This section includes the recommended configuration for single and multiple context mode, as well as other possible configurations. Be sure to identify a DNS server for the ASA so that it can access the Cisco update server URL.
The following is sample output from the show dynamic-filter statistics command:

Generates reports of the top 10 malware sites, ports, and infected hosts monitored.

In multiple context mode, the system downloads the database for all contexts using the admin context interface; be sure to identify a DNS server in the admin context.
The Whole Buffer option shows all buffered infected-hosts information. Reports can be saved as an HTML file.

Shows the Botnet Traffic Filter DNS snooping summary, or with the detail keyword, the actual IP addresses and names.

You return to the Traffic Settings pane. See the general operations configuration guide for more information.
All existing service rules that include DNS inspection are listed in the table.
The detail option shows how many packets at each threat level were classified or dropped.
Step 1 (Optional) Identify the traffic that you want to monitor or drop: If you do not create an ACL for monitoring, by default you monitor all traffic.

This section includes the following topics:

The Botnet Traffic Filter generates detailed syslog messages numbered 338nnn.

Shows information about the updater server, including the server IP address, the next time the ASA will connect with the server, and the database version last installed.

Enable ASA use of a DNS server (in the Device Management > DNS > DNS Client > DNS Lookup area).

Step 2 To enable the Botnet Traffic Filter on specified traffic, perform the following steps: a.

Disable use of the database by unchecking the Use Botnet data dynamically downloaded from updater server check box.

Enabling DNS snooping on all UDP DNS traffic, including traffic going to an internal DNS server, creates unnecessary load on the ASA.
If you use the static database, entries are added to the DNS host cache (see About the Static Database for information about using the static database with DNS snooping and the DNS reverse lookup cache). You can enter this command multiple times for multiple entries.

Monitoring > Botnet Traffic Filter > ASP Table Hits.

Any interface-specific commands take precedence over the global command.

Step 4 (Optional) If you configured the dynamic-filter drop blacklist command, then this command treats greylisted traffic as blacklisted traffic for dropping purposes: If you do not enable this command, greylisted traffic will not be dropped.

For the DNS host cache, the maximum number of blacklist entries and whitelist entries is 1000 each.

To add or edit ACLs, click Manage ACL to bring up the ACL Manager. For example, do not specify both a rule that matches --ALL TRAFFIC-- and a command with an ACL for a given interface.