15-2
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 15 Threat Detection
Detecting Threats
Basic Threat Detection Statistics
Using basic threat detection statistics, the ASA monitors the rate of dropped packets and security events due to the following reasons:
• Denial by ACLs.
• Bad packet format (such as invalid-ip-header or invalid-tcp-hdr-length).
• Connection limits exceeded (both system-wide resource limits, and limits set in the configuration).
• DoS attack detected (such as an invalid SPI, Stateful Firewall check failure).
• Basic firewall checks failed. This option is a combined rate that includes all firewall-related packet drops in this list. It does not include non-firewall-related drops such as interface overload, packets failed at application inspection, and scanning attack detected.
• Suspicious ICMP packets detected.
• Packets failed application inspection.
• Interface overload.
• Scanning attack detected. This option monitors scanning attacks; for example, the first TCP packet is not a SYN packet, or the TCP connection failed the 3-way handshake. Full scanning threat detection takes this scanning attack rate information and acts on it by classifying hosts as attackers and automatically shunning them, for example.
• Incomplete session detection such as TCP SYN attack detected or no data UDP session attack detected.
When the ASA detects a threat, it immediately sends a system log message (733100). The ASA tracks
two types of rates: the average event rate over an interval, and the burst event rate over a shorter burst
interval. The burst rate interval is 1/30th of the average rate interval or 10 seconds, whichever is higher.
For each received event, the ASA checks the average and burst rate limits; if both rates are exceeded,
then the ASA sends two separate system messages, with a maximum of one message for each rate type
per burst period.
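The rate logic described above, as an added illustrative model (not Cisco's implementation and not code from this guide): events are counted over the average rate interval, the burst interval is the larger of 1/30th of that interval and 10 seconds, both limits are checked on every event, and each rate type is reported at most once per burst period. The thresholds, the one-drop-per-second event stream and the message text are constructed for the example.

```python
# Added illustrative model of the basic threat-detection rate logic described
# above (not Cisco's implementation): average rate over a rate interval, burst
# rate over max(interval/30, 10 s), one message per rate type per burst period.
from collections import deque


def burst_interval(avg_interval: int) -> int:
    """Burst interval is 1/30th of the average rate interval or 10 s, whichever is higher."""
    return max(avg_interval // 30, 10)


class DropRateTracker:
    def __init__(self, avg_interval: int, avg_limit: float, burst_limit: float):
        self.avg_interval = avg_interval          # seconds the average rate is measured over
        self.burst_interval = burst_interval(avg_interval)
        self.limits = {"average": avg_limit, "burst": burst_limit}  # events per second
        self.events = deque()                      # timestamps inside the average interval
        self.last_period = {}                      # rate type -> burst period already reported

    def record(self, ts: float) -> list:
        """Record one drop event at time ts (seconds) and return the messages it triggers.
        The message text is a constructed stand-in, not the real 733100 syslog format."""
        self.events.append(ts)
        while self.events[0] <= ts - self.avg_interval:   # age out events beyond the interval
            self.events.popleft()
        rates = {
            "average": len(self.events) / self.avg_interval,
            "burst": sum(1 for t in self.events if t > ts - self.burst_interval) / self.burst_interval,
        }
        period = int(ts // self.burst_interval)
        msgs = []
        for kind, rate in rates.items():
            # Both limits are checked on every event; if both are exceeded two separate
            # messages result, but each rate type is reported at most once per burst period.
            if rate > self.limits[kind] and self.last_period.get(kind) != period:
                self.last_period[kind] = period
                msgs.append((ts, kind, f"733100-like: {kind} rate {rate:.3f}/s exceeds {self.limits[kind]}/s"))
        return msgs


def simulate(n_events: int = 40):
    """Constructed stream: one ACL drop per second for n_events seconds; rate interval 600 s
    (so the burst interval is 20 s), average limit 0.05/s (30 per 600 s), burst limit 0.5/s
    (10 per 20 s). Returns (timestamp, rate type) for every message emitted."""
    tracker = DropRateTracker(avg_interval=600, avg_limit=0.05, burst_limit=0.5)
    reported = []
    for ts in range(n_events):
        reported.extend(tracker.record(ts))
    return [(ts, kind) for ts, kind, _ in reported]


if __name__ == "__main__":
    for ts, kind in simulate():
        print(f"t={ts:>3}s  {kind} rate message")
```

With the constructed stream, the burst limit is reported at t=10 s and again in the next burst period at t=20 s, while the average limit is reported once at t=30 s; the remaining events in each period are suppressed.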
Basic threat detection affects performance only when there are drops or potential threats; even in this
scenario, the performance impact is insignificant.
Advanced Threat Detection Statistics
Advanced threat detection statistics show both allowed and dropped traffic rates for individual objects
such as hosts, ports, protocols, or ACLs.
Caution: Enabling advanced statistics can affect the ASA performance, depending on the type of statistics enabled. The threat-detection statistics host command affects performance in a significant way; if you have a high traffic load, you might consider enabling this type of statistics temporarily. The threat-detection statistics port command, however, has modest impact.