Move Botnet C&C into IPS Profile
Security Profiles > Intrusion Prevention has a new Botnet C&C option. It consolidates the previously separate botnet settings into a single option in the IPS profile, so that you can enable botnet C&C blocking in one place for all traffic that matches a policy using that profile.
The new Security Profiles > Intrusion Prevention > Botnet C&C option replaces and enhances the old Network Interfaces > Scan Outgoing Connections to Botnet Sites option.
To configure Botnet C&C IP blocking using the GUI:
- Go to Security Profiles > Intrusion Prevention and enable Botnet C&C by setting Scan Outgoing Connections to Botnet Sites to Block or Monitor.
- Add the above sensor to the firewall policy and the IPS engine will start to scan outgoing connections to botnet sites.
For example, when a host behind the FortiGate connects to a known botnet C&C IP address, the connection is blocked or allowed according to the sensor setting and an IPS log entry is generated for the event.
To configure Botnet C&C IP blocking using the CLI:
The config ips sensor command now has a new scan-botnet-connections option.
    config ips sensor
        edit "Demo"
            set scan-botnet-connections <disable | block | monitor>
        next
    end
Botnet IPs and Botnet Domains moved to Intrusion Prevention section
In System > FortiGuard, Botnet IPs and Botnet Domains are now in the Intrusion Prevention section.
Botnet C&C Domain Blocking
Configuring Security Profiles > DNS Filter > Redirect botnet C&C requests to Block Portal is unchanged from version 6.0.4. Add the DNS filter profile to a firewall policy to block connections to botnet domains.
Botnet C&C URL Blocking
Configuring Security Profiles > Intrusion Prevention > Block malicious URLs is unchanged from version 6.0.4. Enable Block malicious URLs in the IPS sensor and then add the sensor to a firewall policy.
Botnet C&C Signature Blocking
Both this version and version 6.0.4 include IPS signatures for botnet traffic. Include these signatures in the IPS sensor and then add the sensor to a firewall policy to detect or block traffic that matches them.
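The following is an added example, not taken from this page or from Fortinet's documentation, that puts the CLI side of the sections above together: one IPS sensor with scan-botnet-connections set to block and malicious URL blocking enabled, one DNS filter profile that redirects botnet C&C lookups to the block portal, and one firewall policy that applies both. The sensor, profile, interface and policy names and the policy ID are placeholders. Only scan-botnet-connections appears on this page; the option names block-malicious-url (IPS sensor) and block-botnet (DNS filter profile) are assumed from the 6.x CLI and should be confirmed with "set ?" on your unit before use. Lines starting with "#" are explanatory comments and must be stripped before pasting into the CLI.

```text
# Added example: IPS sensor that blocks outgoing botnet C&C connections and malicious URLs
config ips sensor
    edit "botnet-block"                      # assumed sensor name
        set comment "Block outgoing botnet C&C connections"
        set block-malicious-url enable       # assumed option name; "Block malicious URLs" in the GUI
        set scan-botnet-connections block    # option from this page; use monitor to log only
    next
end

# DNS filter profile that redirects botnet C&C domain lookups to the block portal
config dnsfilter profile
    edit "botnet-dns"                        # assumed profile name
        set block-botnet enable              # assumed option name; "Redirect botnet C&C requests to Block Portal" in the GUI
    next
end

# Outbound firewall policy that applies both profiles to all matching traffic
config firewall policy
    edit 10                                  # assumed policy ID
        set name "lan-to-wan-botnet"
        set srcintf "internal"               # assumed interface names
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable                # required for the security profiles to be applied
        set ips-sensor "botnet-block"
        set dnsfilter-profile "botnet-dns"
        set logtraffic all                   # log allowed and blocked sessions for verification
    next
end

# Confirm the sensor settings took effect
show ips sensor "botnet-block"
```

Setting scan-botnet-connections to monitor first and reviewing the resulting IPS logs for a few days is a reasonable way to check for false positives on internal infrastructure before switching the sensor to block.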