How do I force my ASA 5510 to ignore ASA SYN scans from internal servers?

Hello All,

I manage a network that has Quintum devices that provide analogue to SIP conversion. The ASA 5510 is constantly flagging this device as sending SYN scans. The Quintum is on an internal trusted DMZ (through the ASA 5510). How do I force the ASA to ignore this particular device as it relates to SYN scanning? In other words, I don't want the ASA to monitor or flag this device as related to SYN attacks.

Thanks in advance.
QuintumUser asked:

JZeolla commented:
It could be, if the IP is legitimate traffic.  My assumption is that your Quintum device is getting inadvertently shunned.
 
Rafael commented:
Have you looked at putting it into a group and then trusting the group, or blocking it altogether in the policies?
 
JZeolla commented:
Tune your firewall by adjusting (raising) the threat-detection average-rate and burst-rates.

threat-detection rate syn-attack rate-interval 600 average-rate 30 burst-rate 45

This says that I will only shun syn-attacks which average 30 SYNs per second over 600 seconds, or shun them immediately if they hit 45 SYNs per second.


Does this answer your question?
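To make the two thresholds in that command concrete, here is an added example (not ASA code and not from anyone in this thread): a small model that measures one source's SYNs per second both averaged over the rate interval and over a short burst window, and reports which threshold would trip under the thread's values versus a constructed tighter policy. The burst window of rate-interval/30 (at least 10 seconds) is my assumption about how the ASA evaluates burst rate, and the SIP gateway traffic profile is constructed.

```python
# Added example: model of ASA rate-based SYN-attack thresholds (not ASA code).
# Assumption: burst window = rate_interval / 30, minimum 10 s (not stated in thread).
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SynAttackPolicy:
    rate_interval: int  # seconds over which the average rate is taken
    average_rate: int   # SYNs/sec allowed on average over rate_interval
    burst_rate: int     # SYNs/sec allowed within one burst window

    @property
    def burst_window(self) -> int:
        return max(10, self.rate_interval // 30)  # 20 s for a 600 s interval


# Values from the thread's command: rate-interval 600 average-rate 30 burst-rate 45
THREAD_POLICY = SynAttackPolicy(rate_interval=600, average_rate=30, burst_rate=45)
# Constructed tighter policy for contrast only (not an ASA default)
STRICT_POLICY = SynAttackPolicy(rate_interval=600, average_rate=10, burst_rate=15)


def build_sample_events() -> List[Tuple[int, int]]:
    """Constructed SYN profile for a SIP gateway: 12 SYNs/sec steady for
    600 s, plus a 20 s call-setup surge of 8 extra SYNs/sec at t=300..319."""
    counts = {t: 12 for t in range(600)}
    for t in range(300, 320):
        counts[t] += 8
    return sorted(counts.items())


def evaluate(events: List[Tuple[int, int]], policy: SynAttackPolicy) -> Dict[str, object]:
    """events: (second, syn_count) pairs from one source within one rate interval."""
    total = sum(c for _, c in events)
    average = total / policy.rate_interval
    # Busiest sliding window of burst_window seconds gives the burst rate.
    busiest, run, j = 0, 0, 0
    for t, c in events:
        run += c
        while events[j][0] <= t - policy.burst_window:  # drop seconds outside window
            run -= events[j][1]
            j += 1
        busiest = max(busiest, run)
    burst = busiest / policy.burst_window
    return {"average_rate": average, "burst_rate": burst,
            "average_exceeded": average > policy.average_rate,
            "burst_exceeded": burst > policy.burst_rate}


if __name__ == "__main__":
    for name, pol in (("thread", THREAD_POLICY), ("strict", STRICT_POLICY)):
        print(name, evaluate(build_sample_events(), pol))
```

With the constructed profile the gateway averages about 12.3 SYNs/sec and peaks at 20 SYNs/sec over a 20 s window, so it trips the strict policy on both counts but stays under the 30/45 values from the command above.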
 
QuintumUser (author) commented:
Rcaballerojr, I am not sure how to put in a group to exclude the firewall from looking for Syn scans.

JZeolla, I will try to adjust the thresholds to see if that helps. When an IP is shunned will that affect my device negatively?

Thanks for the responses
 
QuintumUser (author) commented:
Setting thresholds took care of it, thanks!!