
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-239864

CAT I (High)

The Cisco ASA must be configured to implement scanning threat detection.

Rule ID

SV-239864r891328_rule

STIG

Cisco ASA Firewall Security Technical Implementation Guide

Version

V2R1

CCIs

CCI-002385

Discussion

In a port scanning attack, an unauthorized application is used to scan the host devices for available services and open ports for subsequent use in an attack. This type of scanning can be used as a DoS attack when the probing packets are sent excessively.

Check Content

NOTE: When operating the ASA in multi-context mode with a separate IDPS, threat detection cannot be enabled and this check is Not Applicable.

Review the ASA configuration to determine if scanning threat detection has been enabled.

threat-detection scanning-threat shun

NOTE: The parameter "shun" is an optional parameter in the Cisco documentation, but is required here to offer additional protection by dropping further connections from the threat.

If the ASA has not been configured to enable scanning threat detection, this is a finding.

Fix Text

Configure scanning threat detection as shown in the example below.

ASA(config)# threat-detection scanning-threat shun
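The Check Content and Fix Text above can be applied mechanically to a saved running-config. The script below is an added example written for this page, not DISA's or STIGhub's code: it reports V-239864 as compliant only when a line beginning with `threat-detection scanning-threat shun` is present (trailing options after `shun` are tolerated), treats `scanning-threat` without `shun` as a finding per the NOTE, and emits the fix command. The sample configs are constructed; the multi-context/separate-IDPS Not Applicable condition cannot be read from config text, so the caller decides that.

```python
import re

# Constructed sample ASA running-config excerpts (not from a real device).
COMPLIANT_CONFIG = """\
hostname ASA-EDGE
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics access-list
"""
NO_SHUN_CONFIG = """\
hostname ASA-EDGE
threat-detection basic-threat
threat-detection scanning-threat
"""
MISSING_CONFIG = """\
hostname ASA-EDGE
threat-detection basic-threat
"""

# Remediation command from the Fix Text.
FIX_COMMAND = "threat-detection scanning-threat shun"

# Top-level ASA command; "no threat-detection ..." lines do not match by design.
SCANNING_RE = re.compile(r"^\s*threat-detection\s+scanning-threat(?:\s+(\S.*))?$")


def check_v239864(running_config: str) -> dict:
    """Evaluate STIG V-239864 against ASA running-config text.

    Returns {'status': 'compliant' | 'finding', 'detail': str, 'fix': str | None}.
    """
    for raw in running_config.splitlines():
        line = raw.rstrip()
        m = SCANNING_RE.match(line)
        if not m:
            continue
        options = (m.group(1) or "").split()
        if options and options[0] == "shun":
            return {"status": "compliant", "detail": line.strip(), "fix": None}
        # scanning-threat is enabled but connections from the scanner are not dropped.
        return {"status": "finding",
                "detail": "scanning-threat enabled without 'shun': " + line.strip(),
                "fix": FIX_COMMAND}
    return {"status": "finding",
            "detail": "threat-detection scanning-threat not configured",
            "fix": FIX_COMMAND}


if __name__ == "__main__":
    for name, cfg in [("compliant", COMPLIANT_CONFIG), ("no-shun", NO_SHUN_CONFIG),
                      ("missing", MISSING_CONFIG)]:
        print(name, check_v239864(cfg))
```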