26-14
Cisco ASA Series Firewall CLI Configuration Guide
Chapter26 Configuring the Botnet Traffic Filter
Configuring the Botnet Traffic Filter
Step3 (Optional)
dynamic-filter drop blacklist [interface
name] [action-classify-list
subset_access_list] [threat-level {eq
level | range min max}]
Example:
ciscoasa(config)# dynamic-filter drop
blacklist interface outside
action-classify-list
dynamic-filter_acl_subset threat-level
range moderate very-high
Automatically drops malware traffic. To manually drop traffic,
see the “Blocking Botnet Traffic Manually” section on
page 26-15.
Be sure to first configure a dynamic-filter enable command to
monitor any traffic you also want to drop.
You can set an interface policy using the interface keyword, or a
global policy (where you do not specify the interface keyword).
Any interface-specific commands take precedence over the global
command. You can enter this command multiple times for each
interface and global policy.
The action-classify-list keyword limits the traffic dropped to a
subset of monitored traffic. The dropped traffic must always be
equal to or a subset of the monitored traffic. For example, if you
specify an ACL for the dynamic-filter enable command, and you
specify the action-classify-list for this command, then it must be
a subset of the dynamic-filter enable ACL.
Make sure you do not specify overlapping traffic in multiple
commands for a given interface/global policy. Because you
cannot control the exact order that commands are matched,
overlapping traffic means you do not know which command will
be matched. For example, do not specify both a command that
matches all traffic (without the action-classify-list keyword) as
well as a command with the action-classify-list keyword for a
given interface. In this case, the traffic might never match the
command with the action-classify-list keyword. Similarly, if you
specify multiple commands with the action-classify-list
keyword, make sure each ACL is unique, and that the networks do
not overlap.
You can additionally limit the traffic dropped by setting the threat
level. If you do not explicitly set a threat level, the level used is
threat-level range moderate very-high.
Note We highly recommend using the default setting unless you
have strong reasons for changing the setting.
The level and min and max options are:
very-low
low
moderate
high
very-high
Note Static blacklist entries are always designated with a Very
High threat level.
Command Purpose