I was asked to migrate a customer that's using Websense URL filtering and the Botnet feature to an ASA context. I installed a Botnet license (1-year license) on our ASA firewalls and I'm glad to know this feature works. I believe Cisco is now moving towards a new approach with Advanced Malware Protection (AMP) on their next-gen ASA firewalls (5500-X series) and next-gen IPS (FirePower).
Botnet config:
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 10 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Enabled 168 days
Intercompany Media Engine : Disabled perpetual
IPS Module : Disabled perpetual
This platform has an ASA5525 VPN Premium license.
Serial Number: FCH18087ABC
Running Permanent Activation Key: 0xc22ecd45 0x78ac555a 0xa9637128 0xfe9838f8 0x0e15edef
Running Timebased Activation Key: 0x9c1876cf 0x49ca6c5e 0xc949bb03 0xdbf386df 0x847c2123
Configuration register is 0x1
ciscoasa/CUST(config)# dynamic-filter ?
configure mode commands/options:
ambiguous-is-black Handle (ambiguous) greylist matched traffic as blacklist
for Dynamic Filter drop
blacklist Configure Dynamic Filter blacklist
drop Enable traffic drop based on Dynamic Filter traffic
classification
enable Enable Dynamic Filter classification
use-database Use Dynamic Filter data downloaded from updater-server
whitelist Configure Dynamic Filter whitelist
exec mode commands/options:
database Dynamic Filter data commands
ciscoasa/CUST(config)# dynamic-filter use-database ?
configure mode commands/options:
<cr>
ciscoasa/CUST(config)# dynamic-filter use-database
ciscoasa/CUST(config)# access-list DYNAMIC-FILTER-ACL extended permit ip any any
ciscoasa/CUST(config)# dynamic-filter enable ?
configure mode commands/options:
classify-list Set the access-list for classification
interface Enable classification on an interface
<cr>
ciscoasa/CUST(config)# dynamic-filter enable interface ?
configure mode commands/options:
Current available interface(s):
inside Name of interface GigabitEthernet0/1
outside Name of interface GigabitEthernet0/0
ciscoasa/CUST(config)# dynamic-filter enable interface outside ?
configure mode commands/options:
classify-list Set the access-list for classification
<cr>
ciscoasa/CUST(config)# dynamic-filter enable interface outside classify-list ?
configure mode commands/options:
WORD Specify the name of an access-list
ciscoasa/CUST(config)# dynamic-filter enable interface outside classify-list DYNAMIC-FILTER-ACL
ciscoasa/CUST(config)# dynamic-filter drop ?
configure mode commands/options:
blacklist Drop traffic matching blacklist
ciscoasa/CUST(config)# dynamic-filter drop blacklist ?
configure mode commands/options:
action-classify-list Set the access-list for drop
interface Enable drop on an interface
threat-level Set the threat-level for drop
<cr>
ciscoasa/CUST(config)# dynamic-filter drop blacklist interface ?
configure mode commands/options:
Current available interface(s):
inside Name of interface GigabitEthernet0/1
outside Name of interface GigabitEthernet0/0
ciscoasa/CUST(config)# dynamic-filter drop blacklist interface outside ?
configure mode commands/options:
action-classify-list Set the access-list for drop
threat-level Set the threat-level for drop
<cr>
ciscoasa/CUST(config)# $st interface outside threat-level ?
configure mode commands/options:
eq Threat-level equal to operator
range Threat-level range operator
ciscoasa/CUST(config)# dynamic-filter drop blacklist interface outside threat-level range ?
configure mode commands/options:
high high threat
low Low threat
moderate moderate threat
very-high Highest threat
very-low lowest threat
ciscoasa/CUST(config)# dynamic-filter drop blacklist interface outside threat-level range high ?
configure mode commands/options:
high high threat
low Low threat
moderate moderate threat
very-high Highest threat
very-low lowest threat
ciscoasa/CUST(config)# dynamic-filter drop blacklist interface outside threat-level range high very-high
ciscoasa/CUST(config)# dynamic-filter whitelist
ciscoasa/CUST(config-llist)# ?
Dynamic Filter list configuration
address Add IP address to local list
name Add domain name to local list
no Negate a command
ciscoasa/CUST(config-llist)# address ?
dynamic-filter-list mode commands/options:
Hostname or A.B.C.D Add IP address or network to local list
ciscoasa/CUST(config-llist)# address 208.67.220.220 ?
dynamic-filter-list mode commands/options:
A.B.C.D The IP netmask to apply to the IP address
ciscoasa/CUST(config-llist)# address 208.67.220.220 255.255.255.255 // OPEN DNS IP
class-map DYNAMIC-FILTER-DNS-CMAP
 match port udp eq domain
policy-map DYNAMIC-FILTER-DNS-PMAP
 class DYNAMIC-FILTER-DNS-CMAP // must reference the class-map defined above
  inspect dns dynamic-filter-snoop
ciscoasa/CUST(config)# service-policy ?
configure mode commands/options:
Available policy-maps:
global_policy
DYNAMIC-FILTER-DNS-PMAP
service-policy DYNAMIC-FILTER-DNS-PMAP interface outside // the filter matches on IP; DNS snooping is how blacklisted domain names get mapped to the addresses it sees
Here are some useful show commands to verify the Botnet feature:
ciscoasa/CUST# show dynamic-filter data
Dynamic Filter is using downloaded database version '1446144909' // UPDATE FROM CISCO SIO
Fetched at 15:17:36 UTC Oct 29 2015, size: 2097145
Sample contents from downloaded database:
loubouscoc.narod.ru alkhair.org mfqr.cn.com azpros.com
tubez11.cu.cc 72.66.16.146 monitor4eg.ru wildroute.biz
Sample meta data from downloaded database:
threat-level: very-high, category: Malware,
description: "These are sources that use various exploits to deliver
adware, spyware and other malware to victim computers. Some of these
are associated with rogue online vendors and distributors of dialers
which deceptively call premium-rate phone numbers."
threat-level: high, category: Bot and Threat Networks,
description: "These are rogue systems that control infected computers.
They are either systems hosted on threat networks or systems that are
part of the botnet itself."
threat-level: moderate, category: Malware,
description: "These are sources that deliver deceptive or malicious
anti-spyware, anti-malware, registry cleaning, and system cleaning
software."
threat-level: low, category: Ads,
description: "These are advertising networks that deliver banner ads,
interstitials, rich media ads, pop-ups, and pop-unders for websites,
spyware and adware. Some of these networks send ad-oriented HTML emails
and email verification services."
Total entries in Dynamic Filter database:
Dynamic data: 79504 domain names , 2942 IPv4 addresses
Local data: 0 domain names , 2 IPv4 addresses
Active rules in Dynamic Filter asp table:
Dynamic data: 0 domain names , 2942 IPv4 addresses
Local data: 0 domain names , 2 IPv4 addresses
ciscoasa/CUST# show dynamic-filter reports infected-hosts all
Total 149 infected-hosts in buffer
Host (interface) Latest malicious conn time, filter action Conn logged, dropped
=======================================================================================================
172.27.199.123 (inside) 13:52:06 UTC Oct 29 2015, dropped 14109 14109
Malware-sites connected to (not ordered)
Site
Latest conn port, time, filter action Conn logged, dropped
Threat-level Category
-------------------------------------------------------------------------------------------------------
158.85.62.205 (x.rafomedia.com) 80, 13:52:06 UTC Oct 29 2015, dropped 6 6 very-high Malware
54.149.242.159 (neutral-sky.info) 80, 13:21:05 UTC Oct 29 2015, dropped 9 9 very-high Malware
54.213.23.40 (neutral-sky.info) 80, 13:20:23 UTC Oct 29 2015, dropped 9 9 very-high Malware
54.213.128.72 (neutral-sky.info) 80, 13:21:26 UTC Oct 29 2015, dropped 6 6 very-high Malware
52.25.206.149 (neutral-sky.info) 80, 13:20:44 UTC Oct 29 2015, dropped 6 6 very-high Malware
=======================================================================================================
172.27.181.179 (inside) 11:23:38 UTC Oct 29 2015, dropped 229 229
Last clearing of the infected-hosts report: Never
ciscoasa/CUST# show dynamic-filter reports top infected-hosts
Infected Hosts (since last clear)
Host Connections Logged
----------------------------------------------------------------------
172.27.199.121 (inside) 49660
172.27.199.123 (inside) 14109
Last clearing of the top infected-hosts report: Never
ciscoasa/CUST# show dynamic-filter reports top malware-ports
Malware Ports (since last clear)
Port Connections Logged
----------------------------------------------------------------------
tcp 80 78693
tcp 443 273
udp >8192 37
udp 4682 1
Last clearing of the top ports report: Never
ciscoasa/CUST# show dynamic-filter reports top malware-sites
Malware Sites (since last clear)
Site Connections Logged Dropped Threat-level Category
---------------------------------------------------------------------------------
158.85.62.205 (x.rafomedia.com) 13649 13649 very-high Malware
173.193.251.201 (x.rafomedia.com) 12643 12643 very-high Malware
94.75.230.226 (a.adquantix.com) 9338 9338 very-high Malware
94.75.230.225 (a.adquantix.com) 8519 8519 very-high Malware
211.100.56.174 (analytics3.dopool.com) 3627 3627 very-high Malware
104.28.9.72 (zigad.winnerical.org) 906 906 very-high Malware
104.28.8.72 (zigad.winnerical.org) 906 906 very-high Malware
52.74.115.82 (in1.apusapps.com) 831 831 very-high Malware
54.255.128.61 (in1.apusapps.com) 828 828 very-high Malware
212.113.89.75 (abs.proxistore.com) 636 636 very-high Malware
Last clearing of the top sites report: Never
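The infected-hosts report above is what an incident responder actually works from, and it also shows whether the drop rule is doing its job: a host whose hits were logged but not dropped means the site's threat level was below the configured `threat-level range high very-high`, or the traffic crossed an interface without `dynamic-filter drop blacklist`. The Python below is an added example, not code from the original post: it parses `show dynamic-filter reports infected-hosts all` into per-host records, lists hosts that were only logged, and counts how many distinct IPs each flagged domain resolved to. The sample is the post's own report trimmed to its two hosts plus one constructed host (172.27.200.5 talking to ad-tracker.example, a moderate-level site) to show the logged-but-not-dropped case; the regexes follow the column layout visible above, and the word the ASA prints in the action column for a non-dropped hit is assumed to be "logged".

```python
"""Parse 'show dynamic-filter reports infected-hosts all' output from a Cisco ASA
into per-host records and triage them. Added example, not code from the original
post; the regexes follow the column layout of the report shown above."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
TS = r"(\d\d:\d\d:\d\d \S+ \S+ \d+ \d{4})"  # e.g. 13:52:06 UTC Oct 29 2015
# host line: 172.27.199.123 (inside) 13:52:06 UTC Oct 29 2015, dropped 14109 14109
HOST_RE = re.compile(rf"^{IP} \((\S+)\) {TS}, (\S+) (\d+) (\d+)$")
# site line: 158.85.62.205 (x.rafomedia.com) 80, 13:52:06 UTC Oct 29 2015, dropped 6 6 very-high Malware
SITE_RE = re.compile(rf"^{IP} \((\S+)\) (\d+), {TS}, (\S+) (\d+) (\d+) (\S+) (.+)$")

# Constructed sample: the post's report (two hosts) plus one made-up host, 172.27.200.5,
# whose hits were only logged because the site is "moderate" (below the drop range).
SAMPLE = """\
Total 149 infected-hosts in buffer
Host (interface) Latest malicious conn time, filter action Conn logged, dropped
=======================================================================================================
172.27.199.123 (inside) 13:52:06 UTC Oct 29 2015, dropped 14109 14109
Malware-sites connected to (not ordered)
Site
Latest conn port, time, filter action Conn logged, dropped
Threat-level Category
-------------------------------------------------------------------------------------------------------
158.85.62.205 (x.rafomedia.com) 80, 13:52:06 UTC Oct 29 2015, dropped 6 6 very-high Malware
54.149.242.159 (neutral-sky.info) 80, 13:21:05 UTC Oct 29 2015, dropped 9 9 very-high Malware
54.213.23.40 (neutral-sky.info) 80, 13:20:23 UTC Oct 29 2015, dropped 9 9 very-high Malware
54.213.128.72 (neutral-sky.info) 80, 13:21:26 UTC Oct 29 2015, dropped 6 6 very-high Malware
52.25.206.149 (neutral-sky.info) 80, 13:20:44 UTC Oct 29 2015, dropped 6 6 very-high Malware
=======================================================================================================
172.27.181.179 (inside) 11:23:38 UTC Oct 29 2015, dropped 229 229
=======================================================================================================
172.27.200.5 (inside) 09:10:11 UTC Oct 29 2015, logged 12 0
-------------------------------------------------------------------------------------------------------
198.51.100.20 (ad-tracker.example) 80, 09:10:11 UTC Oct 29 2015, logged 12 0 moderate Malware
Last clearing of the infected-hosts report: Never
"""


@dataclass
class Site:
    ip: str
    domain: str
    port: int
    action: str
    logged: int
    dropped: int
    threat_level: str
    category: str


@dataclass
class InfectedHost:
    ip: str
    interface: str
    last_seen: str
    action: str
    logged: int
    dropped: int
    sites: List[Site] = field(default_factory=list)


def parse_infected_hosts(text: str) -> Dict[str, InfectedHost]:
    """Walk the report top to bottom; site lines belong to the most recent host line."""
    hosts: Dict[str, InfectedHost] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SITE_RE.match(line)) and current is not None:
            ip, dom, port, _ts, act, lg, dr, level, cat = m.groups()
            current.sites.append(Site(ip, dom, int(port), act, int(lg), int(dr), level, cat.strip()))
        elif m := HOST_RE.match(line):
            ip, ifc, ts, act, lg, dr = m.groups()
            current = InfectedHost(ip, ifc, ts, act, int(lg), int(dr))
            hosts[ip] = current
    return hosts


def logged_not_dropped(hosts: Dict[str, InfectedHost]) -> List[str]:
    """Hosts with classified connections the ASA only logged: the site's threat level is
    below the configured drop range, or the traffic crossed an interface without a drop rule."""
    return sorted(h.ip for h in hosts.values() if h.logged > h.dropped)


def ips_per_domain(hosts: Dict[str, InfectedHost]) -> Dict[str, int]:
    """Distinct malicious IPs per domain; several per domain (neutral-sky.info above)
    means the name, not the addresses, is the stable indicator to block."""
    seen: Dict[str, set] = {}
    for h in hosts.values():
        for s in h.sites:
            seen.setdefault(s.domain, set()).add(s.ip)
    return {d: len(ips) for d, ips in seen.items()}


if __name__ == "__main__":
    hosts = parse_infected_hosts(SAMPLE)
    print("logged but not dropped:", logged_not_dropped(hosts))
    print("distinct IPs per domain:", ips_per_domain(hosts))
```

Feed it the output of `show dynamic-filter reports infected-hosts all` captured from the context; a non-empty `logged_not_dropped` list is the cue to revisit the `threat-level range` or the interface the drop rule is bound to.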
Websense URL filtering config:
ciscoasa/CUST(config)# url-server ?
configure mode commands/options:
( Open parenthesis for the network interface where the URL filtering server
resides
ciscoasa/CUST(config)# url-server (inside) ?
configure mode commands/options:
host Configure the IP address of the URL filtering server after this
keyword
vendor The URL server vendor, default is Websense
ciscoasa/CUST(config)# url-server (inside) vendor ?
configure mode commands/options:
smartfilter Secure Computing SmartFilter (N2H2) URL server
websense Websense URL server
ciscoasa/CUST(config)# url-server (inside) vendor websense ?
configure mode commands/options:
host Configure the IP address of the URL filtering server after this keyword
ciscoasa/CUST(config)# url-server (inside) vendor websense host ?
configure mode commands/options:
Hostname or A.B.C.D IP address of the URL filtering server
ciscoasa/CUST(config)# url-server (inside) vendor websense host 10.160.6.77 ?
configure mode commands/options:
protocol Protocol to be used for communicating to the URL server, TCP
protocol will be used by default
timeout The maximum idle time permitted before the system switches to the
next server specified, default is 30 seconds
version Optional version number for the Websense server, the version can be
1 or 4, default is 1. UDP protocol is available only in version 4
<cr>
ciscoasa/CUST(config)# url-server (inside) vendor websense host 10.160.6.77 protocol ?
configure mode commands/options:
tcp TCP to be used as transport protocol
udp UDP to be used as transport protocol
ciscoasa/CUST(config)# url-server (inside) vendor websense host 10.160.6.77 protocol tcp ?
configure mode commands/options:
connections Optional simultaneous TCP connection count
version Optional version number for the Websense server, the version can
be 1 or 4, default is 1. UDP protocol is available only in
version 4
<cr>
ciscoasa/CUST(config)# url-server (inside) vendor websense host 10.160.6.77 protocol tcp version ?
configure mode commands/options:
1 Websense version 1
4 Websense version 4
ciscoasa/CUST(config)# url-server (inside) vendor websense host 10.160.6.77 protocol tcp version 1 ?
configure mode commands/options:
connections Optional simultaneous TCP connection count
<cr>
ciscoasa/CUST(config)# url-server (inside) vendor websense host 10.160.6.77 protocol tcp version 1 connections ?
configure mode commands/options:
<1-100> Specify number of TCP connections to this URL server, default is 5
ciscoasa/CUST(config)# url-server (inside) vendor websense host 10.160.6.77 protocol tcp version 1 connections 10
ciscoasa/CUST(config)# url-block ?
configure mode commands/options:
block Configure number of blocks that will be buffered
url-mempool Configure memory resource to be allocated for long URL buffer
url-size Configure maximum allowed URL size
ciscoasa/CUST(config)# url-block url-mempool ?
configure mode commands/options:
<2-10240> Memory resource allocated for long URL buffer in KB
ciscoasa/CUST(config)# url-block url-mempool 512
ciscoasa/CUST(config)# url-block url-size ?
configure mode commands/options:
<2-4> Maximum allowed URL size in KB
ciscoasa/CUST(config)# url-block url-size 4
ciscoasa/CUST(config)# url-block block ?
configure mode commands/options:
<1-16> Number of blocks that will be buffered
ciscoasa/CUST(config)# url-block block 16
ciscoasa/CUST(config)# filter ?
configure mode commands/options:
activex ActiveX filtering
ftp FTP filtering
https HTTPS filtering
java Java filtering
url HTTP filtering
ciscoasa/CUST(config)# filter https ?
configure mode commands/options:
except Create an exception to previously specified set of IP
Enter the port or port range <start>[-<end>]
aol
bgp
biff
bootpc
bootps
chargen
cifs
citrix-ica
cmd
ctiqbe
daytime
discard
dnsix
domain
echo
exec
finger
ftp
ftp-data
gopher
h323
ciscoasa/CUST(config)# filter https 443 ?
configure mode commands/options:
Hostname or A.B.C.D The address of local/internal host which is source for
connections requiring filtering
ciscoasa/CUST(config)# filter https 443 172.24.0.0 ?
configure mode commands/options:
A.B.C.D Network mask to be applied to local IP address
ciscoasa/CUST(config)# filter https 443 172.24.0.0 255.255.0.0 ?
configure mode commands/options:
Hostname or A.B.C.D The address of foreign/external host which is
destination for connections requiring filtering
ciscoasa/CUST(config)# filter https 443 172.24.0.0 255.255.0.0 0.0.0.0 ?
configure mode commands/options:
A.B.C.D Network mask to be applied to foreign IP address
ciscoasa/CUST(config)# filter https 443 172.24.0.0 255.255.0.0 0.0.0.0 0.0.0.0 ?
configure mode commands/options:
allow When url-server is down, allow outbound <service> traffic
<cr>
ciscoasa/CUST(config)# filter https 443 172.24.0.0 255.255.0.0 0.0.0.0 0.0.0.0 allow // allow = fail open: traffic passes unfiltered while every url-server is down
ciscoasa/CUST(config)# filter https 443 172.26.103.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
ciscoasa/CUST(config)# filter url http 172.24.0.0 255.255.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate cgi-truncate
ciscoasa/CUST(config)# filter url http 172.26.103.0 255.255.255.0 0.0.0.0 0.0.0.0 allow longurl-truncate cgi-truncate
ciscoasa/CUST(config)# filter ftp 21 172.24.0.0 255.255.0.0 0.0.0.0 0.0.0.0 allow
ciscoasa/CUST(config)# filter ftp 21 172.26.103.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
ciscoasa/CUST(config)# filter https 443 10.48.41.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
ciscoasa/CUST(config)# filter url http 10.48.41.0 255.255.255.0 0.0.0.0 0.0.0.0 allow longurl-truncate cgi-truncate
ciscoasa/CUST(config)# filter ftp 21 10.48.41.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
ciscoasa/CUST(config)# filter https 443 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 allow
ciscoasa/CUST(config)# filter url http 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate cgi-truncate
ciscoasa/CUST(config)# filter ftp 21 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 allow
ciscoasa/CUST# ping 10.160.6.77
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.160.6.77, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/128/130 ms
ciscoasa/CUST# ping 10.15.16.45
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.15.16.45, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 320/326/330 ms
Here are some useful show commands for Websense redirection:
ciscoasa/CUST# show run url-server
url-server (inside) vendor websense host 10.15.16.45 timeout 30 protocol TCP version 1 connections 10
url-server (inside) vendor websense host 10.160.6.77 timeout 30 protocol TCP version 4 connections 10
url-server (inside) vendor websense host 10.13.16.45 timeout 30 protocol TCP version 4 connections 10
ciscoasa/CUST# show url-server statistics
Global Statistics:
--------------------
URLs total/allowed/denied 137923/135998/1925
URLs allowed by cache/server 0/135998
URLs denied by cache/server 0/1925
HTTPSs total/allowed/denied 76109/55125/20984
HTTPSs allowed by cache/server 0/55125
HTTPSs denied by cache/server 0/20984
FTPs total/allowed/denied 0/0/0
FTPs allowed by cache/server 0/0
FTPs denied by cache/server 0/0
Requests dropped 64884
Server timeouts/retries 6/80
Processed rate average 60s/300s 0/0 requests/second
Denied rate average 60s/300s 0/0 requests/second
Dropped rate average 60s/300s 0/0 requests/second
Server Statistics:
--------------------
10.160.6.77 UP
Vendor websense
Port 15868
Requests total/allowed/denied 214036/191121/22909
Server timeouts/retries 6/80
Responses received 214030
Response time average 60s/300s 0/0
10.15.16.45 UP
Vendor websense
Port 15868
Requests total/allowed/denied 0/0/0
Server timeouts/retries 0/0
Responses received 0
Response time average 60s/300s 0/0
URL Packets Sent and Received Stats:
------------------------------------
Message Sent Received
STATUS_REQUEST 194372 191704
LOOKUP_REQUEST 217845 217759
LOG_REQUEST 0 NA
Errors:
-------
RFC noncompliant GET method 0
URL buffer update failure 0
ciscoasa/CUST# show url-block block statistics
URL Pending Packet Buffer Stats with max block 16
-----------------------------------------------------
Cumulative number of packets held: 2091333
Maximum number of packets held (per URL): 8
Current number of packets held (global): 0
Packets dropped due to
exceeding url-block buffer limit: 510456
HTTP server retransmission: 39723
Number of packets released back to client: 2072781
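Two of the counters above deserve a second look: `Requests dropped 64884` against roughly 214k lookups, and `exceeding url-block buffer limit: 510456` against 2.09M packets held, with `url-block block` already at its maximum of 16. The Python below is an added example, not code from the original post: it parses `show url-server statistics` and `show url-block block statistics` and returns findings, including a DOWN server (which, with `allow` on every `filter` line, means traffic flows unfiltered) and a standby server that has never handled a request. The thresholds (1% dropped lookups, 5% buffer drops) are my assumptions; the sample is the post's own output, trimmed to the lines the checks use.

```python
"""Health-check the Websense url-server path on a Cisco ASA from the output of
'show url-server statistics' and 'show url-block block statistics'.
Added example, not code from the original post. Counter names are the ones the
ASA prints in the post; the thresholds in assess() are assumptions."""
import re
from typing import Dict, List, Tuple

SERVER_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) (UP|DOWN)$")
PROTO_RE = re.compile(r"^(URLs|HTTPSs|FTPs) total/allowed/denied (\d+)/(\d+)/(\d+)$")
SRV_REQ_RE = re.compile(r"^Requests total/allowed/denied (\d+)/(\d+)/(\d+)$")
COUNTER_RE = re.compile(r"^([A-Za-z][^:]*?):?\s+(\d+)$")  # "<name>[:] <integer>" lines

# Sample input: the post's own show output, trimmed.
SAMPLE = """\
Global Statistics:
URLs total/allowed/denied 137923/135998/1925
HTTPSs total/allowed/denied 76109/55125/20984
FTPs total/allowed/denied 0/0/0
Requests dropped 64884
Server timeouts/retries 6/80
Server Statistics:
10.160.6.77 UP
Vendor websense
Port 15868
Requests total/allowed/denied 214036/191121/22909
Responses received 214030
10.15.16.45 UP
Vendor websense
Port 15868
Requests total/allowed/denied 0/0/0
Responses received 0
URL Pending Packet Buffer Stats with max block 16
Cumulative number of packets held: 2091333
Maximum number of packets held (per URL): 8
Packets dropped due to
exceeding url-block buffer limit: 510456
HTTP server retransmission: 39723
Number of packets released back to client: 2072781
"""


def parse(text: str) -> Dict:
    """Collect per-server state and request counts, total lookups, and named counters."""
    stats: Dict = {"servers": {}, "lookups_total": 0, "counters": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SERVER_RE.match(line):
            current = m.group(1)
            stats["servers"][current] = {"state": m.group(2), "requests": 0}
        elif m := PROTO_RE.match(line):
            stats["lookups_total"] += int(m.group(2))
        elif (m := SRV_REQ_RE.match(line)) and current:
            stats["servers"][current]["requests"] = int(m.group(1))
        elif m := COUNTER_RE.match(line):
            # first occurrence wins, so the Global section's value is the one kept
            stats["counters"].setdefault(m.group(1).strip(), int(m.group(2)))
    return stats


def assess(stats: Dict, max_drop_ratio: float = 0.01,
           max_buffer_drop_ratio: float = 0.05) -> List[Tuple[str, str]]:
    """Return (code, detail) findings. Thresholds are assumptions; tune them per site."""
    findings: List[Tuple[str, str]] = []
    for ip, s in stats["servers"].items():
        if s["state"] != "UP":
            findings.append(("SERVER_DOWN", f"{ip} is {s['state']}: with 'filter ... allow' "
                             "configured, matching traffic now passes unfiltered"))
        elif s["requests"] == 0:
            findings.append(("SERVER_IDLE", f"{ip} is UP but has handled 0 requests; the ASA "
                             "only uses it after the primary times out, so confirm it answers"))
    c, total = stats["counters"], stats["lookups_total"]
    dropped = c.get("Requests dropped", 0)
    if total and dropped / total > max_drop_ratio:
        findings.append(("REQUESTS_DROPPED",
                         f"{dropped}/{total} ({dropped / total:.1%}) lookup requests dropped"))
    held = c.get("Cumulative number of packets held", 0)
    over = c.get("exceeding url-block buffer limit", 0)
    if held and over / held > max_buffer_drop_ratio:
        blocks = c.get("URL Pending Packet Buffer Stats with max block")
        findings.append(("URL_BLOCK_BUFFER",
                         f"{over}/{held} ({over / held:.1%}) buffered response packets dropped "
                         f"waiting for a verdict; url-block block is {blocks} (16 is the maximum), "
                         "so the fix is url-server response time, not a bigger buffer"))
    return findings


if __name__ == "__main__":
    for code, detail in assess(parse(SAMPLE)):
        print(f"{code}: {detail}")
```

Run against the two show commands on a schedule and alert on `SERVER_DOWN`; because every `filter` line here carries `allow`, a down url-server is silent from the users' point of view and only these counters reveal it.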