User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 19 Managing Firewall Botnet Traffic Filter Rules
Botnet Traffic Filter Rules Page
Field Reference
Whitelist/Blacklist Tab
Use the Whitelist/Blacklist tab to view or to configure the static database entries for a device or shared
policy. The Device Blacklist contains domain names or IP addresses of malicious or undesirable sites.
You can use the static blacklist to supplement the Cisco dynamic database or you can use the static
blacklist alone if you can identify all the malware sites that you want to target.
Table 19-3 BTF Drop Rules Editor

Element: Interfaces
Description: The interfaces or interface roles on which you want to enable the Botnet
Traffic Filter. Enter the name of the interface or the interface role, or
click Select to select the interface or role from a list, or to create a new
role. An interface must already be defined to appear on the list.
You can use the All Interfaces role object to enable botnet filtering
globally (selected by default). If you configure an interface-specific
classification, the settings for that interface override the global settings.
Interface role objects are replaced with the actual interface names when
the configuration is generated for each device. See Understanding
Interface Role Objects, page 6-67.

Element: ACL
Description: Specifies the access-list to use for identifying the traffic that you want
to monitor. If you do not specify an access list, by default you monitor
all traffic.
To specify the traffic that you want to monitor, click Select to the right
of the ACL field to select an Access Control List object that identifies
the traffic that you want to monitor. For example, you might want to
monitor all port 80 traffic on the outside interface. For more
information about Access Control List objects, see Creating Access
Control List Objects, page 6-49.

Element: Threat Level
Description: The Threat Level fields identify the threat level of malicious traffic that
you want dropped. The default level is a range between Moderate and
Very High.
Note: We highly recommend using the default setting unless you have
strong reasons for changing the setting.
Value—Specify the threat level you want to drop.
  Very-low
  Low
  Moderate
  High
  Very-high
Range—Specify a range of threat levels.
Note: Static blacklist entries are always designated with a Very High
threat level.
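
The following Python model is an added example, not code from Cisco or from Security Manager. It evaluates the drop decision that Table 19-3 describes (interface-specific settings overriding All Interfaces, the optional ACL, a threat-level value or range, and static blacklist entries rated Very High); the class and function names, the sample policy, and the ACL reduced to a set of destination ports are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Threat levels in ascending order, as listed in the table.
LEVELS = ["very-low", "low", "moderate", "high", "very-high"]
ALL_INTERFACES = "All Interfaces"

@dataclass(frozen=True)
class DropRule:                         # hypothetical model of one editor row
    interface: str                      # interface name or ALL_INTERFACES
    low: str = "moderate"               # default range: Moderate..Very High
    high: str = "very-high"             # a single Value means low == high
    acl_ports: Optional[frozenset] = None  # simplified ACL; None = all traffic

@dataclass(frozen=True)
class Hit:                              # a connection matched by the filter
    interface: str
    dst_port: int
    level: Optional[str] = None         # level assigned by the dynamic database
    static_blacklist: bool = False      # matched a static blacklist entry

def effective_rule(rules, interface):
    """Interface-specific settings override the global (All Interfaces) ones."""
    by_if = {r.interface: r for r in rules}
    return by_if.get(interface) or by_if.get(ALL_INTERFACES)

def should_drop(rules, hit):
    rule = effective_rule(rules, hit.interface)
    if rule is None:
        return False
    if rule.acl_ports is not None and hit.dst_port not in rule.acl_ports:
        return False                    # traffic outside the ACL is not covered
    # Static blacklist entries are always designated Very High.
    level = "very-high" if hit.static_blacklist else hit.level
    if level is None:
        return False
    rank = LEVELS.index(level)
    return LEVELS.index(rule.low) <= rank <= LEVELS.index(rule.high)

# Constructed sample policy: the default global rule, plus an override on
# "dmz" that drops only Low-rated traffic to port 80.
RULES = [
    DropRule(ALL_INTERFACES),
    DropRule("dmz", low="low", high="low", acl_ports=frozenset({80})),
]
```

In this model the "dmz" override no longer drops static blacklist hits, because its threat level excludes Very High; that is one consequence of moving away from the default range.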