Cisco ASA 5512-X Configuration Guide

Cisco ASA Series Firewall CLI Configuration Guide
Chapter 18 Threat Detection
If you already configured this command as part of the basic threat detection configuration, then those
settings are shared with the scanning threat detection feature; you cannot configure separate rates for
basic and scanning threat detection. If you do not set the rates using this command, the default values
are used for both the scanning threat detection feature and the basic threat detection feature. You can
configure up to three different rate intervals, by entering separate commands.
Monitoring Threat Detection
The following topics explain how to monitor threat detection and view traffic statistics.
• Monitoring Basic Threat Detection Statistics
• Monitoring Advanced Threat Detection Statistics
• Evaluating Host Threat Detection Statistics
• Monitoring Shunned Hosts, Attackers, and Targets
Monitoring Basic Threat Detection Statistics
To display basic threat detection statistics, use the following command:
show threat-detection rate [min-display-rate min_display_rate]
[acl-drop | bad-packet-drop | conn-limit-drop | dos-drop | fw-drop |
icmp-drop | inspect-drop | interface-drop | scanning-threat | syn-attack]
The min-display-rate min_display_rate argument limits the display to statistics that exceed the
minimum display rate in events per second. You can set the min_display_rate between 0 and
2147483647.
The other arguments let you limit the display to specific categories. For a description of each event type,
see Basic Threat Detection Statistics, page 18-2.
The output shows the average rate in events/sec over two fixed time periods: the last 10 minutes and the
last 1 hour. It also shows: the current burst rate in events/sec over the last completed burst interval, which
is 1/30th of the average rate interval or 10 seconds, whichever is larger; the number of times the rates
were exceeded (triggered); and the total number of events over the time periods.
The ASA stores the count at the end of each burst period, for a total of 30 completed burst intervals. The
unfinished burst interval presently occurring is not included in the average rate. For example, if the
average rate interval is 20 minutes, then the burst interval is 20 seconds. If the last burst interval was
from 3:00:00 to 3:00:20, and you use the show command at 3:00:25, then the last 5 seconds are not
included in the output.
The only exception to this rule is if the number of events in the unfinished burst interval already exceeds
the number of events in the oldest burst interval (#1 of 30) when calculating the total events. In that case,
the ASA calculates the total events as the last 29 complete intervals, plus the events so far in the
unfinished burst interval. This exception lets you monitor a large increase in events in real time.
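The burst-interval bookkeeping described above, modeled in Python for the 10-minute rate interval (for which 1/30th is 20 seconds). This is an added illustration, not Cisco code or ASA output; the class and function names, the constructed traffic, the average-rate formula, and the choice to apply the exception only once 30 intervals are stored are assumptions.

```python
from collections import deque

BURSTS = 30  # completed burst intervals the ASA stores

def burst_interval_s(avg_interval_s):
    """1/30th of the average rate interval or 10 seconds, whichever is larger."""
    return max(avg_interval_s / BURSTS, 10)


class RateWindow:
    """Hypothetical model of one rate interval, not ASA code."""

    def __init__(self, avg_interval_s):
        self.avg_interval_s = avg_interval_s
        self.completed = deque(maxlen=BURSTS)  # oldest count first
        self.unfinished = 0

    def event(self, n=1):
        self.unfinished += n

    def close_burst(self):
        """End of a burst period: store the count, start a new interval."""
        self.completed.append(self.unfinished)
        self.unfinished = 0

    def total_events(self):
        # Assumption: the exception applies only once 30 intervals are stored.
        full = len(self.completed) == BURSTS
        if full and self.unfinished > self.completed[0]:
            # Last 29 complete intervals plus the events so far.
            return sum(self.completed) - self.completed[0] + self.unfinished
        return sum(self.completed)

    def average_eps(self):
        # Assumption: completed events divided by the average rate interval.
        return sum(self.completed) / self.avg_interval_s


def demo():
    w = RateWindow(avg_interval_s=10 * 60)  # 10-min interval, 20 s bursts
    for _ in range(BURSTS):  # constructed traffic: 2 events per burst
        w.event(2)
        w.close_burst()
    quiet = w.total_events()   # unfinished interval is empty
    w.event(1)
    steady = w.total_events()  # 1 does not exceed the oldest count (2)
    w.event(499)               # spike inside the unfinished interval
    spike = w.total_events()   # 29 * 2 + 500
    return quiet, steady, spike, w.average_eps()
```

In this model the spike shows up in the total immediately, while the average rate stays unchanged until the burst interval completes.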
You can clear statistics using the clear threat-detection rate command.
The following is sample output from the show threat-detection rate command:
hostname# show threat-detection rate
                          Average(eps)    Current(eps) Trigger      Total events
  10-min ACL drop:                   0               0       0                16
