Cisco Support Community
New Member

How to configure FWSM to prevent malicious scanning

Recently there have been some malicious attempts at scanning our corporate network to detect vulnerabilities (open ports) for attack, and while the ACL was doing its job of blocking them off, the level and intensity of the scanning actually caused a hiccup in the FWSM. I was looking at configuring a policy map and class map to put in measures to prevent SYN flood or IP spoofing, or to set connection limits, as follows:

! Define the object group before the ACL that references it
! (m.m.m.m is a placeholder for the subnet mask; the original post omits it)
object-group network colo_address_space
 network-object x.x.x.x m.m.m.m

! Match traffic from any source to the colo address space
access-list network_moat remark Monitors Session connections
access-list network_moat permit ip any object-group colo_address_space

class-map network_moat
 match access-list network_moat

policy-map network_moat
 class network_moat
  set connection timeout embryonic 0:00:05
  set connection timeout half-closed 0:01:00
  set connection timeout idle 0:30:00

service-policy network_moat interface outside

ip verify reverse-path interface outside


But without having a maximum number of connections (simultaneous TCP or UDP connections) or having a conn-rate-limit to control the number of TCP or UDP connections per second, I don't know if I can stop that scanning again. Please advise on how I should set a good maximum number of connections or set a connection rate limit to prevent scanning. Thanks.
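As an added example (not part of the original post or any reply), the following shows how connection limits can be added to the same class using the set connection keywords of the Modular Policy Framework. The numeric values are illustrative placeholders, not tuned recommendations, and the per-client keywords assume a FWSM release that supports them; check the command reference for your release.

```cisco
! Added example, not the poster's configuration. Limit values are
! placeholders chosen to show the syntax, not recommendations.
policy-map network_moat
 class network_moat
  ! Cap the total and the half-open (embryonic) connections toward the
  ! colo address space across all clients
  set connection conn-max 10000 embryonic-conn-max 1000
  ! Cap what any single source address may hold open; a scanner or SYN
  ! flooder from one host hits this limit without affecting other clients
  set connection per-client-max 100 per-client-embryonic-max 20
  ! Keep the existing timeouts so half-open sessions age out quickly
  set connection timeout embryonic 0:00:05
  set connection timeout half-closed 0:01:00
  set connection timeout idle 0:30:00
```

Once the embryonic limit is reached the firewall answers new SYNs on behalf of the protected hosts (TCP intercept), so the servers never see the unfinished handshakes. To size the limits, watch the baseline first: show conn count gives the current total, and show service-policy interface outside reports per-class counters, including how many connections the limits have dropped, which is also the place to confirm the policy is actually matching the scan traffic.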
