- ASA Threat Detection Feature Overview
- Threat Detection Default Settings
- ASA Threat Detection Configuration
- Scanning Threat Detection Configuration
ASA Threat Detection Configuration
As stated previously, basic threat detection is enabled by default and thus requires no additional configuration. However, it is possible to change the default rate settings. The process to alter these settings is shown in Table 3.
Table 3: Basic ASA Threat Detection Default Rate Configuration
1 |
Enter privileged EXEC mode. |
asa>enable |
2 |
Enter global configuration mode. |
asa#configure terminal |
3 |
Configure Basic Threat Detection. Note: This is needed only if it was manually disabled before because it is enabled by default. |
asa(config)#threat-detection basic-threat |
4 |
Alter the default threat detection settings (optional). Note: The rate-interval, average-rate, and burst-rate parameters are entered in seconds. Up to three different rate intervals can be configured for each event type. |
asa(config)#threat-detection rate {acl-drop | bad-packet-drop | conn-limit-drop | dos-drop | fw-drop | icmp-drop | inspect-drop | interface-drop | scanning-threat | syn-attack} rate-interval rate-interval average-rate average-rate burst-rate burst-rate |
On top of basic threat detection, advanced threat detection can be enabled. Be very careful when configuring advanced threat detection because it can quickly affect the performance of the appliance.
There are a couple of different commands that can be used to configure advanced threat detection. When enabled globally, advanced ACL statistics are automatically enabled. The process to enable and configure advanced threat detection is shown in Table 4.
Table 4: Advanced ASA Threat Detection Configuration
1 |
Enter privileged EXEC mode. |
asa>enable |
2 |
Enter global configuration mode. |
asa#configure terminal |
3 |
Enable advanced threat detection. |
asa(config)#threat-detection statistics |
4 |
Enable advanced ACL statistics. Note: This is needed only if it was manually disabled before as it is enabled by default. |
asa(config)#threat-detection statistics access-list |
|
OR |
|
4 |
Enable advanced host, port, or protocol statistics. By default, the rate interval parameter (number-of-rate) is set to 1. This is the lowest memory use setting; use the higher settings for lower statistical rate intervals. |
asa(config)#threat-detection statistics {host | port | protocol} [number-of-rate {1 | 2 | 3}] |
|
OR |
|
4 |
Enable advanced statistics for attacks intercepted by TCP Intercept. Note: The specifics of TCP Intercept are not covered in this article. This command is shown to be complete. |
asa(config)#threat-detection statistics tcp-intercept [rate-interval minutes] [burst-rate attacks-per-second] [average-rate attacks-per-second] |
There are a number of different threat detection display commands that exist. To keep the size of this article from getting too large, the specifics of these commands are omitted. However, the stem for all of them is show threat-detection with the rate parameter (show threat-detection rate) being used to display basic threat detection information and the statistics parameter being used to display advanced threat detection information.