User Guide for Cisco Security Manager 4.8
Managing Firewall Botnet Traffic Filter Rules
Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data) can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP address. The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic database of known bad domain names and IP addresses, and then logs any suspicious activity.
You can also supplement the Cisco dynamic database with blocked addresses of your choosing by adding them to a static block list; if the dynamic database includes blocked addresses that you think should not be blocked, you can manually enter them into a static allow list. Addresses on the allow list still generate syslog messages, but because you are only targeting syslog messages on the block list, they are informational. If you do not want to use the Cisco dynamic database at all, because of internal requirements, you can use the static block list alone if you can identify all the malware sites that you want to target.
Understanding Botnet Traffic Filtering
Botnet Traffic Filter Address Categories
Addresses monitored by the Botnet Traffic Filter include:
- Known malware addresses: These addresses are on the block list, identified by the dynamic database and the static block list.
- Known allowed addresses: These addresses are on the allow list. To be allowed, an address must be blocked by the dynamic database and also identified by the static allow list.
- Ambiguous addresses: These addresses are associated with multiple domain names, but not all of these domain names are on the block list. These addresses are on the graylist.
- Unlisted addresses: These addresses are unknown and not included on any list.
Botnet Traffic Filter Actions for Known Addresses
You can configure the Botnet Traffic Filter to log suspicious activity, and you can optionally configure it to block suspicious traffic automatically.
Unlisted addresses do not generate any syslog messages, but addresses on the block list, allow list, and graylist generate syslog messages differentiated by type.
Botnet Traffic Filter Databases
The Botnet Traffic Filter uses two databases for known addresses. You can use both databases together, or you can disable use of the dynamic database and use the static database alone. This section includes the following topics:
Information About the Dynamic Database
The Botnet Traffic Filter can receive periodic updates for the dynamic database from the Cisco update server. This database lists thousands of known bad domain names and IP addresses.
The security appliance uses the dynamic database as follows:
1. When the domain name in a DNS reply matches a name in the dynamic database, the Botnet Traffic Filter adds the name and IP address to the DNS reverse lookup cache.
2. When the infected host starts a connection to the IP address of the malware site, the security appliance sends a syslog message informing you of the suspicious activity.
3. In some cases, the IP address itself is supplied in the dynamic database, and the Botnet Traffic Filter logs any traffic to that IP address without having to inspect DNS requests.
Note To use the database, be sure to configure a domain name server for the security appliance so that it can access the URL.
To use the domain names in the dynamic database, you need to enable DNS packet inspection with Botnet Traffic Filter snooping; the security appliance looks inside the DNS packets for the domain name and associated IP address.
Information About the Static Database
You can manually enter domain names or IP addresses (host or subnet) that you want to tag as bad names in a block list. You can also enter names or IP addresses in an allow list, so that names or addresses that appear on both the allow list and the dynamic block list are identified only as allowed addresses in syslog messages and reports.
You can alternatively enable DNS packet inspection with Botnet Traffic Filter snooping. With DNS snooping, when an infected host sends a DNS request for a name on the static database, the security appliance looks inside the DNS packets for the domain name and associated IP address and adds the name and IP address to the DNS reverse lookup cache.
Task Flow for Configuring the Botnet Traffic Filter
To configure the Botnet Traffic Filter, follow these steps:
Step 1 Enable use of a DNS server.
This procedure enables security appliance use of a DNS server. In multiple context mode, enable DNS per context.
For more information, see DNS Page
Step 2 Enable use of the dynamic database.
This procedure enables database updates from the Cisco update server, and also enables use of the downloaded dynamic database by the security appliance. Disallowing use of the downloaded database is useful in multiple context mode so you can configure use of the database on a per-context basis.
For more information, see Configuring the Dynamic Database
Step 3 (Optional) Add static entries to the database.
This procedure lets you augment the dynamic database with domain names or IP addresses that you want to block or allow. You might want to use the static database instead of the dynamic database if you do not want to download the dynamic database over the Internet.
For more information, see Adding Entries to the Static Database
Step 4 Enable DNS snooping.
This procedure enables inspection of DNS packets, compares the domain name with those in the dynamic database or the static database (when a DNS server for the security appliance is unavailable), and adds the name and IP address to the DNS reverse lookup cache. This cache is then used by the Botnet Traffic Filter logging function when connections are made to the suspicious address.
For more information, see Enabling DNS Snooping
Step 5 Enable traffic classification and actions for the Botnet Traffic Filter.
This procedure enables the Botnet Traffic Filter, which compares the source and destination IP address in each initial connection packet to the IP addresses in the dynamic database, static database, DNS reverse lookup cache, and DNS host cache, and sends a syslog message for any matching traffic or drops that traffic.
For more information, see Enabling Traffic Classification and Actions for the Botnet Traffic Filter
Step 6 Monitor and Mitigate Botnet Activity.
After configuring the Botnet Traffic Filter on a device, the device will begin generating syslog messages to notify you of botnet activity. You should verify the syslog configuration on the device so that messages are appropriately logged and that notifications are sent as needed. As malicious traffic is identified, you will need to perform necessary actions to stop such traffic and to clean any infected computers that are generating the malicious traffic.
For more information, see the following references:
1. Chapter 54, “Configuring Logging Policies on Firewall Devices”
2. Monitoring and Mitigating Botnet Activity
3. Understanding Firewall Summary Botnet Reports
Configuring the Dynamic Database
This procedure enables database updates, and also enables use of the downloaded dynamic database by the security appliance.
In multiple context mode, you enable downloading of the dynamic database on the System context so that it is available to all security contexts. You can then decide, on a per-context basis, whether to enable use of the dynamic database or not.
By default, downloading and using the dynamic database is disabled.
- Dynamic Blacklist Configuration Tab
- Understanding Botnet Traffic Filtering
- Task Flow for Configuring the Botnet Traffic Filter
- Adding Entries to the Static Database
- Enabling DNS Snooping
- Enabling Traffic Classification and Actions for the Botnet Traffic Filter
- Botnet Traffic Filter Rules Page
Enable security appliance use of a DNS server (see DNS Page). In multiple context mode, enable DNS per context.
Step 1 Do one of the following:
- (Device view) Select Firewall > Botnet Traffic Filter Rules from the Policy selector.
- (Policy view) Select Firewall > Botnet Traffic Filter Rules from the Policy Type selector. Select an existing policy or create a new one.
Note For devices in multiple context mode, you enable downloading of the dynamic database on the System context and enable use of the dynamic database on each security context, as needed.
This opens the Botnet Traffic Filter Rules Page.
Step 2 On the Dynamic Blacklist Configuration tab, select Enable Dynamic Blacklist From Server to enable downloading of the dynamic database.
Note In multiple context mode, you enable downloading of the dynamic database on the System context.
This setting enables downloading of the dynamic database from the Cisco update server. If you do not have a database already installed on the security appliance, it downloads the database after approximately 2 minutes. The update server determines how often the security appliance polls the server for future updates, typically every hour.
Step 3 (Multiple context mode only) Click Save to save the changes to the System context. Then change to the context where you want to configure the Botnet Traffic Filter, select Firewall > Botnet Traffic Filter Rules for that context, and then proceed to Step 4.
Step 4 On the Dynamic Blacklist Configuration tab, select Use Dynamic Blacklist to enable use of the dynamic database.
Note In multiple context mode, these settings are disabled on the System context.
Adding Entries to the Static Database
The static database lets you augment the dynamic database with domain names, IP addresses, or network addresses that you want to block or allow. For more information, see Understanding Botnet Traffic Filtering.
- Whitelist/Blacklist Tab
- Device Whitelist or Device Blacklist Dialog Box
- Understanding Botnet Traffic Filtering
- Task Flow for Configuring the Botnet Traffic Filter
- Configuring the Dynamic Database
- Enabling DNS Snooping
- Enabling Traffic Classification and Actions for the Botnet Traffic Filter
- Botnet Traffic Filter Rules Page
- Enable security appliance use of a DNS server (see DNS Page). In multiple context mode, enable DNS per context.
Step 1 Do one of the following:
- (Device view) Select Firewall > Botnet Traffic Filter Rules from the Policy selector.
- (Policy view) Select Firewall > Botnet Traffic Filter Rules from the Policy Type selector. Select an existing policy or create a new one.
Note For devices in multiple context mode, you configure the static database on the security context.
This opens the Botnet Traffic Filter Rules Page.
Step 2 On the Whitelist / Blacklist tab, click the Add Rows button that corresponds with the type of entry you are adding (Whitelist or Blacklist).
This opens the Device Whitelist or Device Blacklist Dialog Box.
Step 3 In the Domain or IP Address field, enter one or more domain names, IP addresses, or IP address/netmask pairs. Enter multiple entries separated by commas or on separate lines. You can enter up to 1000 entries for each type.
Enabling DNS Snooping
This procedure enables inspection of DNS packets and enables Botnet Traffic Filter snooping, which compares the domain name with those on the dynamic database or static database, and adds the name and IP address to the Botnet Traffic Filter DNS reverse lookup cache. This cache is then used by the Botnet Traffic Filter logging function when connections are made to the suspicious address.
The default configuration for DNS inspection inspects all UDP DNS traffic on all interfaces, and does not have Botnet Traffic Filter snooping enabled. We suggest that you enable Botnet Traffic Filter snooping only on interfaces where external DNS requests are going. Enabling Botnet Traffic Filter snooping on all UDP DNS traffic, including that going to an internal DNS server, creates unnecessary load on the security appliance.
Note TCP DNS traffic is not supported.
- Configure DNS Dialog Box
- Understanding Botnet Traffic Filtering
- Task Flow for Configuring the Botnet Traffic Filter
- Configuring the Dynamic Database
- Adding Entries to the Static Database
- Enabling Traffic Classification and Actions for the Botnet Traffic Filter
- Botnet Traffic Filter Rules Page
Step 1 You must first configure DNS inspection for traffic that you want to snoop using the Botnet Traffic Filter. See Chapter 17, “Managing Firewall Inspection Rules”.
Step 2 While defining a new inspection rule or editing an existing inspection rule, select DNS as the protocol you want to inspect.
The Configure button to the right of the Selected Protocol field becomes active.
Step 3 Click Configure.
This opens the Configure DNS Dialog Box.
Step 4 To enable DNS snooping, select Enable Dynamic Filter Snooping.
Enabling Traffic Classification and Actions for the Botnet Traffic Filter
This procedure enables the Botnet Traffic Filter, which compares the source and destination IP address in each initial connection packet to the IP addresses in the dynamic database, static database, DNS reverse lookup cache, and DNS host cache, and sends a syslog message for any matching traffic. The Botnet Traffic Filter can also drop the connection when matching traffic is encountered. For a particular interface, you can specify only one enable rule that identifies the traffic that is subject to Botnet Traffic Filtering; however, you can specify multiple drop rules to identify traffic that should be dropped by the Botnet Traffic Filter.
The DNS snooping is enabled separately (see Enabling DNS Snooping). Typically, for maximum use of the Botnet Traffic Filter, you need to enable DNS snooping, but you can use Botnet Traffic Filter logging independently if desired. Without DNS snooping for the dynamic database, the Botnet Traffic Filter uses only the static database entries, plus any IP addresses in the dynamic database; domain names in the dynamic database are not used.
What You Need To Know About Botnet Traffic Classification ACLs
When you configure the enable and drop rules, you have the option of specifying an extended ACL policy object to limit the traffic to which Botnet Traffic Filtering will be applied. If you do not specify an ACL object, filtering is done for all traffic: this is equivalent to specifying an ACL with the single rule permit IP any any.
If you want to specify an ACL so that filtering is performed on less than all traffic, keep the following in mind:
- Permit rules identify the traffic that is subject to Botnet Traffic Filtering. In drop rules, permit entries identify the traffic that the ASA is allowed to drop.
- Deny rules identify the traffic that should not be subject to filtering. The Botnet Traffic Filter ignores traffic that matches deny entries.
- The ACL that you select for drop rules should be a subset of the ACL used in the enable rule for the interface. For traffic to be dropped, it is not enough that a permit rule in the drop rule’s ACL matches it; the traffic must also match a permit rule in the enable rule’s ACL. This is because the drop rule is not considered until traffic permitted by an enable rule has first been identified as blocked.
We recommend enabling the Botnet Traffic Filter on all traffic on the Internet-facing interface, and enabling dropping of traffic with a severity of moderate and higher.
- Traffic Classification Tab
- BTF Enable Rules Editor
- BTF Drop Rules Editor
- Understanding Botnet Traffic Filtering
- Task Flow for Configuring the Botnet Traffic Filter
- Configuring the Dynamic Database
- Adding Entries to the Static Database
- Enabling DNS Snooping
- Botnet Traffic Filter Rules Page
Step 1 Do one of the following:
- (Device view) Select Firewall > Botnet Traffic Filter Rules from the Policy selector.
- (Policy view) Select Firewall > Botnet Traffic Filter Rules from the Policy Type selector. Select an existing policy or create a new one.
Note For devices in multiple context mode, you configure traffic classification on the security context.
This opens the Botnet Traffic Filter Rules Page.
Step 2 To enable the Botnet Traffic Filter on specified traffic, follow these steps:
a. On the Traffic Classification tab, click Add Row under the Enable Rules table.
This opens the BTF Enable Rules Editor.
b. In the Interfaces field, specify the interface or interfaces on which you want to enable the Botnet Traffic Filter. Normally, you want to enable the Internet-facing interface only. To select the interfaces or interface role objects using the Interfaces Selector, click Select (see Understanding Interface Role Objects).
You can configure a global classification that applies to all interfaces by selecting the All Interfaces role object (selected by default). If you configure an interface-specific classification, the settings for that interface override the global setting.
c. Do one of the following to identify the traffic that you want to monitor:
- To monitor all traffic, leave the ACL field blank.
- To specify the traffic that you want to monitor, click Select to the right of the ACL field to select an Access Control List object that identifies the traffic that you want to monitor. For example, you might want to monitor all port 80 traffic on the outside interface. For more information about Access Control List objects, see Creating Access Control List Objects.
Note You can specify only one enable rule per interface.
d. Click OK.
The BTF Enable Rules Editor closes and the rule is added to the Enable Rules table.
Step 3 To automatically drop malware traffic, follow these steps:
Note You must enable the Botnet Traffic Filter for the traffic you want to automatically drop before creating a drop rule for that traffic.
a. On the Traffic Classification tab, click Add Row under the Drop Rules table.
This opens the BTF Drop Rules Editor.
b. In the Interfaces field, specify the interface or interfaces on which you want to drop traffic. There must be a corresponding enable rule for the interface. To select the interfaces or interface role objects using the Interfaces Selector, click Select (see Understanding Interface Role Objects).
You can configure a global classification that applies to all interfaces by selecting the All Interfaces role object (selected by default). If you configure an interface-specific classification, the settings for that interface override the global setting.
c. Do one of the following to identify the traffic that you want to drop:
- To apply the drop rule to all of the traffic enabled for filtering on the interface, leave the ACL field blank.
- To limit the drop rule to specific traffic, click Select to the right of the ACL field to select an Access Control List object that identifies the traffic that you want to drop. For example, you might want to drop only port 80 traffic on the outside interface. For more information about Access Control List objects, see Creating Access Control List Objects.
d. In the Threat Level area, choose the threat levels of the traffic that you want dropped. The default level is a range between Moderate and Very High.
Note We highly recommend using the default setting unless you have strong reasons for changing the setting.
Note Entries on the static block list are always designated with a Very High threat level.
e. Click OK.
The BTF Drop Rules Editor closes and the rule is added to the Drop Rules table.
Step 4 To add more rules, repeat steps 2 and 3, as required. When finished adding rules, click Save to save your changes.
Step 5 To treat graylisted traffic as blocked traffic for action purposes, on the Dynamic Blacklist Configuration tab, check the Treat Ambiguous traffic as Blacklist check box.
If you do not enable this option, graylisted traffic will not be dropped if you configure a drop rule for that traffic.
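The address categories, the DNS reverse lookup cache, the enable/drop ACL semantics and the threat-level and ambiguous-traffic options described in this chapter, as a constructed Python model added here (it is not Cisco code and does not claim to show how the ASA implements the feature). The threat-level names, the (action, network, port) ACL tuples, the "All Interfaces" key and the caching of clean DNS names are assumptions made for this illustration; all databases and flows are constructed sample data.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

LEVELS = ["very-low", "low", "moderate", "high", "very-high"]  # ascending; default drop range is Moderate..Very High

def acl_permits(acl, dst_ip, port):
    """ACL entries are (action, network, port or None); first match wins. No ACL object
    (None) means 'permit ip any any'; no matching entry means the traffic is not filtered."""
    if acl is None:
        return True
    for action, network, aport in acl:
        if ip_address(dst_ip) in ip_network(network) and aport in (None, port):
            return action == "permit"
    return False

@dataclass
class Databases:
    dynamic_domains: dict = field(default_factory=dict)  # domain -> threat level
    dynamic_ips: dict = field(default_factory=dict)      # ip -> threat level (no DNS needed)
    static_block: set = field(default_factory=set)       # domains, hosts or subnets
    static_allow: set = field(default_factory=set)
    reverse_cache: dict = field(default_factory=dict)    # ip -> {name: level or None}

def _as_network(entry):
    """Static entries are IP hosts/subnets (returns the network) or domain names (returns
    None); a partial name such as "bad.example" covers every host on that domain."""
    try:
        return ip_network(entry, strict=False)
    except ValueError:
        return None

def _ip_listed(ip, entries):
    return any(n is not None and ip_address(ip) in n for n in map(_as_network, entries))

def _name_listed(name, entries):
    return any(_as_network(e) is None and (name == e or name.endswith("." + e)) for e in entries)

def snoop_dns_reply(db, name, ip):
    """DNS snooping: cache the name a host resolved to this IP with its level (static block names
    are always Very High; clean names get None, a simplification that makes shared IPs ambiguous)."""
    level = "very-high" if _name_listed(name, db.static_block) else next(
        (l for d, l in db.dynamic_domains.items() if name == d or name.endswith("." + d)), None)
    db.reverse_cache.setdefault(ip, {})[name] = level

def classify(db, ip):
    """Return (category, worst level): 'allowlist', 'blocklist', 'graylist' or 'unlisted'."""
    names = db.reverse_cache.get(ip, {})
    if _ip_listed(ip, db.static_allow) or any(_name_listed(n, db.static_allow) for n in names):
        return "allowlist", None        # the allow list wins over both block sources
    by_ip = "very-high" if _ip_listed(ip, db.static_block) else db.dynamic_ips.get(ip)
    levels = [l for l in [*names.values(), by_ip] if l is not None]
    if not levels:
        return "unlisted", None
    if any(l is None for l in names.values()):
        return "graylist", max(levels, key=LEVELS.index)  # also resolved from a clean name
    return "blocklist", max(levels, key=LEVELS.index)

@dataclass
class FilterConfig:
    enable_rules: dict = field(default_factory=dict)  # iface -> ACL (None = all traffic)
    drop_rules: dict = field(default_factory=dict)    # iface -> [(ACL, min_level, max_level)]
    ambiguous_is_black: bool = False                  # "Treat Ambiguous traffic as Blacklist"

def _for_interface(rules, iface, default):  # an interface-specific rule overrides All Interfaces
    return rules[iface] if iface in rules else rules.get("All Interfaces", default)

def evaluate(cfg, db, iface, dst_ip, port):
    """Decision for a connection's first packet: not-filtered, no-syslog, log or drop."""
    if not acl_permits(_for_interface(cfg.enable_rules, iface, []), dst_ip, port):
        return "not-filtered", None     # no enable rule, or a deny entry, exempts the traffic
    category, level = classify(db, dst_ip)
    if category == "unlisted":
        return "no-syslog", category
    if category == "allowlist" or (category == "graylist" and not cfg.ambiguous_is_black):
        return "log", category          # informational syslog only, never dropped
    for acl, lo, hi in _for_interface(cfg.drop_rules, iface, []):
        if acl_permits(acl, dst_ip, port) and LEVELS.index(lo) <= LEVELS.index(level) <= LEVELS.index(hi):
            return "drop", category     # reached only for traffic the enable ACL permitted
    return "log", category

def demo():
    db = Databases(dynamic_domains={"bad.example": "high"}, dynamic_ips={"198.51.100.9": "moderate"},
                   static_block={"evil.example", "203.0.113.0/24"}, static_allow={"cdn.example"})
    for name, ip in [("c2.bad.example", "192.0.2.10"), ("www.evil.example", "192.0.2.20"),
                     ("shared.bad.example", "192.0.2.30"), ("blog.clean.example", "192.0.2.30"),
                     ("img.cdn.example", "192.0.2.40"), ("x.bad.example", "192.0.2.40")]:
        snoop_dns_reply(db, name, ip)   # .30 also serves a clean name; .40 is on the allow list
    cfg = FilterConfig(enable_rules={"All Interfaces": None},  # filter all traffic everywhere
                       drop_rules={"outside": [(None, "moderate", "very-high")]})  # default range
    strict = FilterConfig({"outside": [("permit", "0.0.0.0/0", 80)]}, cfg.drop_rules, True)
    return {"dynamic_name": evaluate(cfg, db, "outside", "192.0.2.10", 443),
            "static_name": evaluate(cfg, db, "outside", "192.0.2.20", 443),
            "ambiguous": evaluate(cfg, db, "outside", "192.0.2.30", 443),
            "allowed": evaluate(cfg, db, "outside", "192.0.2.40", 443),
            "dynamic_ip": evaluate(cfg, db, "outside", "198.51.100.9", 443),
            "no_drop_rule": evaluate(cfg, db, "inside", "198.51.100.9", 443),
            "unknown": evaluate(cfg, db, "outside", "192.0.2.99", 443),
            "enable_acl_miss": evaluate(strict, db, "outside", "192.0.2.10", 443),
            "ambiguous_is_black": evaluate(strict, db, "outside", "192.0.2.30", 80)}
```

The returned dictionary pairs each constructed flow with its (action, category) decision; the no_drop_rule flow shows that a drop rule must exist for the interface where the enable rule matched, and enable_acl_miss shows that traffic outside the enable ACL is never classified at all.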
Botnet Traffic Filter Rules Page
You can use the Botnet Traffic Filter Rules page to define rules for identifying malicious traffic passing through your ASA security device.
The Botnet Traffic Filter Rules page is divided into three sections: the Dynamic Blacklist Configuration tab, the Traffic Classification tab, and the Whitelist/Blacklist tab.
To access the Botnet Traffic Filter Rules page, do one of the following:
- (Device view) Select a device, then select Firewall > Botnet Traffic Filter Rules from the Policy selector.
- (Policy view) Select Firewall > Botnet Traffic Filter Rules from the Policy Type selector. Select an existing policy or create a new one.
- (Map view) Right-click a device and select Edit Firewall Policies > Botnet Traffic Filter Rules.
- Understanding Botnet Traffic Filtering
- Task Flow for Configuring the Botnet Traffic Filter
- Dynamic Blacklist Configuration Tab
- Traffic Classification Tab
- BTF Enable Rules Editor
- BTF Drop Rules Editor
- Whitelist/Blacklist Tab
- Device Whitelist or Device Blacklist Dialog Box
- Configure DNS Dialog Box
Dynamic Blacklist Configuration Tab
Use the Dynamic Blacklist Configuration tab to enable database updates from the Cisco update server and to enable use of the downloaded dynamic database by the security appliance.
From the Botnet Traffic Filter Rules Page, click the Dynamic Blacklist Configuration tab.
- Configuring the Dynamic Database
- Understanding Botnet Traffic Filtering
- Task Flow for Configuring the Botnet Traffic Filter
- Botnet Traffic Filter Rules Page
- Traffic Classification Tab
- BTF Enable Rules Editor
- BTF Drop Rules Editor
- Whitelist/Blacklist Tab
- Device Whitelist or Device Blacklist Dialog Box
- Configure DNS Dialog Box
Traffic Classification Tab
Use the Traffic Classification tab to view or to configure the traffic classification definitions for a device or shared policy and to identify malicious traffic that you want automatically dropped. Traffic classification definitions (enable rules) consist of an interface or interface role with an associated ACL that identifies the traffic that is monitored by the Botnet Traffic Filter. You can configure settings for specific interfaces or for interface roles. You can use the All Interfaces role object to enable botnet filtering globally (selected by default). If you configure an interface-specific classification, the settings for that interface override any settings defined for an interface role.
For a particular interface, you can specify only one enable rule that identifies the traffic that is subject to Botnet Traffic Filtering; however, you can specify multiple drop rules to identify traffic that should be dropped by the Botnet Traffic Filter.
Note We highly recommend configuring Dynamic Filter Snooping for proper functioning of the Botnet Traffic Filter. When in Device view, Cisco Security Manager provides a link at the bottom of the Traffic Classification tab that will take you directly to the Inspection Rules page so that you can enable Dynamic Filter Snooping. For more information, see Enabling DNS Snooping.
The columns in the tables summarize the settings for an entry and are explained in BTF Enable Rules Editor and BTF Drop Rules Editor.
To configure traffic classification and actions:
- Click the Add Row button to add an interface or interface role to the table, and fill in the BTF Enable Rules Editor or BTF Drop Rules Editor.
- Select an entry and click the Edit Row button to edit an existing entry.
- Select an entry and click the Delete Row button to delete it.
From the Botnet Traffic Filter Rules Page, click the Traffic Classification tab.
- BTF Enable Rules Editor
- BTF Drop Rules Editor
- Enabling Traffic Classification and Actions for the Botnet Traffic Filter
- Understanding Botnet Traffic Filtering
- Task Flow for Configuring the Botnet Traffic Filter
- Botnet Traffic Filter Rules Page
- Dynamic Blacklist Configuration Tab
- Whitelist/Blacklist Tab
- Device Whitelist or Device Blacklist Dialog Box
- Configure DNS Dialog Box
BTF Enable Rules Editor
Use the BTF Enable Rules Editor to specify the interfaces on which you want to enable the Botnet Traffic Filter and to identify the traffic that you want to monitor. You can specify only one enable rule per interface.
To access the BTF Enable Rules Editor, right-click inside the work area of the Enable Rules table on the Traffic Classification tab and then select Add Row, or right-click an existing entry and select Edit Row.
- Enabling Traffic Classification and Actions for the Botnet Traffic Filter
- Understanding Botnet Traffic Filtering
- Task Flow for Configuring the Botnet Traffic Filter
- Botnet Traffic Filter Rules Page
- Dynamic Blacklist Configuration Tab
- Traffic Classification Tab
- BTF Drop Rules Editor
- Whitelist/Blacklist Tab
- Device Whitelist or Device Blacklist Dialog Box
- Configure DNS Dialog Box
| Element | Description |
|---|---|
| Interfaces | The interfaces or interface roles on which you want to enable the Botnet Traffic Filter. Enter the name of the interface or the interface role, or click Select to select the interface or role from a list, or to create a new role. An interface must already be defined to appear on the list. You can use the All Interfaces role object to enable botnet filtering globally (selected by default). If you configure an interface-specific classification, the settings for that interface override the global settings. Interface role objects are replaced with the actual interface names when the configuration is generated for each device. See Understanding Interface Role Objects. |
| ACL | Specifies the access list to use for identifying the traffic that you want to monitor. If you do not specify an access list, by default you monitor all traffic. To specify the traffic that you want to monitor, click Select to the right of the ACL field to select an Access Control List object that identifies the traffic that you want to monitor. For example, you might want to monitor all port 80 traffic on the outside interface. For more information about Access Control List objects, see Creating Access Control List Objects. |
BTF Drop Rules Editor
Use the BTF Drop Rules Editor to identify malware traffic that you want to automatically drop. You can specify multiple drop rules per interface.
To access the BTF Drop Rules Editor, right-click inside the work area of the Drop Rules table on the Traffic Classification tab and then select Add Row, or right-click an existing entry and select Edit Row.
- Enabling Traffic Classification and Actions for the Botnet Traffic Filter
- Understanding Botnet Traffic Filtering
- Task Flow for Configuring the Botnet Traffic Filter
- Botnet Traffic Filter Rules Page
- Dynamic Blacklist Configuration Tab
- Traffic Classification Tab
- BTF Enable Rules Editor
- Whitelist/Blacklist Tab
- Device Whitelist or Device Blacklist Dialog Box
- Configure DNS Dialog Box
| Element | Description |
|---|---|
| Interfaces | The interfaces or interface roles on which you want to enable the Botnet Traffic Filter. Enter the name of the interface or the interface role, or click Select to select the interface or role from a list, or to create a new role. An interface must already be defined to appear on the list. You can use the All Interfaces role object to enable botnet filtering globally (selected by default). If you configure an interface-specific classification, the settings for that interface override the global settings. Interface role objects are replaced with the actual interface names when the configuration is generated for each device. See Understanding Interface Role Objects. |
| ACL | Specifies the access list to use for identifying the traffic that you want to monitor. If you do not specify an access list, by default you monitor all traffic. To specify the traffic that you want to monitor, click Select to the right of the ACL field to select an Access Control List object that identifies the traffic that you want to monitor. For example, you might want to monitor all port 80 traffic on the outside interface. For more information about Access Control List objects, see Creating Access Control List Objects. |
| Threat Level | The Threat Level fields identify the threat level of malicious traffic that you want dropped. The default level is a range between Moderate and Very High. Note: We highly recommend using the default setting unless you have strong reasons for changing the setting. Note: Static block list entries are always designated with a Very High threat level. |
Whitelist/Blacklist Tab
Use the Whitelist/Blacklist tab to view or to configure the static database entries for a device or shared policy. The Device Blacklist contains domain names or IP addresses of malicious or undesirable sites. You can use the static block list to supplement the Cisco dynamic database or you can use the static block list alone if you can identify all the malware sites that you want to target.
The Device Whitelist contains domain names or IP addresses of sites that are deemed to be acceptable. If the dynamic database includes blocked addresses that you think should not be blocked, you can manually enter them into a static allow list. Static allow list entries take precedence over entries in the static block list and the Cisco dynamic database. Addresses on the allow list still generate syslog messages, but because you are only targeting syslog messages on the block list, they are informational.
To configure the static database:
- Click the Add Row button to define static database entries using the Device Whitelist or Device Blacklist Dialog Box.
- Select an entry and click the Edit Row button to edit an existing entry.
Timesaver Select an entry and press F2 or double-click on an entry in the Device Whitelist or Device Blacklist to edit that entry in place.
From the Botnet Traffic Filter Rules Page, click the Whitelist/Blacklist tab.
Device Whitelist or Device Blacklist Dialog Box
Use the Device Whitelist or Device Blacklist dialog box to manually define domain names or IP addresses that you want to add to the allow lists (safe) or block lists (malicious). You can use the static block list to supplement the Cisco dynamic database or you can use the static block list alone if you can identify all the malware sites that you want to target. Names or addresses that appear on both the allow list and the dynamic block list are identified only as allowed addresses in syslog messages and reports.
Domain names can be complete (including the host name, such as www.cisco.com), or partial (such as cisco.com). For partial names, all web site hosts on that domain are either allowed or blocked. You can also enter host IP addresses. Use a comma or new line to separate multiple entries.
From the Whitelist/Blacklist Tab, click the Add Rows button beneath the Device Whitelist or Device Blacklist tables, or select an entry and click the Edit Row button.
- Adding Entries to the Static Database
- Understanding Botnet Traffic Filtering
- Task Flow for Configuring the Botnet Traffic Filter
- Botnet Traffic Filter Rules Page
- Dynamic Blacklist Configuration Tab
- Traffic Classification Tab
- BTF Enable Rules Editor
- BTF Drop Rules Editor
- Whitelist/Blacklist Tab
- Configure DNS Dialog Box