Botnet C&C IP blocking
The Botnet C&C section consolidates multiple botnet options in the IPS profile. This allows you to enable botnet blocking across all traffic that matches the policy by configuring one setting in the GUI, or by the scan-botnet-connections option in the CLI.
To configure botnet C&C IP blocking using the GUI:
- Go to Security Profiles > Intrusion Prevention.
- Edit an existing sensor, or create a new one.
- Set Scan Outgoing Connections to Botnet Sites to Block or Monitor.
- Configure other settings as required.
- Click Apply. Botnet C&C is now enabled for the sensor.
- Add this sensor to the firewall policy.
The IPS engine will scan outgoing connections to botnet sites. If you access a botnet IP, an IPS log is generated for this attack.
- Go to Log & Report > Intrusion Prevention to view the log.
To configure botnet C&C IP blocking using the CLI:
config ips sensor
    edit "Demo"
        set scan-botnet-connections {block | monitor}
    next
end
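An added example, not part of the Fortinet documentation: a Python check that reads a configuration backup and reports, for each firewall policy, the scan-botnet-connections mode of the IPS sensor it uses. The sample configuration is constructed; the ips-sensor policy option, the treatment of an unset option as disable, and the function names are assumptions of this example.

```python
import shlex
# Constructed sample shaped like a FortiOS configuration backup (not from the page).
SAMPLE = """
config ips sensor
    edit "Demo"
        set scan-botnet-connections block
        config entries
            edit 1
                set severity high critical
            next
        end
    next
    edit "legacy"
    next
end
config firewall policy
    edit 1
        set ips-sensor "Demo"
    next
    edit 2
        set ips-sensor "legacy"
    next
    edit 3
    next
end
"""

def parse_tables(text):  # returns {table: {entry: {option: value}}}
    tables, stack, entry = {}, [], None
    for line in text.splitlines():
        tok = shlex.split(line) or [""]  # assumes single-line values, as in the sample
        if tok[0] == "config":
            entry = entry if stack else None  # new top-level table: drop stale entry
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end" and stack:
            stack.pop()
        elif len(stack) == 1:  # skip nested tables such as "config entries"
            if tok[0] == "edit":
                entry = tables.setdefault(stack[0], {}).setdefault(tok[1], {})
            elif tok[0] == "set" and entry is not None:
                entry[tok[1]] = " ".join(tok[2:])
    return tables

def audit(text):  # returns {policy ID: botnet mode of the policy's IPS sensor}
    tables = parse_tables(text)
    sensors = tables.get("ips sensor", {})
    # Assumption: an unset option means "disable" (a default the backup omits).
    return {pid: sensors.get(pol["ips-sensor"], {}).get("scan-botnet-connections", "disable")
            if "ips-sensor" in pol else "no-sensor"
            for pid, pol in tables.get("firewall policy", {}).items()}
```

Calling audit(SAMPLE) shows policy 1 as block, policy 2 as disable, and policy 3 as no-sensor, which points at the policies whose outgoing traffic is not scanned for botnet connections.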
Botnet IPs and domains lists
To view botnet IPs and domains lists using the GUI:
- Go to System > FortiGuard. Botnet IPs and Botnet Domains are visible in the Intrusion Prevention section.
- Click View List for more details.
Botnet C&C domain blocking
To block connections to botnet domains using the GUI:
- Go to Security Profiles > DNS Filter.
- Edit an existing filter, or create a new one.
- Enable Redirect botnet C&C requests to Block Portal.
- Configure other settings as required.
- Click OK.
- Add this filter profile to a firewall policy.
Botnet C&C URL blocking
Blocking malicious URLs is not supported on FortiGate 51E, 50E, or 30E models.
To block malicious URLs using the GUI:
- Go to Security Profiles > Intrusion Prevention.
- Edit an existing sensor, or create a new one.
- Enable Block malicious URLs.
- Configure other settings as needed.
- Click OK.
- Add this sensor to a firewall policy.
Botnet C&C signature blocking
To add IPS signatures to a sensor using the GUI:
- Go to Security Profiles > Intrusion Prevention.
- Edit an existing sensor, or create a new one.
- In the IPS Signatures and Filters section, click Create New.
- Set Type to Signature.
- Select the signatures you want to include from the list.
- Configure the other settings as required.
- Click OK.
- Configure other settings as required, then click OK.
- Add this sensor to a firewall policy to detect or block attacks that match the IPS signatures.