Cisco ASA Series Cli Configuration Manual page 1431

Software version 9.0 for the services module

Chapter 1
Configuring Threat Detection
For each received event, the ASA checks the average and burst rate limits; if both rates are exceeded,
then the ASA sends two separate system messages, with a maximum of one message for each rate type
per burst period.
Basic threat detection affects performance only when there are drops or potential threats; even in this
scenario, the performance impact is insignificant.
Guidelines and Limitations
This section includes the guidelines and limitations for this feature:
Security Context Guidelines
Supported in single mode only. Multiple mode is not supported.
Firewall Mode Guidelines
Supported in routed and transparent firewall mode.
Types of Traffic Monitored
Only through-the-box traffic is monitored; to-the-box traffic is not included in threat detection.
Default Settings
Basic threat detection statistics are enabled by default.
Table 1-1 lists the default settings. You can view all these default settings using the show running-config all threat-detection command.

Table 1-1 Basic Threat Detection Default Settings

| Packet Drop Reason | Trigger Settings: Average Rate | Trigger Settings: Burst Rate |
|---|---|---|
| DoS attack detected; Bad packet format; Connection limits exceeded; Suspicious ICMP packets detected | 100 drops/sec over the last 600 seconds. | 400 drops/sec over the last 20 second period. |
| | 80 drops/sec over the last 3600 seconds. | 320 drops/sec over the last 120 second period. |
| Scanning attack detected | 5 drops/sec over the last 600 seconds. | 10 drops/sec over the last 20 second period. |
| | 4 drops/sec over the last 3600 seconds. | 8 drops/sec over the last 120 second period. |
| Incomplete session detected such as TCP SYN attack detected or no data UDP session attack detected (combined) | 100 drops/sec over the last 600 seconds. | 200 drops/sec over the last 20 second period. |
| | 80 drops/sec over the last 3600 seconds. | 160 drops/sec over the last 120 second period. |
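
The following is an added example, not part of the Cisco guide: a small Python audit that compares threat-detection rate lines from a saved running configuration against the Table 1-1 defaults and reports thresholds that were loosened or tightened. The mapping of CLI keywords (dos-drop, syn-attack and so on) to the table's rows and the sample configuration are assumptions constructed for this example.

```python
import re

# Table 1-1 defaults as {rate-interval seconds: (average, burst)} in drops/sec.
GENERAL = {600: (100, 400), 3600: (80, 320)}
SCANNING = {600: (5, 10), 3600: (4, 8)}
INCOMPLETE = {600: (100, 200), 3600: (80, 160)}

# Assumed mapping from threat-detection rate keywords to the table's rows.
DEFAULTS = {
    "dos-drop": GENERAL, "bad-packet-drop": GENERAL,
    "conn-limit-drop": GENERAL, "icmp-drop": GENERAL,
    "scanning-threat": SCANNING, "syn-attack": INCOMPLETE,
}

RATE_RE = re.compile(
    r"^threat-detection rate (\S+) rate-interval (\d+) "
    r"average-rate (\d+) burst-rate (\d+)\s*$"
)

def audit(config_text):
    """Return findings for rate lines that differ from the Table 1-1 defaults."""
    findings = []
    for line in config_text.splitlines():
        m = RATE_RE.match(line.strip())
        if not m:
            continue
        kind, interval, avg, burst = m.group(1), *map(int, m.group(2, 3, 4))
        default = DEFAULTS.get(kind, {}).get(interval)
        if default is None:
            findings.append((kind, interval, "no-default-in-table", (avg, burst)))
        elif avg > default[0] or burst > default[1]:
            # Higher thresholds mean more drops are tolerated before a message is sent.
            findings.append((kind, interval, "loosened", (avg, burst)))
        elif (avg, burst) != default:
            findings.append((kind, interval, "tightened", (avg, burst)))
    return findings

# Constructed sample input, not output captured from a device.
SAMPLE = """\
threat-detection basic-threat
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate scanning-threat rate-interval 600 average-rate 50 burst-rate 100
threat-detection rate syn-attack rate-interval 3600 average-rate 40 burst-rate 160
threat-detection rate icmp-drop rate-interval 1200 average-rate 100 burst-rate 400
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A "loosened" finding on scanning-threat or syn-attack is the one to review first, since it raises the drop rate the ASA tolerates before it sends a system message.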