An ASA can be configured to operate in transparent firewall mode, such that it appears to operate as a Layer 2 device, without becoming a router hop or a gateway to its connected networks. This is also known as a Layer 2 firewall or a stealth firewall, because the ASA's interfaces have no assigned IP addresses and cannot be detected or manipulated. Only a single management address is used for traffic sourced by the transparent firewall itself or destined for a management session.
As a Layer 2 device, an ASA in transparent firewall mode can be installed or wedged into an existing network, separating the inside and outside without changing any IP address. This is commonly called a "bump-in-the-wire" because the ASA doesn't break or segment the IP subnet along a wire but instead more or less becomes part of the wire. This makes a new installation straightforward.
You can also think of a transparent mode firewall as a type of transparent bridge, where packets are bridged from one interface to another based only on their MAC addresses. The ASA must maintain a MAC address table of the source address learned in each received packet, along with the interface on which the packet arrived. Once a MAC address has been learned, the ASA is able to forward a packet to that address by knowing the location or the egress interface where that same address has been active before.
Comparison of the Routed and Transparent Firewall Modes
Routed Firewall Mode
* Use only when IP packets are to be inspected.
* Network readdressing is necessary across the ASA.
* All interfaces can be used.
* All ASA interfaces are available.
Transparent Firewall Mode
* Use when non-IP packets must be forwarded.
* Network readdressing is not necessary.
* Only 2-4 interfaces can be used per bridge group.
* The following features are not available:
- Dynamic routing protocols
- Dynamic DNS
- DHCP Relay
- Multicast IP routing
- Quality of service
- VPN termination for transit traffic
Configuring Transparent Firewall Mode
Before you begin configuring transparent firewall mode, you should verify which mode is currently in use. You can do that with the show firewall EXEC command. By default, the ASA runs in routed (or "router") mode.
ciscoasa# show firewall
Firewall mode: Router
You can enable transparent firewall mode with the following command:
ciscoasa(config)# firewall ?
configure mode commands/options:
transparent Switch to transparent mode
ciscoasa(config)# firewall transparent
ERROR: Password recovery was not changed, unable to access
the configuration register.
COREDUMP UPDATE: open message queue fail: No such file or directory/2
Transparent firewall mode begins immediately and doesn't require a reload; however, because transparent and routed firewall modes use different approaches to network security, the running configuration will be cleared as soon as transparent mode begins. The idea is to enter transparent firewall mode and build an appropriate configuration from scratch.
For that reason, you should save the routed firewall mode running configuration to flash memory or to an external server before enabling transparent firewall mode. That way, you will have a copy of the configuration in case you need to revert to routed firewall mode or refer to some portion of that configuration. Because the configuration is cleared, ASDM does not offer any way to change the firewall mode.
Next, you will need to set aside ASA interfaces and configure them for transparent firewall use. For ASA release 8.4(1) or later, you can configure up to four interfaces as part of a bridge group. With earlier releases, you must use exactly two interfaces - one interface will face the "outside," less secure part of the network, while the other will face the "inside," more secure area.
Configure the interfaces exactly as you would with routed firewall mode, with the exception of any IP addresses, by supplying the following parameters:
* Interface speed and duplex mode
* Interface name
* Security level
* Bridge group number (ASA release 8.4(1) and later)
In ASDM, navigate to Configuration > Device Setup > Interfaces, select an interface, and click Edit.
If you choose to configure interfaces with the CLI instead, you can use the nameif, security-level, and bridge-group interface configuration commands.
ciscoasa(config)# interface gigabitethernet0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# bridge-group ?
interface mode commands/options:
<1-100> Group number of this interface
ciscoasa(config-if)# bridge-group 1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface gigabitethernet1
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# bridge-group 1
ciscoasa(config-if)# no shutdown
Next, assign a single IP address to each bridge group as a whole. This address will be used for management traffic, such as Telnet, SSH, HTTP, SNMP, syslog, TFTP, FTP, and so on. If you configure the ASA for multiple context mode, you should configure one IP address for each bridge group on each security context, including the admin context. From the interface list in ASDM, select Add and choose Bridge Virtual Interface (BVI).
ciscoasa(config-if)# interface ?
configure mode commands/options:
BVI Bridge-Group Virtual Interface
GigabitEthernet GigabitEthernet IEEE 802.3z
Port-channel Ethernet Channel of interfaces
Redundant Redundant Interface
<cr>
ciscoasa(config-if)# interface bvi ?
configure mode commands/options:
<1-100> BVI interface number
ciscoasa(config-if)# interface bvi 1
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
Saturday, November 23, 2013
Saturday, November 9, 2013
Detecting and Filtering Botnet Traffic on an ASA
In a botnet attack, hosts on the private side of an ASA become infected with malware. Each of the infected hosts tries to contact a botnet control server located somewhere on the public Internet to receive further instructions. The control server is then able to remotely control many infected hosts and align them in a coordinated attack against other resources.
Because the infected hosts are located on a secure side of the ASA, they are likely to be free to open outbound connections just like any other protected host. You can leverage the Cisco ASA Botnet Traffic Filter feature to detect botnet activity and prevent infected hosts from contacting their control servers.
When the Botnet Traffic Filter is enabled, an ASA maintains two reputation databases:
* A dynamic SensorBase database that is downloaded periodically from Cisco, which contains information about known botnet control servers.
* A static database that you can populate, which can contain a "whitelist" of known good IP addresses and domain names or a "blacklist" of known bad servers.
The Botnet Traffic Filter feature is dependent upon four things:
* A Botnet Traffic Filter license purchased from Cisco and installed on the ASA
* A DNS server, which the ASA uses to look up names and addresses in the static database
* Botnet Traffic Filter DNS snooping, which enables the ASA to intercept DNS queries from infected hosts and match against hostnames it finds in the databases
* Live connectivity to the Internet, so that the Botnet Traffic Filter feature can communicate with Cisco
Before you begin configuring Botnet Traffic Filtering, verify that the feature license has been enabled. You can use the show version command to see a list of ASA features and their license status. Make sure Botnet Traffic Filter is listed as Enabled.
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 8.4(2)
Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"
ciscoasa up 11 mins 39 secs
Hardware: ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB
0: Ext: GigabitEthernet0 : address is 00ab.cd92.5200, irq 0
1: Ext: GigabitEthernet1 : address is 0000.abf1.d701, irq 0
2: Ext: GigabitEthernet2 : address is 0000.ab9a.0e02, irq 0
3: Ext: GigabitEthernet3 : address is 0000.ab64.2f03, irq 0
4: Ext: GigabitEthernet4 : address is 0000.ab84.7804, irq 0
5: Ext: GigabitEthernet5 : address is 0000.abfa.5105, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 5 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 25 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 0 perpetual
Shared License : Enabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
UC Phone Proxy Sessions : 10 perpetual
Total UC Proxy Sessions : 10 perpetual
Botnet Traffic Filter : Enabled perpetual
Intercompany Media Engine : Enabled perpetual
This platform has an ASA 5520 VPN Plus license.
Use the following steps to configure botnet traffic filtering:
Step 1: Configure the dynamic database.
Step 2: Configure the static database.
Step 3: Enable DNS snooping.
Step 4: Enable the Botnet Traffic Filter.
ciscoasa(config)# dynamic-filter ?
configure mode commands/options:
ambiguous-is-black Handle (ambiguous) greylist matched traffic as blacklist
for Dynamic Filter drop
blacklist Configure Dynamic Filter blacklist
drop Enable traffic drop based on Dynamic Filter traffic
classification
enable Enable Dynamic Filter classification
updater-client Configure Dynamic Filter updater client
use-database Use Dynamic Filter data downloaded from updater-server
whitelist Configure Dynamic Filter whitelist
exec mode commands/options:
database Dynamic Filter data commands
ciscoasa(config)# dynamic-filter updater-client ?
configure mode commands/options:
enable Enable Dynamic Filter updater client
ciscoasa(config)# dynamic-filter updater-client enable
WARNING: Can't resolve update-manifests.ironport.com, make sure dns nameserver is configured // CISCO'S DYNAMIC DATABASE UPDATE
ciscoasa(config)# dynamic-filter use-database
ciscoasa(config)# dns ? // CONFIGURE DNS AS PER ERROR GIVEN
configure mode commands/options:
domain-lookup Enable/Disable DNS host-to-address translation
expire-entry-timer Specify DNS entry expire timer
name-server Specify DNS servers
poll-timer Specify dns update interval
retries Configure DNS retries
server-group Configure a DNS server group
timeout Configure DNS query timeout
ciscoasa(config)# dns domain-lookup outside
ciscoasa(config)# dns server-group MY-DNS-GROUP
ciscoasa(config-dns-server-group)# ?
DNS server group commands:
domain-name Domain name to append to DNS queries for this server group
name-server Specify DNS servers
no Remove a server-group command or set to its default
retries DNS retries
timeout DNS query timeout
ciscoasa(config-dns-server-group)# name-server 4.2.2.2
ciscoasa(config)# dynamic-filter blacklist
ciscoasa(config-llist)# ?
Dynamic Filter list configuration
address Add IP address to local list
name Add domain name to local list
no Negate a command
ciscoasa(config-llist)# name ?
dynamic-filter-list mode commands/options:
WORD < 256 char Enter domain name
configure mode commands/options:
A.B.C.D The IPv4 address of the host/network being named
X:X:X:X::X The IPv6 address of the host/network being named
ciscoasa(config-llist)# name www.badsite.com
ciscoasa(config-llist)#exit
ciscoasa(config)# dynamic-filter whitelist
ciscoasa(config-llist)# name www.goodsite.com
ciscoasa(config-llist)#exit
ciscoasa(config)# policy-map ?
configure mode commands/options:
type Specifies the type of policy-map
Policy-map names:
global_policy
WORD < 41 char New policy-map name
ciscoasa(config-pmap)# policy-map global_policy
ciscoasa(config-pmap)# class ?
mpf-policy-map mode commands/options:
WORD class-map name
class-default System default class matching otherwise unclassified packets
configure mode commands/options:
WORD < 41 char class-map name
type Specifies the type of class-map
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# ?
MPF policy-map class configuration commands:
exit Exit from MPF class action configuration mode
help Help for MPF policy-map class/match submode commands
no Negate or set default values of a command
police Rate limit traffic for this class
priority Strict scheduling priority for this class
quit Exit from MPF class action configuration mode
service-policy Configure QoS Service Policy
set Set connection values
shape Traffic Shaping
user-statistics configure user statistics for identity firewall
<cr>
csc Content Security and Control service module
flow-export Configure filters for NetFlow events
inspect Protocol inspection services
ips Intrusion prevention services
ciscoasa(config-pmap-c)# inspect ?
mpf-policy-map-class mode commands/options:
ctiqbe
dcerpc
dns
esmtp
ftp
gtp
h323
http
icmp
ils
im
ip-options
ipsec-pass-thru
ipv6
mgcp
mmp
netbios
pptp
rsh
rtsp
sip
skinny
snmp
ciscoasa(config-pmap-c)# inspect dns ?
mpf-policy-map-class mode commands/options:
WORD < 41 char Optional DNS type policy-map name
dynamic-filter-snoop Enable DNS snooping for Dynamic Filter
<cr>
ciscoasa(config-pmap-c)# inspect dns preset_dns_map ?
mpf-policy-map-class mode commands/options:
dynamic-filter-snoop Enable DNS snooping for Dynamic Filter
<cr>
ciscoasa(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoop
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
ciscoasa(config)# dynamic-filter enable ?
configure mode commands/options:
classify-list Set the access-list for classification
interface Enable classification on an interface
<cr>
ciscoasa(config)# dynamic-filter enable interface ?
configure mode commands/options:
Current available interface(s):
inside Name of interface GigabitEthernet0
outside Name of interface GigabitEthernet1
ciscoasa(config)# dynamic-filter enable interface outside?
configure mode commands/options:
classify-list Set the access-list for classification
<cr>
ciscoasa(config)# dynamic-filter enable interface outside classify-list ?
configure mode commands/options:
WORD Specify the name of an access-list
ciscoasa(config)# dynamic-filter enable interface outside classify-list BOTNET_ACL
ciscoasa(config)# dynamic-filter drop ?
configure mode commands/options:
blacklist Drop traffic matching blacklist
ciscoasa(config)# dynamic-filter drop blacklist ?
configure mode commands/options:
action-classify-list Set the access-list for drop
interface Enable drop on an interface
threat-level Set the threat-level for drop
<cr>
ciscoasa(config)# dynamic-filter drop blacklist interface ?
configure mode commands/options:
Current available interface(s):
inside Name of interface GigabitEthernet0
outside Name of interface GigabitEthernet1
ciscoasa(config)# dynamic-filter drop blacklist interface outside ?
configure mode commands/options:
action-classify-list Set the access-list for drop
threat-level Set the threat-level for drop
<cr>
ciscoasa(config)# dynamic-filter drop blacklist interface outside action-classify-list ?
configure mode commands/options:
WORD Specify the name of an access-list
ciscoasa(config)# dynamic-filter drop blacklist interface outside action-classify-list BOTNET_ACL ?
configure mode commands/options:
threat-level Set the threat-level for drop
<cr>
ciscoasa(config)# dynamic-filter drop blacklist interface outside action-classify-list BOTNET_ACL threat-level ?
configure mode commands/options:
eq Threat-level equal to operator
range Threat-level range operator
ciscoasa(config)# dynamic-filter drop blacklist interface outside action-classify-list BOTNET_ACL threat-level eq ?
configure mode commands/options:
high high threat
low Low threat
moderate moderate threat
very-high Highest threat
very-low lowest threat
ciscoasa(config)# dynamic-filter drop blacklist interface outside action-classify-list BOTNET_ACL threat-level eq very-high
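The decision path configured above, modelled in Python as an added example (this is not ASA code or Cisco's implementation): DNS snooping fills an address-to-name cache, the static whitelist and blacklist and a constructed dynamic database are consulted, and only blacklisted connections from hosts covered by the classify-list ACL whose rating matches "threat-level eq very-high" are dropped. Whitelist precedence and the very-high rating of static blacklist entries are modelling assumptions, and every domain, address and threat level below is constructed.

```python
"""Model of the ASA Botnet Traffic Filter decision path (added example, not ASA code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Ordering of the threat-level keywords offered by the CLI.
THREAT_RANK = {"very-low": 0, "low": 1, "moderate": 2, "high": 3, "very-high": 4}


@dataclass
class BotnetTrafficFilter:
    # Static database (dynamic-filter blacklist / whitelist): names or addresses.
    blacklist: Set[str] = field(default_factory=set)
    whitelist: Set[str] = field(default_factory=set)
    # Dynamic SensorBase-style database: domain -> threat level (constructed sample).
    dynamic_db: Dict[str, str] = field(default_factory=dict)
    # classify-list ACL (BOTNET_ACL), simplified to the inside source hosts it permits.
    classify_list: Set[str] = field(default_factory=set)
    # 'threat-level eq <level>' from the drop rule; only exactly this level is dropped.
    drop_level: str = "very-high"
    # DNS snooping cache: resolved address -> queried name.
    snoop_cache: Dict[str, str] = field(default_factory=dict)

    def snoop_dns_reply(self, qname: str, answers) -> None:
        """Record each A record seen in a DNS reply (inspect dns ... dynamic-filter-snoop)."""
        for addr in answers:
            self.snoop_cache[addr] = qname.lower().rstrip(".")

    def classify(self, dst_ip: str) -> Tuple[str, Optional[str]]:
        """Return (verdict, threat_level); verdict is 'whitelist', 'blacklist' or 'none'.

        Lookups are made by address and, when snooping saw a reply for it, by name.
        """
        keys = {dst_ip}
        name = self.snoop_cache.get(dst_ip)
        if name:
            keys.add(name)
        if keys & self.whitelist:          # assumption: whitelist wins over any blacklist
            return "whitelist", None
        if keys & self.blacklist:          # assumption: static blacklist rates very-high
            return "blacklist", "very-high"
        if name and name in self.dynamic_db:
            return "blacklist", self.dynamic_db[name]
        return "none", None

    def action(self, src_ip: str, dst_ip: str) -> str:
        """Decide what happens to one outbound connection: permit, log or drop."""
        if src_ip not in self.classify_list:
            return "permit"                # not matched by BOTNET_ACL: never classified
        verdict, level = self.classify(dst_ip)
        if verdict != "blacklist":
            return "permit"
        if THREAT_RANK[level] == THREAT_RANK[self.drop_level]:
            return "drop"                  # dynamic-filter drop blacklist ... eq very-high
        return "log"                       # classified and logged, but not dropped


def build_demo() -> BotnetTrafficFilter:
    """Filter loaded with the static entries from the page plus constructed sample data."""
    f = BotnetTrafficFilter(
        blacklist={"www.badsite.com"},
        whitelist={"www.goodsite.com"},
        dynamic_db={"c2.example.net": "very-high", "ads.example.org": "moderate"},
        classify_list={"10.1.1.20", "10.1.1.21"},
    )
    # Constructed DNS replies as the ASA would see them passing through inspect dns.
    f.snoop_dns_reply("www.badsite.com", ["203.0.113.10"])
    f.snoop_dns_reply("www.goodsite.com", ["203.0.113.20"])
    f.snoop_dns_reply("c2.example.net", ["198.51.100.5"])
    f.snoop_dns_reply("ads.example.org", ["198.51.100.6"])
    return f


if __name__ == "__main__":
    demo = build_demo()
    for src, dst in [("10.1.1.20", "203.0.113.10"), ("10.1.1.20", "203.0.113.20"),
                     ("10.1.1.21", "198.51.100.5"), ("10.1.1.21", "198.51.100.6"),
                     ("10.1.1.99", "198.51.100.5")]:
        print(f"{src} -> {dst}: {demo.action(src, dst)}")
```

The fourth connection shows the effect of "eq": a moderate-rated destination is classified and logged but never dropped, so a practitioner who wants broader blocking must widen the threat-level match rather than rely on the blacklist alone.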