Cisco Support Community
threat-detection & scanning-threat

First off, I see the ASA comes with a set of default threat-detection rules... Are these acceptable numbers for most? Or is it best to modify them?

I'm doing some testing with a single external host running all kinds of port scans and sweeps filling the syslogs with 106023 messages:

%PIX-4-106023: Deny tcp src outside:xxx.xxx.xxx.xxx/25363 dst outside:xxx.xxx.xxx.xxx/5909 by access-group "outside_acl" [0x0, 0x0]

When I run these scans, I'm seeing about 100 drops per second. What I don't understand is, why doesn't the ASA identify the external host as an attacker? And add them to a shun list?

I've modified the default threat-detection rules, but I can't for the life of me get the ASA to identify anything as an attacker (other than one internal host, once). Is this because the ASA is already denying the packets and it's irrelevant whether it's an attacker or not?

1 REPLY
Re: threat-detection & scanning-threat

The default threat detection rules are good for any user, and a few of them may require modification depending on the design and usage of the network. The ASA is not identifying the machine as a threat because it is coming from a trusted subnet. Try the same from an untrusted subnet and check the ASA response.

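Added example, not part of the original thread or of any Cisco code: a small Python model of the two-threshold check that the ASA's scanning-threat feature applies to ACL drops, run over constructed 106023 syslog lines that mimic the scan described in the question (about 100 drops per second from one external host). The thresholds used are the ASA defaults for scanning-threat (rate-interval 600, average-rate 5, burst-rate 10, where the burst rate is measured over a window of 1/30 of the rate interval, minimum 10 seconds); the sample IPs, timestamps and ports are made up, and the internals of the real feature are only approximated here. The point the numbers make: a 3-second scan at 100 drops/s exceeds the burst rate (300 drops in a 20-second window is 15/s) while staying far below the average rate (300 drops over 600 seconds is 0.5/s), so it is the burst threshold that would flag such a host, and a scan slower than roughly 10 drops/s sustained over the burst window would never trip the default. Note also that basic threat detection only counts and reports; a host is identified as an attacker (syslog 733101) only once "threat-detection scanning-threat" is configured, and it is shunned (syslog 733102, visible in "show threat-detection shun") only with the "shun" keyword added to that command.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ASA/PIX 106023 ACL-deny message with a leading "logging timestamp" prefix.
# Timestamp format assumed: "Jan 15 2012 10:00:01: %ASA-4-106023: Deny ..."
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): '
    r'%(?:ASA|PIX)-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_deny(line):
    """Return the fields of a 106023 deny line, or None if the line is something else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
        "proto": m["proto"],
        "src": m["sip"],
        "dst": m["dip"],
        "dport": int(m["dport"]),
        "acl": m["acl"],
    }


def _deny(ts, src, sport, dst, dport):
    """Build one constructed 106023 line in the format shown in the question."""
    return (f'{ts.strftime("%b %d %Y %H:%M:%S")}: %ASA-4-106023: Deny tcp '
            f'src outside:{src}/{sport} dst outside:{dst}/{dport} '
            f'by access-group "outside_acl" [0x0, 0x0]')


def build_sample_logs():
    """Constructed sample (not real traffic): a 3-second port scan at 100 drops/s
    from 203.0.113.5, plus three stray denies a minute apart from 198.51.100.7."""
    t0 = datetime(2012, 1, 15, 10, 0, 0)
    lines = []
    for i in range(300):
        ts = t0 + timedelta(seconds=i // 100)          # 100 denies in each second
        lines.append(_deny(ts, "203.0.113.5", 25000 + i, "192.0.2.10", 1 + i))
    for k in range(3):
        ts = t0 + timedelta(seconds=30 * k)
        lines.append(_deny(ts, "198.51.100.7", 40000 + k, "192.0.2.10", 445))
    return lines


def evaluate_sources(lines, rate_interval=600, average_rate=5, burst_rate=10):
    """Simplified model (assumption, not Cisco's implementation) of the scanning-threat
    rate check: average rate = drops / rate_interval seconds; burst rate = the most
    drops seen in any burst window (rate_interval/30 s, minimum 10 s) / window length.
    A source is flagged when either rate exceeds its configured threshold."""
    burst_window = max(rate_interval // 30, 10)
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_deny(line)
        if rec is not None:
            per_src[rec["src"]].append(rec["ts"])

    verdicts = {}
    for src, stamps in per_src.items():
        stamps.sort()
        avg = len(stamps) / rate_interval
        # Sliding window over sorted timestamps: peak count inside any burst_window span.
        peak, left = 0, 0
        for right, t in enumerate(stamps):
            while (t - stamps[left]).total_seconds() >= burst_window:
                left += 1
            peak = max(peak, right - left + 1)
        burst = peak / burst_window
        verdicts[src] = {
            "drops": len(stamps),
            "average_rate": avg,
            "burst_rate": burst,
            "attacker": avg > average_rate or burst > burst_rate,
        }
    return verdicts


if __name__ == "__main__":
    for src, v in evaluate_sources(build_sample_logs()).items():
        print(f'{src}: drops={v["drops"]} avg={v["average_rate"]:.2f}/s '
              f'burst={v["burst_rate"]:.2f}/s attacker={v["attacker"]}')
```

To compare the model against a live unit, "show threat-detection rate scanning-threat" shows the current and burst rates the ASA itself has measured, and "show threat-detection scanning-threat attacker" lists the hosts it has classified.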