19-11
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 19 Managing Firewall Botnet Traffic Filter Rules
Botnet Traffic Filter Rules Page
Traffic Classification Tab
Use the Traffic Classification tab to view or to configure the traffic classification definitions for a device
or shared policy and to identify malicious traffic that you want automatically dropped. Traffic
classification definitions (enable rules) consist of an interface or interface role with an associated ACL
that identifies the traffic that is monitored by the Botnet Traffic Filter. You can configure settings for
specific interfaces or for interface roles. You can use the All Interfaces role object to enable botnet
filtering globally (selected by default). If you configure an interface-specific classification, the settings
for that interface override any settings defined for an interface role.
For a particular interface, you can specify only one enable rule that identifies the traffic that is subject
to Botnet Traffic Filtering; however, you can specify multiple drop rules to identify traffic that should
be dropped by the Botnet Traffic Filter.
Note: We highly recommend configuring Dynamic Filter Snooping for proper functioning of the Botnet Traffic
Filter. When in Device view, Cisco Security Manager provides a link at the bottom of the Traffic
Classification tab that will take you directly to the Inspection Rules page so that you can enable Dynamic
Filter Snooping. For more information, see Enabling DNS Snooping, page 19-6.
The columns in the tables summarize the settings for an entry and are explained in BTF Enable Rules
Editor, page 19-12 and BTF Drop Rules Editor, page 19-13.
To configure traffic classification and actions:
Click the Add Row button to add an interface or interface role to the table, and fill in the BTF Enable
Rules Editor, page 19-12 or BTF Drop Rules Editor, page 19-13.
Select an entry and click the Edit Row button to edit an existing entry.
Select an entry and click the Delete Row button to delete it.
Navigation Path
From the Botnet Traffic Filter Rules Page, page 19-9, click the Traffic Classification tab.
Related Topics
BTF Enable Rules Editor, page 19-12
BTF Drop Rules Editor, page 19-13
Enabling Traffic Classification and Actions for the Botnet Traffic Filter, page 19-6
Understanding Botnet Traffic Filtering, page 19-1
Table 19-1 Dynamic Blacklist Configuration Tab (Continued)
Element | Description
Use Dynamic Blacklist | Enables use of the dynamic database for the Botnet Traffic Filter. Note: In multiple context mode, you configure use of the database on a per-context basis.
Treat Ambiguous traffic as Blacklist | When selected, graylisted traffic will be treated as blacklisted traffic for action purposes. If you do not enable this option, graylisted traffic will not be dropped if you configure a drop rule for that traffic.
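The enable rule, drop rules, and the two Dynamic Blacklist options described on this page, expressed as ASA CLI commands. This is an added example, not text from the guide and not output generated by Security Manager; the interface name `outside` and all ACL, class-map, and policy-map names are assumptions.

```cisco
! Constructed example. Interface, ACL, class-map and policy-map names are assumptions.
!
! "Use Dynamic Blacklist": use the dynamic database (per context in multiple context mode).
! The database download itself is enabled separately with the updater client.
dynamic-filter updater-client enable
dynamic-filter use-database
!
! Enable rule: only one per interface. The ACL identifies the traffic that is monitored.
access-list BTF_MONITOR extended permit tcp any any eq www
access-list BTF_MONITOR extended permit tcp any any eq 8080
dynamic-filter enable interface outside classify-list BTF_MONITOR
!
! Drop rules: several are allowed per interface. Each ACL here selects a
! non-overlapping subset of the monitored traffic.
access-list BTF_DROP_WEB extended permit tcp any any eq www
access-list BTF_DROP_ALT extended permit tcp any any eq 8080
dynamic-filter drop blacklist interface outside action-classify-list BTF_DROP_WEB
dynamic-filter drop blacklist interface outside action-classify-list BTF_DROP_ALT
!
! "Treat Ambiguous traffic as Blacklist": without this line, graylisted traffic
! is not dropped by the drop rules above.
dynamic-filter ambiguous-is-black
!
! Dynamic Filter Snooping (DNS snooping), recommended in the Note on this page.
class-map BTF_DNS_SNOOP
 match port udp eq domain
policy-map BTF_DNS_SNOOP_POLICY
 class BTF_DNS_SNOOP
  inspect dns preset_dns_map dynamic-filter-snoop
service-policy BTF_DNS_SNOOP_POLICY interface outside
```

Omitting `interface outside` from the `dynamic-filter enable` or `dynamic-filter drop blacklist` commands makes the setting global, which matches the All Interfaces role; an interface-specific command takes precedence over the global one.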