regards,

Vibhor Amrodia

6 REPLIES
Cisco Employee

Hi,You can actually fine tune

Hi,

You can actually fine tune the statistics on the ASA device.

You can check the default values using this command:-

show run all threat-detection

This would show you all the default counters values on the ASA device which ASA would use for shunning the IP on the ASA device.

Thanks and Regards,

Vibhor Amrodia

New Member

ok perfect.  That gives me

ok perfect.  That gives me this (I edited since previous post):

 show run all threat-detection
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate syn-attack rate-interval 600 average-rate 30 burst-rate 45
threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000
threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address x.x.x.x x.x.x.x
threat-detection scanning-threat shun except ip-address x.x.x.x x.x.x.x
threat-detection scanning-threat shun duration 18000
threat-detection statistics host number-of-rate 1
threat-detection statistics port number-of-rate 2
threat-detection statistics protocol number-of-rate 2
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

But I am wondering if these thresholds should/could be lower?  I see scanning in the logs that I would like to see shunned.  I know the firewall is working and blocking where appropriate, but I would like to shun these malicious IP address.

 

Cisco Employee

Hi,Yes , these values can be

Hi,

Yes , these values can be modified on the ASA device. The value depends on your requirement and your setup.

Thanks and Regards,

Vibhor Amrodia

New Member

Yes, that is what I am

Yes, that is what I am seeking help on.  I am looking for suggestions/tips on what to change these values to as these defaults are not effective enough.  Nothing is ever shunned unless I manually add an IP to shun.

Cisco Employee

Hi,You have to understand

Hi,

You have to understand that these values are actually the rate at which packets are dropped/denied on the ASA device due to policy check failures.

It will be different for every other network depending on the traffic passing through and different access/deny policies.

You can lower the values of these counters and check for which value you are seeing the correct SHUN behavior. This has to be done on hit and trial basis.

Thanks and Regards,

Vibhor Amrodia

New Member

Ok, I can accept that.  I was

Ok, I can accept that.  I was hoping for a working example but I see that may be useless to me anyway.

Thanks for your help Vibhor, it is much appreciated!

115
Views
5
Helpful
6
Replies
CreatePlease login to create content