Cisco Support Community
Community Member

What is the default action of CSA?

Hi all,

I am a newcomer to CSA. I have a few questions, as follows. Could you please clarify them for me?

1. If no rule matches the event, what action will take place? Allow or deny?

2. If the answer to the first question is allow, how can it protect the system against a zero-day attack?

Thanks so much,

Nitass

7 REPLIES
Silver

Re: What is the default action of CSA?

In case you have selected the box "TAKE PRECEDENCE OVER OTHER DENY RULES", then it will be Deny. Otherwise it will act according to the rules.

See figure 2-12 at URL: http://www.cisco.com/en/US/docs/security/csa/csa51/user_guide/Chap2.html

Regards,

Dharmesh Purohit

Community Member

Re: What is the default action of CSA?

Thanks for your reply. Could you please explain it to me in more detail?

My question is: when an event (from an agent) does not match any of the rules that I configured for that group, what action would it take? Is it allow or deny?

Thanks again,

Nitass

Blue

Re: What is the default action of CSA?

Can you provide an example of one of these events?

If there is an event reported by an agent, it is usually associated with a rule that is set to log.

Tom

Community Member

Re: What is the default action of CSA?

Thanks, Tom. I just imagined it.

I just want to know, in case the rules do not cover all the events, what action would it take? Would it allow or deny those events?

Thanks so much,

Nitass

Community Member

Re: What is the default action of CSA?

That's OK. I just found that the implicit action is allow.

Thanks again,

Nitass

Community Member

Re: What is the default action of CSA?

Nitass,

You are right that if no rules are triggered, CSA does not interfere with the application. But to answer the second half of your original question, CSA protects against zero-day attacks by monitoring behavior rather than signatures. In other words, it doesn't matter what the attack code looks like; it matters what it does. For example, if you get attacked by a new virus, you may not have a signature for your antivirus software to detect it. But if it tries to install a copy on your computer, attempts to install a rootkit, opens a port for listening, or scans for other vulnerable hosts, CSA will detect those actions and block them.

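As an added illustration (not part of the thread, and not Cisco's code), here is a toy behaviour-based host policy in Python that reproduces the points made in the reply above: an event that matches no rule falls through to an implicit allow, a monitor-only rule just logs, and behaviour such as copying itself into a Startup folder, loading a kernel driver, opening a listening port or probing many hosts is denied no matter what the binary looks like. The precedence order used (a deny flagged as taking precedence beats allow rules, then allow, then ordinary deny, then the implicit default) is an assumed reading of the "take precedence over other deny rules" checkbox mentioned earlier, not CSA's actual rule table, and every path, process name, rule name and event in the trace is constructed for the example.

```python
"""Toy behaviour-based host IPS policy (added illustration, not CSA's engine).

Assumed model: every event is checked against all rules; precedence is
high-priority deny > allow > deny > implicit default (allow); monitor rules only log.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

ALLOW, DENY, MONITOR = "allow", "deny", "monitor"


@dataclass(frozen=True)
class Event:
    process: str  # image path of the acting process
    action: str   # behaviour class: file_write, load_driver, net_listen, net_connect
    target: str   # file path, "tcp:<port>" or "host:<ip>"


@dataclass
class Rule:
    name: str
    matches: Callable[[Event], bool]
    verdict: str                        # ALLOW, DENY or MONITOR
    precedence_over_deny: bool = False  # assumed reading of the checkbox: this deny beats allow rules


@dataclass
class Decision:
    verdict: str
    rule: Optional[str]  # None when the implicit default action applied
    logged: List[str] = field(default_factory=list)


class HostScanDetector:
    """Stateful behaviour: one process connecting to many distinct hosts looks like a scan."""

    def __init__(self, threshold: int) -> None:
        self.threshold = threshold
        self.seen: Dict[str, Set[str]] = {}

    def __call__(self, ev: Event) -> bool:
        if ev.action != "net_connect" or not ev.target.startswith("host:"):
            return False
        hosts = self.seen.setdefault(ev.process, set())
        hosts.add(ev.target)
        return len(hosts) >= self.threshold


class BehaviourPolicy:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules

    def evaluate(self, ev: Event) -> Decision:
        hits = [r for r in self.rules if r.matches(ev)]
        logged = [r.name for r in hits if r.verdict == MONITOR]  # monitor rules never decide
        hp_deny = [r for r in hits if r.verdict == DENY and r.precedence_over_deny]
        allows = [r for r in hits if r.verdict == ALLOW]
        denies = [r for r in hits if r.verdict == DENY and not r.precedence_over_deny]
        for bucket in (hp_deny, allows, denies):
            if bucket:
                return Decision(bucket[0].verdict, bucket[0].name, logged)
        return Decision(ALLOW, None, logged)  # nothing decided: implicit allow


# Hypothetical paths used by the constructed rules and trace.
STARTUP = "\\Start Menu\\Programs\\Startup\\"
DRIVERS = "C:\\Windows\\System32\\drivers\\"
UPDATER = "C:\\Program Files\\Updater\\updater.exe"


def default_rules() -> List[Rule]:
    return [
        Rule("monitor: write under Downloads",
             lambda e: e.action == "file_write" and "\\Downloads\\" in e.target, MONITOR),
        Rule("allow: updater is trusted", lambda e: e.process == UPDATER, ALLOW),
        Rule("deny: copy into Startup folder",
             lambda e: e.action == "file_write" and STARTUP in e.target, DENY),
        Rule("deny: install kernel driver",
             lambda e: e.action == "load_driver" and e.target.startswith(DRIVERS),
             DENY, precedence_over_deny=True),
        Rule("deny: open listening port", lambda e: e.action == "net_listen", DENY),
        Rule("deny: host scan", HostScanDetector(threshold=3), DENY),
    ]


UNKNOWN = "C:\\Users\\nitass\\Downloads\\unknown.exe"  # a binary no signature exists for
SAMPLE_TRACE = [  # constructed trace, not captured data
    Event(UNKNOWN, "file_write", "C:\\Users\\nitass\\Downloads\\work.tmp"),
    Event(UNKNOWN, "file_write",
          "C:\\Users\\nitass\\AppData\\Roaming\\Microsoft\\Windows" + STARTUP + "unknown.exe"),
    Event(UNKNOWN, "load_driver", DRIVERS + "rk.sys"),
    Event(UNKNOWN, "net_listen", "tcp:4444"),
    Event(UNKNOWN, "net_connect", "host:10.0.0.2"),
    Event(UNKNOWN, "net_connect", "host:10.0.0.3"),
    Event(UNKNOWN, "net_connect", "host:10.0.0.4"),
    Event(UPDATER, "net_listen", "tcp:8080"),
    Event(UPDATER, "load_driver", DRIVERS + "evil.sys"),
]


def run_trace(events: List[Event] = SAMPLE_TRACE) -> List[Decision]:
    policy = BehaviourPolicy(default_rules())  # fresh scan-detector state per run
    return [policy.evaluate(ev) for ev in events]


if __name__ == "__main__":
    for ev, d in zip(SAMPLE_TRACE, run_trace()):
        print(f"{d.verdict:5} {ev.action:12} {ev.target:60} <- {d.rule or 'implicit default'}")
```

The first write is allowed with `rule=None` but still shows up in the log through the monitor rule, which is the "event associated with a rule set to log" case raised earlier in the thread; the unknown binary is then stopped on its third distinct connection attempt, its Startup copy, its driver load and its listener without any signature being consulted, while the trusted updater is allowed to listen but still blocked from loading a driver because that deny is flagged to take precedence over allow rules.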
Community Member

Re: What is the default action of CSA?

Many thanks. It is exactly what I was looking for.

Thanks again,

Nitass
