Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

Threat-Detection Tuning - How do you tune yours?

I am very interested in tuning my ASA Threat-Detection configuration.  I desire for the device to shun addresses quicker for ACL failures and IP scanning.  Any advice would be most appreciated.

1 ACCEPTED SOLUTION

Accepted Solutions

Threat-Detection Tuning - How do you tune yours?

Hello,

So you will need to focus on this for the shunning purposes:

threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10

threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8

You are already using the minimunt amount of time for the scanning threat, so the only thing you can change is to try to use a lower burst-rate.

Rate if this helps.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
7 REPLIES

Re: Threat-Detection Tuning - How do you tune yours?

Hello Scott,

As I have understood, If you want to be able to shun  host based on threat-detection analisis you will need to use the  scanning threat detection as the other two ( basic and advanced threat  detection will only generate logs messages)

Configuration for the scanning:

- threat-detection scanning-threat

- threat-detection scanning-threat shun duration xxx ( How long the host will be shunned)

- threat-detection rate scanning-threat rate-interval 600 ( time where the ASA will inspect traffic looking for a scan or sweep)  average-rate 30  ( times ASA encounter a scan or sweep) burst-rate 10 ( times per second the scan happen)

As I told you the following command will generate a log, just that, it will not shun the host.

- threat-detection rate acl-drop rate-interval 600 ( time where  the ACL-Drop will be inspected) average-rate 30 ( Times ACL will drop  the packet) burst ( denys per second) 10

Let me know if I was clear enough

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Threat-Detection Tuning - How do you tune yours?

Hello Julio,

I have the following configuration and it does shun properly, i just want to tune it to shun faster.

threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400

threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320

threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400

threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320

threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800

threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640

threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400

threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320

threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400

threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320

threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10

threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8

no threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200

no threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160

threat-detection rate syn-attack rate-interval 600 average-rate 20 burst-rate 30

threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600

threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280

threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600

threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280

threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000

threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400

threat-detection basic-threat

threat-detection scanning-threat shun except ip-address 192.168.0.0 255.255.0.0

threat-detection scanning-threat shun duration 36000

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200 threat-detection rate dos-drop

Threat-Detection Tuning - How do you tune yours?

Hello,

So you will need to focus on this for the shunning purposes:

threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10

threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8

You are already using the minimunt amount of time for the scanning threat, so the only thing you can change is to try to use a lower burst-rate.

Rate if this helps.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Threat-Detection Tuning - How do you tune yours?

That was it!  Thanks Julio!

Threat-Detection Tuning - How do you tune yours?

Hello Scott,

My pleasure,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Threat-Detection Tuning - How do you tune yours?

Is there a significant performance hit when using 'scanning threat detection' and the shun feature as opposed to using only 'basic threat detection'?

I have a pair of ASA 5520's with ~100 users with a fair amount of traffic. My CPU usage is between 10 and 30% on average. I've been advised by some security experts to turn on the feature but I'm afraid to overlad the ASA's.

Thanks.

Threat-Detection Tuning - How do you tune yours?

Hello Blue,

It will increment a lot as all traffic will need to be deeply inspected. They will gather more information from all the statistics and they could even perform shunning but you can monitor how many CPU takes with the following command:

sh processes cpu-usage sorted non-zero

Any other question..Sure.. Just remember to rate all the helpful posts


Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
2155
Views
20
Helpful
7
Replies
CreatePlease to create content