Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 26 Configuring the Botnet Traffic Filter
Configuring the Botnet Traffic Filter
When an address matches, the ASA sends a syslog message. The only additional action currently
available is to drop the connection.
Prerequisites
In multiple context mode, perform this procedure in the context execution space.
Recommended Configuration
Although DNS snooping is not required, we recommend configuring DNS snooping for maximum use
of the Botnet Traffic Filter (see the “Enabling DNS Snooping” section on page 26-9). Without DNS
snooping for the dynamic database, the Botnet Traffic Filter uses only the static database entries, plus
any IP addresses in the dynamic database; domain names in the dynamic database are not used.
We recommend enabling the Botnet Traffic Filter on all traffic on the Internet-facing interface, and
enabling dropping of traffic with a severity of moderate and higher.
Detailed Steps
Step 1 Choose the Configuration > Firewall > Botnet Traffic Filter > Traffic Settings pane.
Step 2 To enable the Botnet Traffic Filter on specified traffic, perform the following steps:
a. In the Traffic Classification area, check the Traffic Classified check box for each interface on which
you want to enable the Botnet Traffic Filter.
You can configure a global classification that applies to all interfaces by checking the Traffic
Classified check box for Global (All Interfaces). If you configure an interface-specific
classification, the settings for that interface override the global setting.
b. For each interface, from the ACL Used drop-down list choose either --ALL TRAFFIC-- (the
default), or any ACL configured on the ASA.
For example, you might want to monitor all port 80 traffic on the outside interface.
To add or edit ACLs, click Manage ACL to bring up the ACL Manager. See the “Adding ACLs and
ACEs” section on page 21-2 in the general operations configuration guide for more information.
Step 3 (Optional) To treat greylisted traffic as blacklisted traffic for action purposes, in the Ambiguous Traffic
Handling area, check the Treat ambiguous (greylisted) traffic as malicious (blacklisted) traffic check
box.
If you do not enable this option, greylisted traffic will not be dropped if you configure a rule in the
Blacklisted Traffic Actions area. See the “Botnet Traffic Filter Address Types” section on page 26-2 for
more information about the greylist.
Step 4 (Optional) To automatically drop malware traffic, perform the following steps.
To manually drop traffic, see the “Blocking Botnet Traffic Manually” section on page 26-12.
a. In the Blacklisted Traffic Actions area, click Add.
The Add Blacklisted Traffic Action dialog box appears.
b. From the Interface drop-down list, choose the interface on which you want to drop traffic. Only
interfaces on which you enabled Botnet Traffic Filter traffic classification are available.
c. In the Threat Level area, choose one of the following options to drop traffic at specific threat levels.
The default level is a range between Moderate and Very High.
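The following ASA CLI configuration is an added example showing the equivalent of the ASDM steps above (Steps 2 through 4 plus the recommended DNS snooping); it is not taken from this guide. The interface name outside and the ACL name btf-web are assumed.

```text
! Added example: CLI equivalent of the ASDM procedure above (not from the guide).
! Interface name "outside" and ACL name "btf-web" are assumed values.
!
! Dynamic database download and use (prerequisite for dynamic-database matching).
dynamic-filter updater-client enable
dynamic-filter use-database
!
! Recommended configuration: DNS snooping, so that domain names in the
! dynamic database are used, not only its IP addresses.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map dynamic-filter-snoop
!
! Step 2: enable Botnet Traffic Filter classification on the Internet-facing
! interface. Omitting classify-list corresponds to --ALL TRAFFIC-- in ASDM.
dynamic-filter enable interface outside
!
! Step 2b example: instead of all traffic, classify only port 80 traffic.
! (Use this pair in place of the line above if narrower scope is wanted.)
access-list btf-web extended permit tcp any any eq www
! dynamic-filter enable interface outside classify-list btf-web
!
! Step 3: treat ambiguous (greylisted) traffic as blacklisted for action purposes.
! Without this line, a drop rule below does not affect greylisted traffic.
dynamic-filter ambiguous-is-black
!
! Step 4: automatically drop blacklisted traffic at the default threat-level
! range (Moderate through Very High) on the classified interface.
dynamic-filter drop blacklist interface outside threat-level range moderate very-high
```

Matches are still reported by syslog whether or not a drop rule is configured, so the drop line only changes the action, not the logging.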