Cisco ASA 5500 Series Configuration Guide using the CLI, Chapter 55: Configuring the Botnet Traffic Filter (page 55-13)
Configuring the Botnet Traffic Filter
Recommended Configuration
Although DNS snooping is not required, we recommend configuring it to get the most out of the Botnet Traffic Filter (see the “Enabling DNS Snooping” section on page 55-10). Without DNS snooping, the Botnet Traffic Filter can match traffic only against the static database entries and the IP addresses in the dynamic database; the domain names in the dynamic database are never matched, because the filter has no way to map those names to the addresses it sees in traffic.
We recommend enabling the Botnet Traffic Filter on all traffic on the Internet-facing interface, and enabling dropping of traffic with a threat severity of moderate and higher. See the “Examples” section for the recommended commands used for this configuration.
Detailed Steps

Step 1 (Optional)
Command:
    access-list access_list_name extended {deny | permit} protocol source_address mask [operator port] dest_address mask [operator port]
Example:
    hostname(config)# access-list dynamic-filter_acl extended permit tcp any any eq 80
    hostname(config)# access-list dynamic-filter_acl_subset extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
Purpose:
Identifies the traffic that you want to monitor or drop. If you do not create an access list for monitoring, by default you monitor all traffic. You can optionally use an access list to identify a subset of monitored traffic that you want to drop; be sure that this access list is a subset of the monitoring access list. See Chapter 15, “Adding an Extended Access List,” for more information about creating an access list.

Step 2
Command:
    dynamic-filter enable [interface name] [classify-list access_list]
Example:
    hostname(config)# dynamic-filter enable interface outside classify-list dynamic-filter_acl
Purpose:
Enables the Botnet Traffic Filter; without any options, this command monitors all traffic.
We recommend enabling the Botnet Traffic Filter on all traffic on the Internet-facing interface using the interface keyword.
You can optionally limit monitoring to specific traffic by using the classify-list keyword with an access list.
You can enter this command one time for each interface and one time for the global policy (where you do not specify the interface keyword). Each interface and global command can have an optional classify-list keyword. Any interface-specific command takes precedence over the global command.
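The following configuration assembles the recommended setup from the steps above. It is an added illustration, not the guide's own “Examples” section, and it assumes the Internet-facing interface is named outside, that the default global service policy (global_policy with class inspection_default) is present, and that an access list named dynamic-filter_acl_subset identifies the hosts whose traffic you want to drop. The dynamic-filter drop blacklist command, the updater-client and use-database commands, and the DNS inspection line belong to steps of this procedure that are not shown on this page.

```cisco
! Added example: recommended Botnet Traffic Filter configuration.
! Assumes the Internet-facing interface is named "outside" and that the
! default global service policy (global_policy / inspection_default) exists.

! Download the dynamic database from the Cisco update server and load it
! into memory so it can be matched against traffic.
dynamic-filter updater-client enable
dynamic-filter use-database

! Recommended: DNS snooping. Inspecting DNS replies lets the filter map the
! domain names in the dynamic database to the IP addresses seen in traffic;
! without it only IP-address entries are ever matched.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map dynamic-filter-snoop

! Monitor all traffic on the Internet-facing interface. No classify-list is
! given, so every connection through "outside" is classified.
dynamic-filter enable interface outside

! Drop connections to blacklisted hosts on that interface. With no
! threat-level keyword the default range, moderate through very-high,
! applies, which is the recommendation above.
dynamic-filter drop blacklist interface outside

! Optional: also treat greylisted (ambiguous) addresses as blacklisted when
! deciding what to drop.
! dynamic-filter ambiguous-is-black

! Alternative to the drop command above: drop only a subset of the
! monitored traffic. Because monitoring covers all traffic on "outside",
! any narrower access list satisfies the subset requirement from Step 1.
! access-list dynamic-filter_acl_subset extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
! dynamic-filter drop blacklist interface outside action-classify-list dynamic-filter_acl_subset

! Verify that the database is downloading, that DNS snooping is populating
! the reverse lookup cache, and that traffic is being classified.
show dynamic-filter updater-client
show dynamic-filter dns-snoop
show dynamic-filter statistics
```

If you later narrow monitoring with a classify-list on Step 2, re-check any action-classify-list on the drop command: traffic outside the monitoring list is never classified, so drop entries that fall outside it have no effect.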