18-8
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 18 Threat Detection
Monitoring Threat Detection
If you already configured this command as part of the basic threat detection configuration, then those
settings are shared with the scanning threat detection feature; you cannot configure separate rates for
basic and scanning threat detection. If you do not set the rates using this command, the default values
are used for both the scanning threat detection feature and the basic threat detection feature. You can
configure up to three different rate intervals, by entering separate commands.
Monitoring Threat Detection
The following topics explain how to monitor threat detection and view traffic statistics.
•
Monitoring Basic Threat Detection Statistics, page 18-8
•
Monitoring Advanced Threat Detection Statistics, page 18-9
•
Evaluating Host Threat Detection Statistics, page 18-10
•
Monitoring Shunned Hosts, Attackers, and Targets, page 18-12
Monitoring Basic Threat Detection Statistics
To display basic threat detection statistics, use the following command:
show
threat-detection rate
[
min-display-rate
min_display_rate
]
[
acl-drop
|
bad-packet-drop
|
conn-limit-drop
|
dos-drop
|
fw-drop
|
icmp-drop
|
inspect-drop
|
interface-drop
|
scanning-threat
|
syn-attack
]
The
min-display-rate
min_display_rate
argument limits the display to statistics that exceed the
minimum display rate in events per second. You can set the
min_display_rate
between 0 and
2147483647.
The other arguments let you limit the display to specific categories. For a description of each event type,
see
Basic Threat Detection Statistics, page 18-2
The output shows the average rate in events/sec over two fixed time periods: the last 10 minutes and the
last 1 hour. It also shows: the current burst rate in events/sec over the last completed burst interval, which
is 1/30th of the average rate interval or 10 seconds, whichever is larger; the number of times the rates
were exceeded (triggered); and the total number of events over the time periods.
The ASA stores the count at the end of each burst period, for a total of 30 completed burst intervals. The
unfinished burst interval presently occurring is not included in the average rate. For example, if the
average rate interval is 20 minutes, then the burst interval is 20 seconds. If the last burst interval was
from 3:00:00 to 3:00:20, and you use the
show
command at 3:00:25, then the last 5 seconds are not
included in the output.
The only exception to this rule is if the number of events in the unfinished burst interval already exceeds
the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case,
the ASA calculates the total events as the last 29 complete intervals, plus the events so far in the
unfinished burst interval. This exception lets you monitor a large increase in events in real time.
You can clear statistics using the
clear threat-detection rate
command.
The following is sample output from the
show threat-detection rate
command:
hostname#
show threat-detection rate
Average(eps) Current(eps) Trigger Total events
10-min ACL drop: 0 0 0 16
Содержание ASA 5508-X
Страница 11: ...P A R T 1 Access Control ...
Страница 12: ......
Страница 60: ...4 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Access Rules History for Access Rules ...
Страница 157: ...P A R T 2 Network Address Translation ...
Страница 158: ......
Страница 204: ...9 46 Cisco ASA Series Firewall CLI Configuration Guide Chapter 9 Network Address Translation NAT History for NAT ...
Страница 232: ...10 28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 NAT Examples and Reference DNS and NAT ...
Страница 233: ...P A R T 3 Service Policies and Application Inspection ...
Страница 234: ......
Страница 379: ...P A R T 4 Connection Management and Threat Detection ...
Страница 380: ......
Страница 400: ...16 20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Connection Settings History for Connection Settings ...
Страница 414: ...17 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Quality of Service History for QoS ...