19-7
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 19 Managing Firewall Botnet Traffic Filter Rules
Task Flow for Configuring the Botnet Traffic Filter
Botnet Traffic Filter can also drop the connection when matching traffic is encountered. For a particular
interface, you can specify only one enable rule that identifies the traffic that is subject to Botnet Traffic
Filtering; however, you can specify multiple drop rules to identify traffic that should be dropped by the
Botnet Traffic Filter.
DNS snooping is enabled separately (see Enabling DNS Snooping, page 19-6). Typically, to get the
most out of the Botnet Traffic Filter, you need to enable DNS snooping, but you can use Botnet
Traffic Filter logging independently if desired. Without DNS snooping for the dynamic database, the
Botnet Traffic Filter uses only the static database entries, plus any IP addresses in the dynamic database;
domain names in the dynamic database are not used.
What You Need To Know About Botnet Traffic Classification ACLs
When you configure the enable and drop rules, you have the option of specifying an extended ACL
policy object to limit the traffic to which Botnet Traffic Filtering will be applied. If you do not specify
an ACL object, filtering is done for all traffic: this is equivalent to specifying an ACL with the single
rule permit IP any any.
If you want to specify an ACL so that filtering is performed on less than all traffic, keep the following
in mind:
Permit rules identify the traffic that is subject to Botnet Traffic Filtering. In drop rules, permit entries
identify the traffic that the ASA is allowed to drop.
Deny rules identify the traffic that should not be subject to filtering. The Botnet Traffic Filter ignores
traffic that matches deny entries.
The ACL that you select for drop rules should be a subset of the ACL used in the enable rules for
the interface. For traffic to be dropped, there must not only be a permit rule in the drop rule’s ACL,
the traffic must also fall under a permit rule in the enable rule’s ACL. This is because the drop rule
is not considered until traffic permitted in an enable rule has first been identified as blacklisted.
We recommend enabling the Botnet Traffic Filter on all traffic on the Internet-facing interface, and
enabling dropping of traffic with a severity of moderate and higher.
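The evaluation order described above (enable ACL first, then the blacklist lookup, then the drop ACL and severity threshold) is easy to get wrong when the drop ACL is not a subset of the enable ACL. The following Python model is an added example written for this page; it is not Cisco Security Manager or ASA code. It uses constructed ACLs, a constructed blacklist, and assumed severity names (very-low through very-high) to show which flows are ignored, logged, or dropped, and includes a helper that flags drop-ACL permits that the enable ACL never reaches, which is exactly the misconfiguration the subset rule warns about.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# An extended ACL entry (hypothetical simplified form: action, source, destination, protocol).
@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "ip"                # "ip" matches any protocol

@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str

def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s, strict=False)

def acl_action(acl: List[Ace], flow: Flow) -> str:
    """First-match evaluation with an implicit deny at the end, as on an ASA."""
    for ace in acl:
        if ace.proto in ("ip", flow.proto) and flow.src in ace.src and flow.dst in ace.dst:
            return ace.action
    return "deny"

# Assumed severity ordering used only by this model.
SEVERITY = {"very-low": 1, "low": 2, "moderate": 3, "high": 4, "very-high": 5}

def classify(flow: Flow, enable_acl: List[Ace], drop_acl: List[Ace],
             blacklist: Dict[ipaddress.IPv4Address, str],
             drop_threshold: str = "moderate") -> str:
    """Apply the order the guide describes: enable rule, blacklist match, then drop rule."""
    # 1. Traffic that the enable ACL does not permit is never inspected by the filter.
    if acl_action(enable_acl, flow) != "permit":
        return "ignored"
    # 2. Only blacklisted traffic goes any further.
    hit: Optional[str] = blacklist.get(flow.dst) or blacklist.get(flow.src)
    if hit is None:
        return "clean"
    # 3. Drop only if the drop ACL permits it and the severity meets the threshold; otherwise log.
    if SEVERITY[hit] >= SEVERITY[drop_threshold] and acl_action(drop_acl, flow) == "permit":
        return "dropped"
    return "logged"

def drop_not_subset(enable_acl: List[Ace], drop_acl: List[Ace], flows: List[Flow]) -> List[Flow]:
    """Flows the drop ACL permits but the enable ACL does not: they can never actually be dropped."""
    return [f for f in flows
            if acl_action(drop_acl, f) == "permit" and acl_action(enable_acl, f) != "permit"]

# Constructed sample configuration: filter all inside-to-Internet traffic except a scanner subnet.
ENABLE_ACL = [
    Ace("deny", net("10.1.1.0/24"), net("0.0.0.0/0")),
    Ace("permit", net("10.0.0.0/8"), net("0.0.0.0/0")),
]
# Constructed drop ACL; the second entry is a mistake, since the enable ACL denies 10.1.1.0/24.
DROP_ACL = [
    Ace("permit", net("10.2.0.0/16"), net("0.0.0.0/0"), "tcp"),
    Ace("permit", net("10.1.1.0/24"), net("0.0.0.0/0")),
]
# Constructed blacklist (documentation addresses only), mapping address -> severity.
BLACKLIST = {
    ipaddress.ip_address("203.0.113.10"): "high",
    ipaddress.ip_address("198.51.100.7"): "low",
}
SAMPLE_FLOWS = [
    Flow(ipaddress.ip_address("10.2.5.5"), ipaddress.ip_address("203.0.113.10"), "tcp"),
    Flow(ipaddress.ip_address("10.2.5.5"), ipaddress.ip_address("198.51.100.7"), "tcp"),
    Flow(ipaddress.ip_address("10.3.0.9"), ipaddress.ip_address("203.0.113.10"), "tcp"),
    Flow(ipaddress.ip_address("10.1.1.4"), ipaddress.ip_address("203.0.113.10"), "tcp"),
    Flow(ipaddress.ip_address("10.2.5.5"), ipaddress.ip_address("192.0.2.1"), "udp"),
]

def run_sample() -> List[str]:
    """Classify every sample flow against the constructed configuration."""
    return [classify(f, ENABLE_ACL, DROP_ACL, BLACKLIST) for f in SAMPLE_FLOWS]

if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, run_sample()):
        print(f"{flow.src} -> {flow.dst}/{flow.proto}: {verdict}")
    for f in drop_not_subset(ENABLE_ACL, DROP_ACL, SAMPLE_FLOWS):
        print(f"drop ACL permits {f.src} -> {f.dst} but the enable ACL does not; it will never be dropped")
```

The third flow is logged rather than dropped because the drop ACL does not permit the 10.3.0.0 source, and the fourth is ignored outright even though the drop ACL lists it, which `drop_not_subset` reports. Running a sample of expected flows through a check like this before pushing the policy catches the subset mistake without having to reason about the ACLs by hand.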
Related Topics
Traffic Classification Tab, page 19-11
BTF Enable Rules Editor, page 19-12
BTF Drop Rules Editor, page 19-13
Understanding Botnet Traffic Filtering, page 19-1
Task Flow for Configuring the Botnet Traffic Filter, page 19-2
Configuring the Dynamic Database, page 19-4
Adding Entries to the Static Database, page 19-5
Enabling DNS Snooping, page 19-6
Botnet Traffic Filter Rules Page, page 19-9
Step 1 Do one of the following:
(Device view) Select Firewall > Botnet Traffic Filter Rules from the Policy selector.
(Policy view) Select Firewall > Botnet Traffic Filter Rules from the Policy Type selector. Select
an existing policy or create a new one.