Fortinet Document Library


New Features

6.2.0

Move Botnet C&C into IPS Profile

Security Profiles > Intrusion Prevention has a new Botnet C&C option. This option consolidates multiple botnet options into a single option in the IPS Profile, so you can enable botnet blocking in one place for all traffic that matches the policy.

The new Security Profiles > Intrusion Prevention > Botnet C&C option replaces and enhances the old Network Interfaces > Scan Outgoing Connections to Botnet Sites option.

To configure Botnet C&C IP blocking using the GUI:
  1. Go to Security Profiles > Intrusion Prevention and enable Botnet C&C by setting Scan Outgoing Connections to Botnet Sites to Block or Monitor.

  2. Add this sensor to the firewall policy. The IPS engine then starts scanning outgoing connections to botnet sites.

    For example, when a client visits a botnet IP, an IPS log is generated for this attack.

To configure Botnet C&C IP blocking using the CLI:

config ips sensor now has a new scan-botnet-connections option.

    config ips sensor
        edit "Demo"
            set scan-botnet-connections <disable | block | monitor>
        next
    end

Note

The scan-botnet-connections command is no longer available in the following CLI commands:

  • config firewall policy
  • config firewall interface-policy
  • config firewall proxy-policy
  • config firewall sniffer
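
As an added example (not Fortinet code), the following Python audits a saved configuration for the move described above: it flags scan-botnet-connections lines left under the four firewall sections listed in the note and reports the mode set on each IPS sensor. The sample text is constructed, the name audit is hypothetical, and "unset" only means no explicit line was found for that sensor.

```python
# Sections the page lists as no longer accepting scan-botnet-connections.
LEGACY = {"firewall policy", "firewall interface-policy",
          "firewall proxy-policy", "firewall sniffer"}
OPTION = "set scan-botnet-connections "

# Constructed backup excerpt mixing old and new placement (not real output).
SAMPLE = """\
config ips sensor
    edit "Demo"
        set scan-botnet-connections block
    next
    edit "Lab"
        config entries
            edit 1
            next
        end
    next
end
config firewall policy
    edit 7
        set scan-botnet-connections block
    next
end
"""

def audit(config_text):
    """Return (legacy_hits, sensor_modes) from FortiOS-style config text."""
    stack, entry = [], None   # open `config` blocks; current top-level `edit`
    legacy_hits, sensors = [], {}
    for tok in (line.strip() for line in config_text.splitlines()):
        top = len(stack) == 1  # ignore nested tables such as `config entries`
        if tok.startswith("config "):
            stack.append(tok[len("config "):])
        elif tok == "end" and stack:
            stack.pop()
        elif tok.startswith("edit ") and top:
            entry = tok[len("edit "):].strip('"')
            if stack[0] == "ips sensor":
                sensors[entry] = "unset"  # no explicit line seen yet
        elif tok.startswith(OPTION) and top and entry is not None:
            value = tok[len(OPTION):].strip()
            if stack[0] in LEGACY:
                legacy_hits.append((stack[0], entry, value))
            elif stack[0] == "ips sensor":
                sensors[entry] = value
    return legacy_hits, sensors

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Any entry in the first returned list is a setting that has to be carried over to the IPS sensor attached to that policy.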

Botnet IPs and Botnet Domains moved to Intrusion Prevention section

In System > FortiGuard, Botnet IPs and Botnet Domains are now in the Intrusion Prevention section.

Botnet C&C Domain Blocking

There are no changes from version 6.0.4 in configuring Security Profiles > DNS Filter > Redirect botnet C&C requests to Block Portal. Add the profile to a firewall policy to block connections to Botnet domains.

Botnet C&C URL Blocking

There are no changes from version 6.0.4 in configuring Security Profiles > Intrusion Prevention > Block malicious URLs. Enable Block malicious URLs in the IPS sensor and then add the sensor to a firewall policy.

Botnet C&C Signature Blocking

In this version and version 6.0.4, there are IPS signatures for botnet attacks. Include these signatures in the IPS sensor and then add the sensor to a firewall policy to detect or block attacks matching the IPS signatures.
