Cisco ASA Series Command Reference, A - H Commands
dns domain-lookup -- dynamic-filter whitelist
Downloads: This chapterpdf (PDF - 458.0KB) The complete bookPDF (PDF - 9.37MB) | The complete bookePub (ePub - 770.0KB) | The complete bookMobi (Mobi - 818.0KB) | Feedback

Table of Contents

dns domain-lookup through dynamic-filter whitelist Commands

dns domain-lookup

dns expire-entry-timer

dns name-server

dns poll-timer

dns update

dns-group

dns-guard

dns-server

dns server-group

domain-name

domain-name (dns server-group)

downgrade

download-max-size

drop

drop-connection

dtls port

duplex

dynamic-access-policy-config

dynamic-access-policy-record

dynamic-authorization

dynamic-filter ambiguous-is-black

dynamic-filter blacklist

dynamic-filter database fetch

dynamic-filter database find

dynamic-filter database purge

dynamic-filter drop blacklist

dynamic-filter enable

dynamic-filter updater-client enable

dynamic-filter use-database

dynamic-filter whitelist

dns domain-lookup through dynamic-filter whitelist Commands

dns domain-lookup

To enable the ASA to send DNS requests to a DNS server to perform a name lookup for supported commands, use the dns domain-lookup command in global configuration mode. To disable DNS requests, use the no form of this command.

dns domain-lookup interface_name

no dns domain-lookup interface_name

 
Syntax Description

interface_name

Specifies the name of the configured interface.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes

  • Yes

 
Command History

Release
Modification

8.4(2)

This command was introduced.

 
Usage Guidelines

The command enable the ASA to send DNS requests to a DNS server to perform a name lookup for supported commands.

Examples

The following example enable the ASA to send DNS requests to a DNS server to perform a name lookup for the inside interface:

ciscoasa(config)# dns domain-lookup inside
 

 
Related Commands

Command
Description

clear configure dns

Removes all DNS commands.

dns server-group

Enters dns-server-group mode, in which you can configure a DNS server group.

show running-config dns-server group

Shows one or all the existing DNS server group configurations.

dns expire-entry-timer

To remove the IP address of a resolved FQDN after its TTL expires, use the dns expire-entry-timer command in global configuration mode. To remove the timer, use the no form of this command.

dns expire-entry-timer minutes minutes

no dns expire-entry-timer minutes minutes

 
Syntax Description

minutes minutes

Specifies the timer time in minutes. Valid values range from 1 to 65535 minutes.

 
Defaults

By default, the DNS expire-entry-timer value is 1 minute.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration mode

  • Yes

  • Yes

 
Command History

Release
Modification

8.4(2)

This command was introduced.

 
Usage Guidelines

The command specifies the time to remove the IP address of a resolved FQDN after its TTL expires. When the IP address is removed, the ASA recompiles the tmatch lookup table.

Specifying this command is only effective when the associated network object for the DNS is activated.

The default DNS expire-entry-timer value is 1 minute, which means that IP addresses are removed 1 minute after the TTL of the DNS entry expires.


Note The default setting might result in frequent recompilation of the tmatch lookup table when the resolved TTL of common FQDN hosts, such as www.sample.com, is a short time period. You can specify a long DNS expire-entry timer value to reduce the frequency of recompilation of the tmatch lookup table while maintaining security.


Examples

The following example removes resolved entries after 240 minutes:

ciscoasa(config)# dns expire-entry-timer minutes 240
 

 
Related Commands

Command
Description

clear configure dns

Removes all DNS commands.

dns server-group

Enters dns-server-group mode, in which you can configure a DNS server group.

show running-config dns-server group

Shows one or all the existing DNS server group configurations.

dns name-server

To configure a DNS server for the ASA, user the dns name-server command in global configuration mode. To remove the configuration, use the no form of this command.

dns name-server ipv4_addr | ipv6_addr

no dns name-server ipv4_addr | ipv6_addr

 
Syntax Description

ipv4_addr

Specifies the IPv4 address of the DNS server.

ipv6_addr

Specifies the IPv6 address of the DNS server.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes

  • Yes

 
Command History

Release
Modification

8.4(2)

This command was introduced.

9.0(1)

Support of IPv6 addresses was added.

 
Usage Guidelines

Use this command to identify a DNS server address for the ASA. The ASA supports both IPv4 and IPv6 addresses for DNS servers.

Examples

The following example configures a DNS server with an IPv6 address:

ciscoasa(config)# dns domain-lookup
ciscoasa(config)# dns name-server 8080:1:2::2
ciscoasa(config)# dns retries 4
ciscoasa(config)# dns timeout 10
 

 
Related Commands

Command
Description

clear configure dns

Removes all DNS commands.

dns server-group

Enters dns-server-group mode, in which you can configure a DNS server group.

show running-config dns-server group

Shows one or all the existing DNS server group configurations.

dns poll-timer

To specify the timer during which the ASA queries the DNS server to resolve fully qualified domain names (FQDN) that are defined in a network object group, use the dns poll-timer command in global configuration mode. To remove the timer, use the no form of this command.

dns poll-timer minutes minutes

no dns poll-timer minutes minutes

 
Syntax Description

minutes minutes

Specifies the timer in minutes. Valid values are from 1 to 65535 minutes.

 
Defaults

By default, the DNS timer is 240 minutes or 4 hours.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes

  • Yes

 
Command History

Release
Modification

8.4(2)

This command was introduced.

 
Usage Guidelines

This command specifies the timer during which the ASA queries the DNS server to resolve the FQDN that was defined in a network object group. A FQDN is resolved periodically when the poll DNS timer has expired or when the TTL of the resolved IP entry has expired, whichever comes first.

This command has effect only when at least one network object group has been activated.

Examples

The following example sets the DNS poll timer to 240 minutes:

ciscoasa(config)# dns poll-timer minutes 240
 

 
Related Commands

Command
Description

clear configure dns

Removes all DNS commands.

dns server-group

Enters dns-server-group mode, in which you can configure a DNS server group.

show running-config dns-server group

Shows one or all the existing DNS server-group configurations.

dns update

To start DNS lookup to resolve the designated hostnames without waiting for the expiration of the DNS poll timer, use the dns update command in privileged EXEC mode.

dns update [ host fqdn_name ] [ timeout seconds seconds ]

 
Syntax Description

host fqdn_name

Specifies the fully qualified domain name of the host on which to run DNS updates.

timeout seconds seconds

Specifies the timeout in seconds.

 
Defaults

By default, the timeout is 30 seconds.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC mode

  • Yes

  • Yes

 
Command History

Release
Modification

8.4(2)

This command was introduced.

 
Usage Guidelines

This command immediately starts a DNS lookup to resolve the designated hostnames without waiting for the expiration of the DNS poll timer. When you run DNS update without specifying an option, all activated host groups and FQDN hosts are selected for DNS lookup. When the command finishes running, the ASA displays [Done] at the command prompt and generates a syslog message.

When the update operation starts, a starting update log is created. When the update operation finishes or is aborted after the timer has expired, another syslog message is generated. Only one outstanding DNS update operation is allowed. If you reissue the command, an error message appears.

Examples

The following example performs a DNS update:

ciscoasa# dns update
ciscoasa# …
ciscoasa# [Done] dns update
 

 
Related Commands

Command
Description

clear configure dns

Removes all DNS commands.

dns server-group

Enters dns-server-group mode, in which you can configure a DNS server group.

show running-config dns-server group

Shows one or all the existing DNS server group configurations.

dns-group

To specify the DNS server to use for a WebVPN tunnel group, use the dns-group command in tunnel-group webvpn configuration mode. To restore the default DNS group, use the no form of this command.

dns-group name

no dns-group

 
Syntax Description

name

Specifies the name of the DNS server group configuration to use for the tunnel group.

 
Defaults

The default value is DefaultDNS.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tunnel-group webvpn-attributes configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.1(1)

This command was introduced.

 
Usage Guidelines

The name can specify any DNS group. The dns-group command resolves the hostname to the appropriate DNS server for the tunnel group.

You configure the DNS group using the dns server-group command.

Examples

The following example shows a customization command that specifies the use of the DNS group named “dnsgroup1”:

ciscoasa(config)# tunnel-group test type webvpn
ciscoasa(config)# tunnel-group test webvpn-attributes
ciscoasa(config-tunnel-webvpn)# dns-group dnsgroup1
ciscoasa(config-tunnel-webvpn)#
 

 
Related Commands

Command
Description

clear configure dns

Removes all DNS commands.

dns server-group

Enters dns-server-group mode, in which you can configure a DNS server group.

show running-config dns-server group

Shows one or all the existing DNS server group configurations.

tunnel-group webvpn-attributes

Enters the config-webvpn mode for configuring WebVPN tunnel group attributes.

dns-guard

To enable the DNS guard function, which enforces one DNS response per query, use the dns-guard command in parameters configuration mode. To disable this feature, use the no form of this command.

dns-guard

no dns-guard

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

DNS guard is enabled by default. This feature can be enabled when the inspect dns command is configured even if a policy-map type inspect dns command is not defined. To disable, the no dns-guard command must explicitly be stated in the policy map configuration. If the inspect dns command is not configured, the behavior is determined by the global dns-guard command.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Parameters configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.2(1)

This command was introduced.

 
Usage Guidelines

The identification field in the DNS header is used to match the DNS response with the DNS header. One response per query is allowed through the ASA.

Examples

The following example shows how to enable DNS guard in a DNS inspection policy map:

ciscoasa(config)# policy-map type inspect dns preset_dns_map
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# dns-guard
 

 
Related Commands

Command
Description

class

Identifies a class map name in the policy map.

class-map type inspect

Creates an inspection class map to match traffic specific to an application.

policy-map

Creates a Layer 3/4 policy map.

show running-config policy-map

Display all current policy map configurations.

dns-server

To set the IP address of the primary and secondary DNS servers, use the dns-server command in group-policy configuration mode. To remove the attribute from the running configuration, use the no form of this command.

dns-server { value ip_address [ ip_address ] | none }

no dns-server

 
Syntax Description

none

Sets the dns-server command to a null value, thereby allowing no DNS servers. Prevents inheriting a value from a default or specified group policy.

value ip_address

Specifies the IP address of the primary and secondary DNS servers.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

This command allows inheritance of a DNS server from another group policy. To prevent inheriting a server, use the dns-server none command.

Each time you issue the dns-server command, you overwrite the existing setting. For example, if you configure DNS server x.x.x.x and then configure DNS server y.y.y.y, the second command overwrites the first, and y.y.y.y becomes the sole DNS server. The same holds true for multiple servers. To add a DNS server rather than overwrite previously configured servers, include the IP addresses of all DNS servers when you enter this command.

Examples

The following example shows how to configure DNS servers with the IP addresses 10.10.10.15, and 10.10.10.45 for the group policy named FirstGroup.

ciscoasa(config)# group-policy FirstGroup attributes
ciscoasa(config-group-policy)# dns-server value 10.10.10.15 10.10.10.45
 

 
Related Commands

Command
Description

clear configure dns

Removes all DNS commands.

show running-config dns server-group

Shows the current running DNS server group configuration.

dns server-group

To specify the domain name, name server, number of retries, and timeout values for a DNS server to use for a tunnel group, use the dns server-group command in global configuration mode. To remove a particular DNS server group, use the no form of this command.

dns server -group name

no dns server-group

 
Syntax Description

name

Specifies the name of the DNS server group configuration to use for the tunnel group.

 
Defaults

The default value is DefaultDNS.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.1(1)

This command was introduced.

 
Usage Guidelines

The name can specify any DNS group. You configure the DNS group using the dns server-group command.

Examples

The following example configures a DNS server group named “eval”:

ciscoasa(config)# dns server-group eval
ciscoasa(config-dns-server-group)# domain-name cisco.com
ciscoasa(config-dns-server-group)# name-server 192.168.10.10
ciscoasa(config-dns-server-group)# retries 5
ciscoasa(config-dns-server-group)# timeout 7
ciscoasa(config-dns-server-group)#
 

 
Related Commands

Command
Description

clear configure dns

Removes all DNS commands.

show running-config dns server-group

Shows the current running DNS server group configuration.

domain-name

To set the default domain name, use the domain-name command in global configuration mode. To remove the domain name, use the no form of this command.

domain-name name

no domain-name [ name ]

 
Syntax Description

name

Sets the domain name, up to 63 characters.

 
Defaults

The default domain name is default.domain.invalid.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

The ASA appends the domain name as a suffix to unqualified names. For example, if you set the domain name to “example.com” and specify a syslog server by the unqualified name of “jupiter,” then the ASA qualifies the name to “jupiter.example.com.” For multiple context mode, you can set the domain name for each context, as well as within the system execution space.

Examples

The following example sets the domain to example.com:

ciscoasa(config)# domain-name example.com
 

 
Related Commands

Command
Description

dns domain-lookup

Enables the ASA to perform a name lookup.

dns name-server

Identifies a DNS server for the ASA.

hostname

Sets the ASA hostname.

show running-config domain-name

Shows the domain name configuration.

domain-name (dns server-group)

To set the default domain name, use the domain-name command in dns server-group configuration mode. To remove the domain name, use the no form of this command.

domain-name name

no domain-name [ name ]

 
Syntax Description

name

Sets the domain name, up to 63 characters.

 
Defaults

The default domain name is default.domain.invalid.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Dns server-group configuration

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.1(1)

This command replaces the dns domain-lookup command, which has been deprecated.

 
Usage Guidelines

The ASA appends the domain name as a suffix to unqualified names. For example, if you set the domain name to “example.com,” and specify a syslog server by the unqualified name of “jupiter,” then the ASA qualifies the name to “jupiter.example.com.” For multiple context mode, you can set the domain name for each context, as well as within the system execution space.

Examples

The following example sets the domain to “example.com” for “dnsgroup1”:

ciscoasa(config)# dns server-group dnsgroup1
ciscoasa(config-dns-server-group)# domain-name example.com
 

 
Related Commands

Command
Description

clear configure dns

Removes all DNS commands.

dns server-group

Enters dns-server-group configuration mode, in which you can configure a DNS server group.

domain-name

Sets the default domain name globally.

show running-config dns-server group

Shows one or all the current DNS server group configurations.

downgrade

To downgrade your software version, use the downgrade command in global configuration mode.

downgrade [ /noconfirm ] old_image_url old_config_url [ activation-key old_key ]

 
Syntax Description

activation-key old_key

(Optional) If you need to revert the activation key, then you can enter the old activation key.

old_config_url

Specifies the path to the saved, pre-migration configuration (by default this was saved on disk0).

old_image_url

Specifies the path to the old image on disk0, disk1, tftp, ftp, or smb.

/noconfirm

(Optional) Downgrades without prompting.

 
Command Default

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes

  • Yes

 
Command History

Release
Modification

8.3(1)

This command was introduced.

 
Usage Guidelines

This command is a shortcut for completing the following functions:

1. Clearing the boot image configuration ( clear configure boot ).

2. Setting the boot image to be the old image ( boot system ).

3. (Optional) Entering a new activation key ( activation-key ).

4. Saving the running configuration to startup ( write memory ). This sets the BOOT environment variable to the old image, so when you reload, the old image is loaded.

5. Copying the old configuration to the startup configuration ( copy old_config_url startup-config ).

6. Reloading ( reload ).

Examples

The following example downgrades without confirming:

ciscoasa(config)# downgrade /noconfirm disk0:/asa821-k8.bin disk0:/8_2_1_0_startup_cfg.sav
 

 
Related Commands

Command
Description

activation-key

Enters an activation key.

boot system

Sets the image to boot from.

clear configure boot

Clears the boot image configuration.

copy startup-config

Copies a configuration to the startup configuration.

download-max-size

To specify the maximum size allowed for an object to download, use the download-max-size command in group-policy webvpn configuration mode. To remove this object from the configuration, use the no version of this command.

download-max-size size

no download-max-size

 
Syntax Description

size

Specifies the maximum size allowed for a downloaded object. The range is 0 through 2147483647.

 
Defaults

The default size is 2147483647.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy webvpn configuration mode

  • Yes

  • Yes

 
Command History

Release
Modification

8.0(2)

This command was introduced.

 
Usage Guidelines

Setting the size to 0 effectively disallows object downloading.

Examples

The following example sets the maximum size for a downloaded object to 1500 bytes:

ciscoasa(config)# group-policy test attributes
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# download-max-size 1500
 

 
Related Commands

Command
Description

post-max-size

Specifies the maximum size of an object to post.

upload-max-size

Specifies the maximum size of an object to upload.

webvpn

Use in group-policy configuration mode or in username configuration mode. Lets you enter webvpn mode to configure parameters that apply to group policies or usernames.

webvpn

Use in global configuration mode. Lets you configure global settings for WebVPN.

drop

To drop all packets that match the match command or class command, use the drop command in match or class configuration mode. To disable this action, use the no form of this command.

drop [ send-protocol-error ] [ log ]

no drop [ send-protocol-error ] [ log ]

 
Syntax Description

log

Logs the match. The syslog message number depends on the application.

send-protocol-error

Sends a protocol error message.

 
Defaults

No default behaviors or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Match and class configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.2(1)

This command was introduced.

 
Usage Guidelines

When using the Modular Policy Framework, drop packets that match a match command or class map by using the drop command in match or class configuration mode. This drop action is available in an inspection policy map (the policy-map type inspect command) for application traffic; however, not all applications allow this action.

An inspection policy map consists of one or more match and class commands. The exact commands available for an inspection policy map depends on the application. After you enter the match or class command to identify application traffic (the class command refers to an existing class-map type inspect command that in turn includes match commands), you can enter the drop command to drop all packets that match the match command or class command.

If you drop a packet, then no further actions are performed in the inspection policy map. For example, if the first action is to drop the packet, then it will never match any further match or class commands. If the first action is to log the packet, then a second action, such as dropping the packet, can occur. You can configure both the drop and the log action for the same match or class command, in which case the packet is logged before it is dropped for a given match.

When you enable application inspection using the inspect command in a Layer 3/4 policy map (the policy-map command), you can enable the inspection policy map that contains this action, for example, enter the inspect http http_policy_map command where http_policy_map is the name of the inspection policy map.

Examples

The following example drops packets and sends a log when they match the HTTP traffic class map. If the same packet also matches the second match command, it will not be processed because it was already dropped.

ciscoasa(config-cmap)# policy-map type inspect http http-map1
ciscoasa(config-pmap)# class http-traffic
ciscoasa(config-pmap-c)# drop log
ciscoasa(config-pmap-c)# match req-resp content-type mismatch
ciscoasa(config-pmap-c)# reset log
 

 
Related Commands

Commands
Description

class

Identifies a class map name in the policy map.

class-map type inspect

Creates an inspection class map to match traffic specific to an application.

policy-map

Creates a Layer 3/4 policy map.

policy-map type inspect

Defines special actions for application inspection.

show running-config policy-map

Display all current policy map configurations.

drop-connection

When using the Modular Policy Framework, drop packets and close the connection for traffic that matches a match command or class map by using the drop-connection command in match or class configuration mode. To disable this action, use the no form of this command.

drop-connection [ send-protocol-error ] [ log ]

no drop-connection [ send-protocol-error ] [ log ]

 
Syntax Description

send-protocol-error

Sends a protocol error message.

log

Logs the match. The system log message number depends on the application.

 
Defaults

No default behaviors or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Match and class configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.2(1)

This command was introduced.

 
Usage Guidelines

The connection will be removed from the connection database on the ASA. Any subsequent packets entering the ASA for the dropped connection will be discarded. This drop-connection action is available in an inspection policy map (the policy-map type inspect command) for application traffic; however, not all applications allow this action. An inspection policy map consists of one or more match and class commands. The exact commands available for an inspection policy map depends on the application. After you enter the match or class command to identify application traffic (the class command refers to an existing class-map type inspect command that in turn includes match commands), you can enter the drop-connection command to drop packets and close the connection for traffic that matches the match command or class command.

If you drop a packet or close a connection, then no further actions are performed in the inspection policy map. For example, if the first action is to drop the packet and close the connection, then it will never match any further match or class commands. If the first action is to log the packet, then a second action, such as dropping the packet, can occur. You can configure both the drop-connection and the log action for the same match or class command, in which case the packet is logged before it is dropped for a given match.

When you enable application inspection using the inspect command in a Layer 3/4 policy map (the policy-map command), you can enable the inspection policy map that contains this action. For example, enter the inspect http http_policy_map command, where http_policy_map is the name of the inspection policy map.

Examples

The following example drops packets, closes the connection, and sends a log when they match the http-traffic class map. If the same packet also matches the second match command, it will not be processed because it was already dropped.

ciscoasa(config-cmap)# policy-map type inspect http http-map1
ciscoasa(config-pmap)# class http-traffic
ciscoasa(config-pmap-c)# drop-connection log
ciscoasa(config-pmap-c)# match req-resp content-type mismatch
ciscoasa(config-pmap-c)# reset log
 

 
Related Commands

Commands
Description

class

Identifies a class map name in the policy map.

class-map type inspect

Creates an inspection class map to match traffic specific to an application.

policy-map

Creates a Layer 3/4 policy map.

policy-map type inspect

Defines special actions for application inspection.

show running-config policy-map

Display all current policy map configurations.

dtls port

To specify a port for DTLS connections, use the dtls port command from webvpn configuration mode. To remove the command from the configuration, use the no form of this command:

dtls port number

no dtls port number

 
Syntax Description

number

The UDP port number, from 1 to 65535.

 
Defaults

The default port number is 443.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn configuration

  • Yes

  • Yes

 
Command History

Release
Modification

8.0(2)

This command was introduced.

 
Usage Guidelines

This command specifies the UDP port to be used for SSL VPN connections using DTLS.

DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays.

Examples

The following example enters webvpn configuration mode and specifies port 444 for DTLS:

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# dtls port 444
 

 
Related Commands

Command
Description

dtls enable

Enables DTLS on an interface.

svc dtls

Enables DTLS for groups or users establishing SSL VPN connections.

vpn-tunnel-protocol

Specifies VPN protocols that the ASA allows for remote access, including SSL.

duplex

To set the duplex of a copper (RJ-45) Ethernet interface, use the duplex command in interface configuration mode. To restore the duplex setting to the default, use the no form of this command.

duplex { auto | full | half }

no duplex

 
Syntax Description

auto

Auto-detects the duplex mode.

full

Sets the duplex mode to full duplex.

half

Sets the duplex mode to half duplex.

 
Defaults

The default is auto detect.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration

  • Yes
  • Yes
  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was moved from a keyword of the interface command to an interface configuration mode command.

 
Usage Guidelines

Set the duplex mode on the physical interface only.

The duplex command is not available for fiber media.

If your network does not support auto detection, set the duplex mode to a specific value.

For RJ-45 interfaces on the ASA 5500 series, the default auto-negotiation setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled.

If you set the duplex to anything other than auto on PoE ports, if available, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.

Examples

The following example sets the duplex mode to full duplex:

ciscoasa(config)# interface gigabitethernet0/1
ciscoasa(config-if)# speed 1000
ciscoasa(config-if)# duplex full
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address 10.1.1.1 255.255.255.0
ciscoasa(config-if)# no shutdown
 

 
Related Commands

Command
Description

clear configure interface

Clears all configuration for an interface.

interface

Configures an interface and enters interface configuration mode.

show interface

Displays the runtime status and statistics of interfaces.

show running-config interface

Shows the interface configuration.

speed

Sets the interface speed.

dynamic-access-policy-config

To configure a DAP record and the access policy attributes associated with it, use the dynamic-access-policy-config command in global configuration mode. To remove an existing DAP configuration, use the no form of this command.

dynamic-access-policy-config name | activate

no dynamic-access-policy-config

 
Syntax Description

activate

Activates the DAP selection configration file.

name

Specifies the name of the DAP record. The name can be up to 64 characters long and cannot contain spaces.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration (name)

  • Yes
  • Yes
  • Yes
  • Yes

Privileged EXEC (activate)

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.0(2)

This command was introduced.

9.0(1)

Support for multiple context mode was added.

 
Usage Guidelines

Use the dynamic-access-policy-config command in global configuration mode to create one or more DAP records. To activate a DAP selection configuration file, use the dynamic-access-policy-config command with the activate argument.

When you use this command, you enter dynamic-access-policy-record mode, in which you can set attributes for the named DAP record. The commands you can use in dynamic-access-policy-record mode include the following:

  • action
  • description
  • network-acl
  • priority
  • user-message
  • webvpn

Examples

The following example shows how to configure the DAP record named user1:

ciscoasa(config)# dynamic-access-policy-config user1
ciscoasa(config-dynamic-access-policy-record)#

 
Related Commands

Command
Description

dynamic-access-policy-record

Populates the DAP record with access policy attributes.

show running-config dynamic-access-policy-record

Displays the running configuration for all DAP records, or for the named DAP record.

dynamic-access-policy-record

To create a DAP record and populate it with access policy attributes, use the dynamic-access-policy-record command in global configuration mode. To remove an existing DAP record, use the no form of this command.

dynamic-access-policy-record name

no dynamic-access-policy-record name

 
Syntax Description

name

Specifies the name of the DAP record. The name can be up to 64 characters long and cannot contain spaces.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.0(2)

This command was introduced.

 
Usage Guidelines

Use the dynamic-access-policy-record command in global configuration mode to create one or more DAP records. When you use this command, you enter dynamic-access-policy-record mode, in which you can set attributes for the named DAP record. The commands you can use in dynamic-access-policy-record mode include the following:

  • action ( continue , terminate , or quarantine )
  • description
  • network-acl
  • priority
  • user-message
  • webvpn

Examples

The following example shows how to create a DAP record named Finance.

ciscoasa(config)# dynamic-access-policy-record Finance
ciscoasa(config-dynamic-access-policy-record)#

 
Related Commands

Command
Description

clear config dynamic-access-policy-record

Removes all DAP records or the named DAP record.

dynamic-access-policy-config url

Configures the DAP Selection Configuration file.

show running-config dynamic-access-policy-record

Displays the running configuration for all DAP records, or for the named DAP record.

dynamic-authorization

To enable RADIUS dynamic authorization (change of authorization) services for the AAA server group, use the dynamic-authorization command in aaa-server host configuration mode. To disable dynamic authorization, use the no form of this command.

dynamic-authorization port number

no dynamic-authorization port number

 
Syntax Description

port port_number

(Optional) Specifies the dynamic authorization port on the ASA. It can range from 1 to 65535.

 
Defaults

The default RADIUS port is 1645. By default dynamic-authorization is not enabled.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

9.1(2)

This command was introduced.

 
Usage Guidelines

Once defined, the corresponding RADIUS server group will be registered for CoA notification and the ASA will listen to the port for the CoA policy updates from ISE.

The following example shows how to add one RADIUS group with a single server:

ciscoasa(config)# aaa-server AuthOutbound protocol radius
ciscoasa(config-aaa-server-group)# exit
ciscoasa(config)# aaa-server AuthOutbound (inside) host 10.1.1.3
ciscoasa(config-aaa-server-host)# key RadUauthKey
ciscoasa(config-aaa-server-host)# exit
 

The following example shows how to configure an ISE server object for authorization-only, dynamic authorization (CoA) updates, and hourly periodic accounting:

ciscoasa(config)# aaa-server ise protocol radius
ciscoasa(config-aaa-server-group)# authorize-only
ciscoasa(config-aaa-server-group)# interim-accounting-update periodic 1
ciscoasa(config-aaa-server-group)# dynamic-authorization
ciscoasa(config-aaa-server-group)# exit
ciscoasa(config-aaa-server-group)# authorize-only
ciscoasa(config)# aaa-server ise (inside) host 10.1.1.3
ciscoasa(config-aaa-server-host)# key sharedsecret
ciscoasa(config-aaa-server-host)# exit
 

The following example shows how to configure a tunnel group for password authentication with ISE:

ciscoasa(config)# tunnel-group aaa-coa general-attributes
ciscoasa(config-tunnel-general)# address-pool vpn
ciscoasa(config-tunnel-general)# authentication-server-group ise
ciscoasa(config-tunnel-general)# accounting-server-group ise
ciscoasa(config-tunnel-general)# exit
 

The following example shows how to configure a tunnel group for local certificate validation and authorization with ISE:

ciscoasa(config)# tunnel-group aaa-coa general-attributes
ciscoasa(config-tunnel-general)# address-pool vpn
ciscoasa(config-tunnel-general)# authentication certificate
ciscoasa(config-tunnel-general)# authorization-server-group ise
ciscoasa(config-tunnel-general)# accounting-server-group ise
ciscoasa(config-tunnel-general)# exit
 

 
Related Commands

Command
Description

authorize-only

Enables authorize-only mode for the RADIUS server group.

interim-accounting-update

Enables the generation of RADIUS interim-accounting-update messages.

without-csd

Switches off hostscan processing for connections that are made to a specific tunnel-group.

dynamic-filter ambiguous-is-black

To treat Botnet Traffic Filter greylisted traffic as blacklisted traffic for dropping purposes, use the dynamic-filter ambiguous-is-black command in global configuration mode. To allow greylisted traffic, use the no form of this command.

dynamic-filter ambiguous-is-black

no dynamic-filter ambiguous-is-black

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

This command is disabled by default.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.2(2)

This command was introduced.

 
Usage Guidelines

If you configured the dynamic-filter enable command and then the dynamic-filter drop blacklist command, this command treats greylisted traffic as blacklisted traffic for dropping purposes. If you do not enable this command, greylisted traffic will not be dropped.

Ambiguous addresses are associated with multiple domain names, but not all of these domain names are on the blacklist. These addresses are on the greylist.

Examples

The following example monitors all port 80 traffic on the outside interface, and then drops blacklisted and greylisted traffic at a threat level of moderate or greater:

ciscoasa(config)# access-list dynamic-filter_acl extended permit tcp any any eq 80
ciscoasa(config)# dynamic-filter enable interface outside classify-list dynamic-filter_acl
ciscoasa(config)# dynamic-filter drop blacklist interface outside
ciscoasa(config)# dynamic-filter ambiguous-is-black
 

 
Related Commands

Command
Description

address

Adds an IP address to the blacklist or whitelist.

clear configure dynamic-filter

Clears the running Botnet Traffic Filter configuration.

clear dynamic-filter dns-snoop

Clears Botnet Traffic Filter DNS snooping data.

clear dynamic-filter reports

Clears Botnet Traffic filter report data.

clear dynamic-filter statistics

Clears Botnet Traffic filter statistics.

dns domain-lookup

Enables the ASA to send DNS requests to a DNS server to perform a name lookup for supported commands.

dns server-group

Identifies a DNS server for the ASA.

dynamic-filter blacklist

Edits the Botnet Traffic Filter blacklist.

dynamic-filter database fetch

Manually retrieves the Botnet Traffic Filter dynamic database.

dynamic-filter database find

Searches the dynamic database for a domain name or IP address.

dynamic-filter database purge

Manually deletes the Botnet Traffic Filter dynamic database.

dynamic-filter drop blacklist

Automatically drops blacklisted traffic.

dynamic-filter enable

Enables the Botnet Traffic Filter for a class of traffic or for all traffic if you do not specify an access list.

dynamic-filter updater-client enable

Enables downloading of the dynamic database.

dynamic-filter use-database

Enables use of the dynamic database.

dynamic-filter whitelist

Edits the Botnet Traffic Filter whitelist.

inspect dns dynamic-filter-snoop

Enables DNS inspection with Botnet Traffic Filter snooping.

name

Adds a name to the blacklist or whitelist.

show asp table dynamic-filter

Shows the Botnet Traffic Filter rules that are installed in the accelerated security path.

show dynamic-filter data

Shows information about the dynamic database, including when the dynamic database was last downloaded, the version of the database, how many entries the database contains, and 10 sample entries.

show dynamic-filter dns-snoop

Shows the Botnet Traffic Filter DNS snooping summary, or with the detail keyword, the actual IP addresses and names.

show dynamic-filter reports

Generates reports of the top 10 botnet sites, ports, and infected hosts.

show dynamic-filter statistics

Shows how many connections were monitored with the Botnet Traffic Filter, and how many of those connections match the whitelist, blacklist, and greylist.

show dynamic-filter updater-client

Shows information about the updater server, including the server IP address, the next time the ASA will connect with the server, and the database version last installed.

show running-config dynamic-filter

Shows the Botnet Traffic Filter running configuration.

dynamic-filter blacklist

To edit the Botnet Traffic Filter blacklist, use the dynamic-filter blacklist command in global configuration mode. To remove the blacklist, use the no form of this command.

dynamic-filter blacklist

no dynamic-filter blacklist

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.2(1)

This command was introduced.

 
Usage Guidelines

After you enter the dynamic-filter blacklist configuration mode, you can manually enter domain names or IP addresses (host or subnet) that you want to tag as bad names in a blacklist using the address and name commands. You can also enter names or IP addresses in a whitelist (see the dynamic-filter whitelist command), so that names or addresses that appear on both the dynamic blacklist and whitelist are identified only as whitelist addresses in syslog messages and reports. Note that you see syslog messages for whitelisted addresses even if the address is not also in the dynamic blacklist.

Static blacklist entries are always designated with a Very High threat level.

When you add a domain name to the static database, the ASA waits 1 minute, and then sends a DNS request for that domain name and adds the domain name/IP address pairing to the DNS host cache . (This action is a background process, and does not affect your ability to continue configuring the ASA). We recommend also enabling DNS packet inspection with Botnet Traffic Filter snooping (see the inspect dns dynamic-filter-snooping command). The ASA uses Botnet Traffic Filter snooping instead of the regular DNS lookup to resolve static blacklist domain names in the following circumstances:

  • The ASA DNS server is unavailable.
  • A connection is initiated during the 1-minute waiting period before the ASA sends the regular DNS request.

If DNS snooping is used, when an infected host sends a DNS request for a name on the static database, the ASA looks inside the DNS packets for the domain name and associated IP address and adds the name and IP address to the DNS reverse lookup cache.

The static database lets you augment the dynamic database with domain names or IP addresses that you want to blacklist.

If you do not enable Botnet Traffic Filter snooping, and one of the above circumstances occurs, then that traffic will not be monitored by the Botnet Traffic Filter.


Note This command requires ASA use of a DNS server; see the dns domain-lookup and dns server-group commands.


Examples

The following example creates entries for the blacklist and whitelist:

ciscoasa(config)# dynamic-filter blacklist
ciscoasa(config-llist)# name bad1.example.com
ciscoasa(config-llist)# name bad2.example.com
ciscoasa(config-llist)# address 10.1.1.1 255.255.255.0
 
ciscoasa(config-llist)# dynamic-filter whitelist
ciscoasa(config-llist)# name good.example.com
ciscoasa(config-llist)# name great.example.com
ciscoasa(config-llist)# name awesome.example.com
ciscoasa(config-llist)# address 10.1.1.2 255.255.255.255
 

 
Related Commands

Command
Description

address

Adds an IP address to the blacklist or whitelist.

clear configure dynamic-filter

Clears the running Botnet Traffic Filter configuration.

clear dynamic-filter dns-snoop

Clears Botnet Traffic Filter DNS snooping data.

clear dynamic-filter reports

Clears Botnet Traffic filter report data.

clear dynamic-filter statistics

Clears Botnet Traffic filter statistics.

dns domain-lookup

Enables the ASA to send DNS requests to a DNS server to perform a name lookup for supported commands.

dns server-group

Identifies a DNS server for the ASA.

dynamic-filter ambiguous-is-black

Treats greylisted traffic as blacklisted traffic for action purposes.

dynamic-filter database fetch

Manually retrieves the Botnet Traffic Filter dynamic database.

dynamic-filter database find

Searches the dynamic database for a domain name or IP address.

dynamic-filter database purge

Manually deletes the Botnet Traffic Filter dynamic database.

dynamic-filter drop blacklist

Automatically drops blacklisted traffic.

dynamic-filter enable

Enables the Botnet Traffic Filter for a class of traffic or for all traffic if you do not specify an access list.

dynamic-filter updater-client enable

Enables downloading of the dynamic database.

dynamic-filter use-database

Enables use of the dynamic database.

dynamic-filter whitelist

Edits the Botnet Traffic Filter whitelist.

inspect dns dynamic-filter-snoop

Enables DNS inspection with Botnet Traffic Filter snooping.

name

Adds a name to the blacklist or whitelist.

show asp table dynamic-filter

Shows the Botnet Traffic Filter rules that are installed in the accelerated security path.

show dynamic-filter data

Shows information about the dynamic database, including when the dynamic database was last downloaded, the version of the database, how many entries the database contains, and 10 sample entries.

show dynamic-filter dns-snoop

Shows the Botnet Traffic Filter DNS snooping summary, or with the detail keyword, the actual IP addresses and names.

show dynamic-filter reports

Generates reports of the top 10 botnet sites, ports, and infected hosts.

show dynamic-filter statistics

Shows how many connections were monitored with the Botnet Traffic Filter, and how many of those connections match the whitelist, blacklist, and greylist.

show dynamic-filter updater-client

Shows information about the updater server, including the server IP address, the next time the ASA will connect with the server, and the database version last installed.

show running-config dynamic-filter

Shows the Botnet Traffic Filter running configuration.

dynamic-filter database fetch

To test the download of the dynamic database for the Botnet Traffic Filter, use the dynamic-filter database fetch command in privileged EXEC mode.

dynamic-filter database fetch

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.2(1)

This command was introduced.

 
Usage Guidelines

The actual database is not stored on the ASA; it is downloaded and then discarded. Use this command for testing purposes only.

Examples

The following example tests the download of the dynamic database:

ciscoasa# dynamic-filter database fetch
 

 
Related Commands

Command
Description

address

Adds an IP address to the blacklist or whitelist.

clear configure dynamic-filter

Clears the running Botnet Traffic Filter configuration.

clear dynamic-filter dns-snoop

Clears Botnet Traffic Filter DNS snooping data.

clear dynamic-filter reports

Clears Botnet Traffic filter report data.

clear dynamic-filter statistics

Clears Botnet Traffic filter statistics.

dns domain-lookup

Enables the ASA to send DNS requests to a DNS server to perform a name lookup for supported commands.

dns server-group

Identifies a DNS server for the ASA.

dynamic-filter ambiguous-is-black

Treats greylisted traffic as blacklisted traffic for action purposes.

dynamic-filter blacklist

Edits the Botnet Traffic Filter blacklist.

dynamic-filter database find

Searches the dynamic database for a domain name or IP address.

dynamic-filter database purge

Manually deletes the Botnet Traffic Filter dynamic database.

dynamic-filter drop blacklist

Automatically drops blacklisted traffic.

dynamic-filter enable

Enables the Botnet Traffic Filter for a class of traffic or for all traffic if you do not specify an access list.

dynamic-filter updater-client enable

Enables downloading of the dynamic database.

dynamic-filter use-database

Enables use of the dynamic database.

dynamic-filter whitelist

Edits the Botnet Traffic Filter whitelist.

inspect dns dynamic-filter-snoop

Enables DNS inspection with Botnet Traffic Filter snooping.

name

Adds a name to the blacklist or whitelist.

show asp table dynamic-filter

Shows the Botnet Traffic Filter rules that are installed in the accelerated security path.

show dynamic-filter data

Shows information about the dynamic database, including when the dynamic database was last downloaded, the version of the database, how many entries the database contains, and 10 sample entries.

show dynamic-filter dns-snoop

Shows the Botnet Traffic Filter DNS snooping summary, or with the detail keyword, the actual IP addresses and names.

show dynamic-filter reports

Generates reports of the top 10 botnet sites, ports, and infected hosts.

show dynamic-filter statistics

Shows how many connections were monitored with the Botnet Traffic Filter, and how many of those connections match the whitelist, blacklist, and greylist.

show dynamic-filter updater-client

Shows information about the updater server, including the server IP address, the next time the ASA will connect with the server, and the database version last installed.

show running-config dynamic-filter

Shows the Botnet Traffic Filter running configuration.

dynamic-filter database find

To check if a domain name or IP address is included in the dynamic database for the Botnet Traffic Filter, use the dynamic-filter database find command in privileged EXEC mode.

dynamic-filter database find string

 
Syntax Description

string

The string can be the complete domain name or IP address, or you can enter part of the name or address, with a minimum search string of 3 characters. Regular expressions are not supported for the database search.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.2(1)

This command was introduced.

 
Usage Guidelines

If there are multiple matches, the first two matches are shown. To refine your search for a more specific match, enter a longer string.

Examples

The following example searches on the string “example.com,” and finds one match:

ciscoasa# dynamic-filter database find bad.example.com
 
bad.example.com
Found 1 matches
 

The following example searches on the string “bad,” and finds more than two matches:

ciscoasa# dynamic-filter database find bad
 
bad.example.com
bad.example.net
Found more than 2 matches, enter a more specific string to find an exact
match
 

 
Related Commands

Command
Description

dynamic-filter ambiguous-is-black

Treats greylisted traffic as blacklisted traffic for action purposes.

dynamic-filter drop blacklist

Automatically drops blacklisted traffic.

address

Adds an IP address to the blacklist or whitelist.

clear configure dynamic-filter

Clears the running Botnet Traffic Filter configuration.

clear dynamic-filter dns-snoop

Clears Botnet Traffic Filter DNS snooping data.

clear dynamic-filter reports

Clears Botnet Traffic filter report data.

clear dynamic-filter statistics

Clears Botnet Traffic filter statistics.

dns domain-lookup

Enables the ASA to send DNS requests to a DNS server to perform a name lookup for supported commands.

dns server-group

Identifies a DNS server for the ASA.

dynamic-filter blacklist

Edits the Botnet Traffic Filter blacklist.

dynamic-filter database fetch

Manually retrieves the Botnet Traffic Filter dynamic database.

dynamic-filter database purge

Manually deletes the Botnet Traffic Filter dynamic database.

dynamic-filter enable

Enables the Botnet Traffic Filter for a class of traffic or for all traffic if you do not specify an access list.

dynamic-filter updater-client enable

Enables downloading of the dynamic database.

dynamic-filter use-database

Enables use of the dynamic database.

dynamic-filter whitelist

Edits the Botnet Traffic Filter whitelist.

inspect dns dynamic-filter-snoop

Enables DNS inspection with Botnet Traffic Filter snooping.

name

Adds a name to the blacklist or whitelist.

show asp table dynamic-filter

Shows the Botnet Traffic Filter rules that are installed in the accelerated security path.

show dynamic-filter data

Shows information about the dynamic database, including when the dynamic database was last downloaded, the version of the database, how many entries the database contains, and 10 sample entries.

show dynamic-filter dns-snoop

Shows the Botnet Traffic Filter DNS snooping summary, or with the detail keyword, the actual IP addresses and names.

show dynamic-filter reports

Generates reports of the top 10 botnet sites, ports, and infected hosts.

show dynamic-filter statistics

Shows how many connections were monitored with the Botnet Traffic Filter, and how many of those connections match the whitelist, blacklist, and greylist.

show dynamic-filter updater-client

Shows information about the updater server, including the server IP address, the next time the ASA will connect with the server, and the database version last installed.

show running-config dynamic-filter

Shows the Botnet Traffic Filter running configuration.

dynamic-filter database purge

To manually delete the Botnet Traffic Filter dynamic database from running memory, use the dynamic-filter database purge command in privileged EXEC mode.

dynamic-filter database purge

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.2(1)

This command was introduced.

 
Usage Guidelines

The database files are stored in running memory; they are not stored in flash memory. If you need to delete the database, use the dynamic-filter database purge command.

Before you can purge the database files, disable use of the database using the no dynamic-filter use-database command.

Examples

The following example disables use of the database, and then purges the database:

ciscoasa(config)# no dynamic-filter use-database
ciscoasa(config)# dynamic-filter database purge
 

 
Related Commands

Command
Description

address

Adds an IP address to the blacklist or whitelist.

clear configure dynamic-filter

Clears the running Botnet Traffic Filter configuration.

clear dynamic-filter dns-snoop

Clears Botnet Traffic Filter DNS snooping data.

clear dynamic-filter reports

Clears Botnet Traffic filter report data.

clear dynamic-filter statistics

Clears Botnet Traffic filter statistics.

dns domain-lookup

Enables the ASA to send DNS requests to a DNS server to perform a name lookup for supported commands.

dns server-group

Identifies a DNS server for the ASA.

dynamic-filter ambiguous-is-black

Treats greylisted traffic as blacklisted traffic for action purposes.

dynamic-filter blacklist

Edits the Botnet Traffic Filter blacklist.

dynamic-filter database fetch

Manually retrieves the Botnet Traffic Filter dynamic database.

dynamic-filter database find

Searches the dynamic database for a domain name or IP address.

dynamic-filter drop blacklist

Automatically drops blacklisted traffic.

dynamic-filter enable

Enables the Botnet Traffic Filter for a class of traffic or for all traffic if you do not specify an access list.

dynamic-filter updater-client enable

Enables downloading of the dynamic database.

dynamic-filter use-database

Enables use of the dynamic database.

dynamic-filter whitelist

Edits the Botnet Traffic Filter whitelist.

inspect dns dynamic-filter-snoop

Enables DNS inspection with Botnet Traffic Filter snooping.

name

Adds a name to the blacklist or whitelist.

show asp table dynamic-filter

Shows the Botnet Traffic Filter rules that are installed in the accelerated security path.

show dynamic-filter data

Shows information about the dynamic database, including when the dynamic database was last downloaded, the version of the database, how many entries the database contains, and 10 sample entries.

show dynamic-filter dns-snoop

Shows the Botnet Traffic Filter DNS snooping summary, or with the detail keyword, the actual IP addresses and names.

show dynamic-filter reports

Generates reports of the top 10 botnet sites, ports, and infected hosts.

show dynamic-filter statistics

Shows how many connections were monitored with the Botnet Traffic Filter, and how many of those connections match the whitelist, blacklist, and greylist.

show dynamic-filter updater-client

Shows information about the updater server, including the server IP address, the next time the ASA will connect with the server, and the database version last installed.

show running-config dynamic-filter

Shows the Botnet Traffic Filter running configuration.

dynamic-filter drop blacklist

To automatically drop blacklisted traffic using the Botnet Traffic Filter, use the dynamic-filter drop blacklist command in global configuration mode. To disable the automatic dropping, use the no form of this command.

dynamic-filter drop blacklist [ interface name ] [ action-classify-list subset_access_list ] [ threat-level { eq level | range min max }]

no dynamic-filter drop blacklist [ interface name ] [ action-classify-list subset_access_list ] [ threat-level { eq level | range min max }]

 
Syntax Description

action-classify-list sub_access_list

(Optional) Identifies a subset of traffic that you want to drop . See the access-list extended command to create the access list.

The dropped traffic must always be equal to or a subset of the monitored traffic identified by the dynamic-filter enable command. For example, if you specify an access list for the dynamic-filter enable command, and you specify the action-classify-list for this command, then it must be a subset of the dynamic-filter enable access list.

interface name

(Optional) Limits monitoring to a specific interface. The dropped traffic must always be equal to or a subset of the monitored traffic identified by the dynamic-filter enable command.

Any interface-specific commands take precedence over the global command.

threat-level { eq level | range min max }

(Optional) Limits the traffic dropped by setting the threat level. If you do not explicitly set a threat level, the level used is threat-level range moderate very-high .

Note We highly recommend using the default setting unless you have strong reasons for changing the setting.

The level and min and max options are:

  • very-low
  • low
  • moderate
  • high
  • very-high

Note Static blacklist entries are always designated with a Very High threat level.

 
Defaults

This command is disabled by default.

The default threat level is threat-level range moderate very-high .

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.2(2)

This command was introduced.

 
Usage Guidelines

Be sure to first configure a dynamic-filter enable command for any traffic you want to drop; the dropped traffic must always be equal to or a subset of the monitored traffic.

You can enter this command multiple times for each interface and global policy. Make sure you do not specify overlapping traffic in multiple commands for a given interface/global policy. Because you cannot control the exact order that commands are matched, overlapping traffic means you do not know which command will be matched. For example, do not specify both a command that matches all traffic (without the action-classify-list keyword) as well as a command with the action-classify-list keyword for a given interface. In this case, the traffic might never match the command with the action-classify-list keyword. Similarly, if you specify multiple commands with the action-classify-list keyword, make sure each access list is unique, and that the networks do not overlap.

Examples

The following example monitors all port 80 traffic on the outside interface, and then drops traffic at a threat level of moderate or greater:

ciscoasa(config)# access-list dynamic-filter_acl extended permit tcp any any eq 80
ciscoasa(config)# dynamic-filter enable interface outside classify-list dynamic-filter_acl
ciscoasa(config)# dynamic-filter drop blacklist interface outside
 

 
Related Commands

Command
Description

address

Adds an IP address to the blacklist or whitelist.

clear configure dynamic-filter

Clears the running Botnet Traffic Filter configuration.

clear dynamic-filter dns-snoop

Clears Botnet Traffic Filter DNS snooping data.

clear dynamic-filter reports

Clears Botnet Traffic filter report data.

clear dynamic-filter statistics

Clears Botnet Traffic filter statistics.

dns domain-lookup

Enables the ASA to send DNS requests to a DNS server to perform a name lookup for supported commands.

dns server-group

Identifies a DNS server for the ASA.

dynamic-filter ambiguous-is-black

Treats greylisted traffic as blacklisted traffic for action purposes.

dynamic-filter blacklist

Edits the Botnet Traffic Filter blacklist.

dynamic-filter database fetch

Manually retrieves the Botnet Traffic Filter dynamic database.

dynamic-filter database find

Searches the dynamic database for a domain name or IP address.

dynamic-filter database purge

Manually deletes the Botnet Traffic Filter dynamic database.

dynamic-filter enable

Enables the Botnet Traffic Filter for a class of traffic or for all traffic if you do not specify an access list.

dynamic-filter updater-client enable

Enables downloading of the dynamic database.

dynamic-filter use-database

Enables use of the dynamic database.

dynamic-filter whitelist

Edits the Botnet Traffic Filter whitelist.

inspect dns dynamic-filter-snoop

Enables DNS inspection with Botnet Traffic Filter snooping.

name

Adds a name to the blacklist or whitelist.

show asp table dynamic-filter

Shows the Botnet Traffic Filter rules that are installed in the accelerated security path.

show dynamic-filter data

Shows information about the dynamic database, including when the dynamic database was last downloaded, the version of the database, how many entries the database contains, and 10 sample entries.

show dynamic-filter dns-snoop

Shows the Botnet Traffic Filter DNS snooping summary, or with the detail keyword, the actual IP addresses and names.

show dynamic-filter reports

Generates reports of the top 10 botnet sites, ports, and infected hosts.

show dynamic-filter statistics

Shows how many connections were monitored with the Botnet Traffic Filter, and how many of those connections match the whitelist, blacklist, and greylist.

show dynamic-filter updater-client

Shows information about the updater server, including the server IP address, the next time the ASA will connect with the server, and the database version last installed.

show running-config dynamic-filter

Shows the Botnet Traffic Filter running configuration.

dynamic-filter enable

To enable the Botnet Traffic Filter, use the dynamic-filter enable command in global configuration mode. To disable the Botnet Traffic Filter, use the no form of this command.

dynamic-filter enable [ interface name ] [ classify-list access_list ]

no dynamic-filter enable [ interface name ] [ classify-list access_list ]

 
Syntax Description

classify-list access_list

Identifies the traffic that you want to monitor using an extended access list (see the access-list extended command). If you do not create an access list, by default you monitor all traffic.

interface name

Limits monitoring to a specific interface.

 
Defaults

The Botnet Traffic Filter is disabled by default.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.2(1)

This command was introduced.

 
Usage Guidelines

The Botnet Traffic Filter compares the source and destination IP address in each initial connection packet to the IP addresses in the dynamic database, static database, DNS reverse lookup cache, and DNS host cache, and sends a syslog message or drops any matching traffic.

Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data) can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP address. The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic database of known bad domain names and IP addresses, and then logs any suspicious activity. You can also supplement the dynamic database with a static database by entering IP addresses or domain names in a local “blacklist” or “whitelist.”

The DNS snooping is enabled separately (see the inspect dns dynamic-filter-snoop command). Typically, for maximum use of the Botnet Traffic Filter, you need to enable DNS snooping, but you can use Botnet Traffic Filter logging independently if desired. Without DNS snooping for the dynamic database, the Botnet Traffic Filter uses only the static database entries, plus any IP addresses in the dynamic database; domain names in the dynamic database are not used.

Botnet Traffic Filter Address Categories

Addresses monitored by the Botnet Traffic Filter include:

  • Known malware addresses—These addresses are on the “blacklist.”
  • Known allowed addresses—These addresses are on the “whitelist.”
  • Ambiguous addresses—These addresses are associated with multiple domain names, but not all of these domain names are on the blacklist. These addresses are on the “greylist.”
  • Unlisted addresses—These addresses are unknown, and not included on any list.

Botnet Traffic Filter Actions for Known Addresses

You can configure the Botnet Traffic Filter to log suspicious activity using the dynamic-filter enable conmmand, and you can optionally configure it to block suspicious traffic automatically using the dynamic-filter drop blacklist command.

Unlisted addresses do not generate any syslog messages, but addresses on the blacklist, whitelist, and greylist generate syslog messages differentiated by type. The Botnet Traffic Filter generates detailed syslog messages numbered 338 nnn . Messages differentiate between incoming and outgoing connections, blacklist, whitelist, or greylist addresses, and many other variables. (The greylist includes addresses that are associated with multiple domain names, but not all of these domain names are on the blacklist.)

See the syslog messages guide for detailed information about syslog messages.

Examples

The following example monitors all port 80 traffic on the outside interface, and then drops traffic at a threat level of moderate or greater:

ciscoasa(config)# access-list dynamic-filter_acl extended permit tcp any any eq 80
ciscoasa(config)# dynamic-filter enable interface outside classify-list dynamic-filter_acl
ciscoasa(config)# dynamic-filter drop blacklist interface outside
 

 
Related Commands

Command
Description

address

Adds an IP address to the blacklist or whitelist.

clear configure dynamic-filter

Clears the running Botnet Traffic Filter configuration.

clear dynamic-filter dns-snoop

Clears Botnet Traffic Filter DNS snooping data.

clear dynamic-filter reports

Clears Botnet Traffic filter report data.

clear dynamic-filter statistics

Clears Botnet Traffic filter statistics.

dns domain-lookup

Enables the ASA to send DNS requests to a DNS server to perform a name lookup for supported commands.

dns server-group

Identifies a DNS server for the ASA.

dynamic-filter ambiguous-is-black

Treats greylisted traffic as blacklisted traffic for action purposes.

dynamic-filter blacklist

Edits the Botnet Traffic Filter blacklist.

dynamic-filter database fetch

Manually retrieves the Botnet Traffic Filter dynamic database.

dynamic-filter database find

Searches the dynamic database for a domain name or IP address.

dynamic-filter database purge

Manually deletes the Botnet Traffic Filter dynamic database.

dynamic-filter drop blacklist

Automatically drops blacklisted traffic.

dynamic-filter updater-client enable

Enables downloading of the dynamic database.

dynamic-filter use-database

Enables use of the dynamic database.

dynamic-filter whitelist

Edits the Botnet Traffic Filter whitelist.

inspect dns dynamic-filter-snoop

Enables DNS inspection with Botnet Traffic Filter snooping.

name

Adds a name to the blacklist or whitelist.

show asp table dynamic-filter

Shows the Botnet Traffic Filter rules that are installed in the accelerated security path.

show dynamic-filter data

Shows information about the dynamic database, including when the dynamic database was last downloaded, the version of the database, how many entries the database contains, and 10 sample entries.

show dynamic-filter dns-snoop

Shows the Botnet Traffic Filter DNS snooping summary, or with the detail keyword, the actual IP addresses and names.

show dynamic-filter reports

Generates reports of the top 10 botnet sites, ports, and infected hosts.

show dynamic-filter statistics

Shows how many connections were monitored with the Botnet Traffic Filter, and how many of those connections match the whitelist, blacklist, and greylist.

show dynamic-filter updater-client

Shows information about the updater server, including the server IP address, the next time the ASA will connect with the server, and the database version last installed.

show running-config dynamic-filter

Shows the Botnet Traffic Filter running configuration.

dynamic-filter updater-client enable

To enable downloading of the dynamic database from the Cisco update server for the Botnet Traffic Filter, use the dynamic-filter updater-client enable command in global configuration mode. To disable downloading of the dynamic database, use the no form of this command.

dynamic-filter updater-client enable

no dynamic-filter updater-client enable

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

Downloading is disabled by default.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes

  • Yes

 
Command History

Release
Modification

8.2(1)

This command was introduced.

 
Usage Guidelines

If you do not have a database already installed on the ASA, it downloads the database after approximately 2 minutes. The update server determines how often the ASA polls the server for future updates, typically every hour.

The Botnet Traffic Filter can receive periodic updates for the dynamic database from the Cisco update server.

This database lists thousands of known bad domain names and IP addresses. When the domain name in a DNS reply matches a name in the dynamic database, the Botnet Traffic Filter adds the name and IP address to the DNS reverse lookup cache . When the infected host starts a connection to the IP address of the malware site, then the ASA sends a syslog message informing you of the suspicious activity.

To use the database, be sure to configure a domain name server for the ASA so that it can access the URL. To use the domain names in the dynamic database, you need to enable DNS packet inspection with Botnet Traffic Filter snooping; the ASA looks inside the DNS packets for the domain name and associated IP address.

In some cases, the IP address itself is supplied in the dynamic database, and the Botnet Traffic Filter logs any traffic to that IP address without having to inspect DNS requests.

The database files are stored in running memory; they are not stored in flash memory. If you need to delete the database, use the dynamic-filter database purge command.


Note This command requires ASA use of a DNS server; see the dns domain-lookup and dns server-group commands.


Examples

The following multiple mode example enables downloading of the dynamic database, and enables use of the database in context1 and context2:

ciscoasa(config)# dynamic-filter updater-client enable
ciscoasa(config)# changeto context context1
ciscoasa/context1(config)# dynamic-filter use-database
ciscoasa/context1(config)# changeto context context2
ciscoasa/context2(config)# dynamic-filter use-database
 

The following single mode example enables downloading of the dynamic database, and enables use of the database:

ciscoasa(config)# dynamic-filter updater-client enable
ciscoasa(config)# dynamic-filter use-database
 

 
Related Commands

Command
Description

address

Adds an IP address to the blacklist or whitelist.

clear configure dynamic-filter

Clears the running Botnet Traffic Filter configuration.

clear dynamic-filter dns-snoop

Clears Botnet Traffic Filter DNS snooping data.

clear dynamic-filter reports

Clears Botnet Traffic filter report data.

clear dynamic-filter statistics

Clears Botnet Traffic filter statistics.

dns domain-lookup

Enables the ASA to send DNS requests to a DNS server to perform a name lookup for supported commands.

dns name-server

Identifies a DNS server for the ASA.

dynamic-filter ambiguous-is-black

Treats greylisted traffic as blacklisted traffic for action purposes.

dynamic-filter blacklist

Edits the Botnet Traffic Filter blacklist.

dynamic-filter database fetch

Manually retrieves the Botnet Traffic Filter dynamic database.

dynamic-filter database find

Searches the dynamic database for a domain name or IP address.

dynamic-filter database purge

Manually deletes the Botnet Traffic Filter dynamic database.

dynamic-filter drop blacklist

Automatically drops blacklisted traffic.

dynamic-filter enable

Enables the Botnet Traffic Filter for a class of traffic or for all traffic if you do not specify an access list.

dynamic-filter use-database

Enables use of the dynamic database.

dynamic-filter whitelist

Edits the Botnet Traffic Filter whitelist.

inspect dns dynamic-filter-snoop

Enables DNS inspection with Botnet Traffic Filter snooping.

name

Adds a name to the blacklist or whitelist.

show asp table dynamic-filter

Shows the Botnet Traffic Filter rules that are installed in the accelerated security path.

show dynamic-filter data

Shows information about the dynamic database, including when the dynamic database was last downloaded, the version of the database, how many entries the database contains, and 10 sample entries.

show dynamic-filter dns-snoop

Shows the Botnet Traffic Filter DNS snooping summary, or with the detail keyword, the actual IP addresses and names.

show dynamic-filter reports

Generates reports of the top 10 botnet sites, ports, and infected hosts.

show dynamic-filter statistics

Shows how many connections were monitored with the Botnet Traffic Filter, and how many of those connections match the whitelist, blacklist, and greylist.

show dynamic-filter updater-client

Shows information about the updater server, including the server IP address, the next time the ASA will connect with the server, and the database version last installed.

show running-config dynamic-filter

Shows the Botnet Traffic Filter running configuration.

dynamic-filter use-database

To enable use of the dynamic database for the Botnet Traffic Filter, use the dynamic-filter use-database command in global configuration mode. To disable use of the dynamic database, use the no form of this command.

dynamic-filter use-database

no dynamic-filter use-database

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

Use of the database is disabled by default.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.2(1)

This command was introduced.

 
Usage Guidelines

Disabling use of the downloaded database is useful in multiple context mode, so you can configure use of the database on a per-context basis. To enable downloading of the dynamic database, see the dynamic-filter updater-client enable command.

Examples

The following multiple mode example enables downloading of the dynamic database, and enables use of the database in context1 and context2:

ciscoasa(config)# dynamic-filter updater-client enable
ciscoasa(config)# changeto context context1
ciscoasa/context1(config)# dynamic-filter use-database
ciscoasa/context1(config)# changeto context context2
ciscoasa/context2(config)# dynamic-filter use-database
 

The following single mode example enables downloading of the dynamic database, and enables use of the database:

ciscoasa(config)# dynamic-filter updater-client enable
ciscoasa(config)# dynamic-filter use-database
 

 
Related Commands

Command
Description

address

Adds an IP address to the blacklist or whitelist.

clear configure dynamic-filter

Clears the running Botnet Traffic Filter configuration.

clear dynamic-filter dns-snoop

Clears Botnet Traffic Filter DNS snooping data.

clear dynamic-filter reports

Clears Botnet Traffic filter report data.

clear dynamic-filter statistics

Clears Botnet Traffic filter statistics.

dns domain-lookup

Enables the ASA to send DNS requests to a DNS server to perform a name lookup for supported commands.

dns server-group

Identifies a DNS server for the ASA.

dynamic-filter ambiguous-is-black

Treats greylisted traffic as blacklisted traffic for action purposes.

dynamic-filter blacklist

Edits the Botnet Traffic Filter blacklist.

dynamic-filter database fetch

Manually retrieves the Botnet Traffic Filter dynamic database.

dynamic-filter database find

Searches the dynamic database for a domain name or IP address.

dynamic-filter database purge

Manually deletes the Botnet Traffic Filter dynamic database.

dynamic-filter drop blacklist

Automatically drops blacklisted traffic.

dynamic-filter enable

Enables the Botnet Traffic Filter for a class of traffic or for all traffic if you do not specify an access list.

dynamic-filter updater-client enable

Enables downloading of the dynamic database.

dynamic-filter whitelist

Edits the Botnet Traffic Filter whitelist.

inspect dns dynamic-filter-snoop

Enables DNS inspection with Botnet Traffic Filter snooping.

name

Adds a name to the blacklist or whitelist.

show asp table dynamic-filter

Shows the Botnet Traffic Filter rules that are installed in the accelerated security path.

show dynamic-filter data

Shows information about the dynamic database, including when the dynamic database was last downloaded, the version of the database, how many entries the database contains, and 10 sample entries.

show dynamic-filter dns-snoop

Shows the Botnet Traffic Filter DNS snooping summary, or with the detail keyword, the actual IP addresses and names.

show dynamic-filter reports

Generates reports of the top 10 botnet sites, ports, and infected hosts.

show dynamic-filter statistics

Shows how many connections were monitored with the Botnet Traffic Filter, and how many of those connections match the whitelist, blacklist, and greylist.

show dynamic-filter updater-client

Shows information about the updater server, including the server IP address, the next time the ASA will connect with the server, and the database version last installed.

show running-config dynamic-filter

Shows the Botnet Traffic Filter running configuration.

dynamic-filter whitelist

To edit the Botnet Traffic Filter whitelist, use the dynamic-filter whitelist command in global configuration mode. To remove the whitelist, use the no form of this command.

dynamic-filter whitelist

no dynamic-filter whitelist

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.2(1)

This command was introduced.

 
Usage Guidelines

The static database lets you augment the dynamic database with domain names or IP addresses that you want to whitelist. After you enter the dynamic-filter whitelist configuration mode, you can manually enter domain names or IP addresses (host or subnet) that you want to tag as good names in a whitelist using the address and name commands. Names or addresses that appear on both the dynamic blacklist and static whitelist are identified only as whitelist addresses in syslog messages and reports. Note that you see syslog messages for whitelisted addresses even if the address is not also in the dynamic blacklist. You can enter names or IP addresses in the static blacklist using the dynamic-filter blacklist command.

When you add a domain name to the static database, the ASA waits 1 minute, and then sends a DNS request for that domain name and adds the domain name/IP address pairing to the DNS host cache . (This action is a background process, and does not affect your ability to continue configuring the ASA). We recommend also enabling DNS packet inspection with Botnet Traffic Filter snooping (see the inspect dns dynamic-filter-snooping command). The ASA uses Botnet Traffic Filter snooping instead of the regular DNS lookup to resolve static blacklist domain names in the following circumstances:

  • The ASA DNS server is unavailable.
  • A connection is initiated during the 1 minute waiting period before the ASA sends the regular DNS request.

If DNS snooping is used, when an infected host sends a DNS request for a name on the static database, the ASA looks inside the DNS packets for the domain name and associated IP address and adds the name and IP address to the DNS reverse lookup cache.

If you do not enable Botnet Traffic Filter snooping, and one of the above circumstances occurs, then that traffic will not be monitored by the Botnet Traffic Filter.


Note This command requires ASA use of a DNS server; see the dns domain-lookup and dns server-group commands.


Examples

The following example creates entries for the blacklist and whitelist:

ciscoasa(config)# dynamic-filter blacklist
ciscoasa(config-llist)# name bad1.example.com
ciscoasa(config-llist)# name bad2.example.com
ciscoasa(config-llist)# address 10.1.1.1 255.255.255.0
 
ciscoasa(config-llist)# dynamic-filter whitelist
ciscoasa(config-llist)# name good.example.com
ciscoasa(config-llist)# name great.example.com
ciscoasa(config-llist)# name awesome.example.com
ciscoasa(config-llist)# address 10.1.1.2 255.255.255.255
 

 
Related Commands

Command
Description

address

Adds an IP address to the blacklist or whitelist.

clear configure dynamic-filter

Clears the running Botnet Traffic Filter configuration.

clear dynamic-filter dns-snoop

Clears Botnet Traffic Filter DNS snooping data.

clear dynamic-filter reports

Clears Botnet Traffic filter report data.

clear dynamic-filter statistics

Clears Botnet Traffic filter statistics.

dns domain-lookup

Enables the ASA to send DNS requests to a DNS server to perform a name lookup for supported commands.

dns server-group

Identifies a DNS server for the ASA.

dynamic-filter ambiguous-is-black

Treats greylisted traffic as blacklisted traffic for action purposes.

dynamic-filter blacklist

Edits the Botnet Traffic Filter blacklist.

dynamic-filter database fetch

Manually retrieves the Botnet Traffic Filter dynamic database.

dynamic-filter database find

Searches the dynamic database for a domain name or IP address.

dynamic-filter database purge

Manually deletes the Botnet Traffic Filter dynamic database.

dynamic-filter drop blacklist

Automatically drops blacklisted traffic.

dynamic-filter enable

Enables the Botnet Traffic Filter for a class of traffic or for all traffic if you do not specify an access list.

dynamic-filter updater-client enable

Enables downloading of the dynamic database.

dynamic-filter use-database

Enables use of the dynamic database.

inspect dns dynamic-filter-snoop

Enables DNS inspection with Botnet Traffic Filter snooping.

name

Adds a name to the blacklist or whitelist.

show asp table dynamic-filter

Shows the Botnet Traffic Filter rules that are installed in the accelerated security path.

show dynamic-filter data

Shows information about the dynamic database, including when the dynamic database was last downloaded, the version of the database, how many entries the database contains, and 10 sample entries.

show dynamic-filter dns-snoop

Shows the Botnet Traffic Filter DNS snooping summary, or with the detail keyword, the actual IP addresses and names.

show dynamic-filter reports

Generates reports of the top 10 botnet sites, ports, and infected hosts.

show dynamic-filter statistics

Shows how many connections were monitored with the Botnet Traffic Filter, and how many of those connections match the whitelist, blacklist, and greylist.

show dynamic-filter updater-client

Shows information about the updater server, including the server IP address, the next time the ASA will connect with the server, and the database version last installed.

show running-config dynamic-filter

Shows the Botnet Traffic Filter running configuration.