Fortinet black logo

Cookbook

Botnet C&C IP blocking

Copy Link
Copy Doc ID af0e75e9-211f-11ea-9384-00505692583a:668865
Download PDF

Botnet C&C IP blocking

The Botnet C&C section consolidates multiple botnet options in the IPS profile. This allows you to enable botnet blocking across all traffic that matches the policy by configuring one setting in the GUI, or by the scan-botnet-connections option in the CLI.

To configure botnet C&C IP blocking using the GUI:
  1. Go to Security Profiles > Intrusion Prevention.
  2. Edit an existing sensor, or create a new one.
  3. Navigate to the Botnet C&C section.
  4. For Scan Outgoing Connections to Botnet Sites, click Block or Monitor.

  5. Configure other settings as needed.
  6. Click Apply. Botnet C&C is now enabled for the sensor.
  7. Add this sensor to the firewall policy.

    The IPS engine will scan outgoing connections to botnet sites. If you access a botnet IP, an IPS log is generated for this attack.

  8. Go to Log & Report > Intrusion Prevention to view the log.

To configure botnet C&C IP blocking using the CLI:

config ips sensor

edit "Demo"

set scan-botnet-connections <disable | block | monitor>

next

end

Note

The scan-botnet-connections option is no longer available in the following CLI commands:

  • config firewall policy
  • config firewall interface-policy
  • config firewall proxy-policy
  • config firewall sniffer

Botnet IPs and domains lists

To view botnet IPs and domains lists using the GUI:
  1. Go to System > FortiGuard . Botnet IPs and Botnet Domains are visible in the Intrusion Prevention section.
  2. Click View List for more details.

Botnet C&C domain blocking

To block connections to botnet domains using the GUI:
  1. Go to Security Profiles > DNS Filter.
  2. Edit an existing filter, or create a new one.
  3. Enable Redirect botnet C&C requests to Block Portal.

  4. Configure other settings as needed.
  5. Click OK.
  6. Add this filter profile to a firewall policy.

Botnet C&C URL blocking

To block malicious URLs using the GUI:
  1. Go to Security Profiles > Intrusion Prevention.
  2. Edit an existing sensor, or create a new one.
  3. Enable Block malicious URLs.

  4. Configure other settings as needed.
  5. Click OK.
  6. Add this sensor to a firewall policy.

Botnet C&C signature blocking

To add IPS signatures to a sensor using the GUI:
  1. Go to Security Profiles > Intrusion Prevention.
  2. Edit an existing sensor, or create a new one.
  3. In the IPS Signatures section, click Add Signatues. A list of available signatures appears.
  4. Select the signatures you want to include from the list.
  5. Click Use Selected Signatures.

  6. Configure other settings as needed.
  7. Add this sensor to a firewall policy to detect or block attacks that match the IPS signatures.

Related Videos

sidebar video

Botnet C&C in Intrusion Prevention Systems

  • 2,538 views
  • 5 years ago

Botnet C&C IP blocking

The Botnet C&C section consolidates multiple botnet options in the IPS profile. This allows you to enable botnet blocking across all traffic that matches the policy by configuring one setting in the GUI, or by the scan-botnet-connections option in the CLI.

To configure botnet C&C IP blocking using the GUI:
  1. Go to Security Profiles > Intrusion Prevention.
  2. Edit an existing sensor, or create a new one.
  3. Navigate to the Botnet C&C section.
  4. For Scan Outgoing Connections to Botnet Sites, click Block or Monitor.

  5. Configure other settings as needed.
  6. Click Apply. Botnet C&C is now enabled for the sensor.
  7. Add this sensor to the firewall policy.

    The IPS engine will scan outgoing connections to botnet sites. If you access a botnet IP, an IPS log is generated for this attack.

  8. Go to Log & Report > Intrusion Prevention to view the log.

To configure botnet C&C IP blocking using the CLI:

config ips sensor

edit "Demo"

set scan-botnet-connections <disable | block | monitor>

next

end

Note

The scan-botnet-connections option is no longer available in the following CLI commands:

  • config firewall policy
  • config firewall interface-policy
  • config firewall proxy-policy
  • config firewall sniffer

Botnet IPs and domains lists

To view botnet IPs and domains lists using the GUI:
  1. Go to System > FortiGuard . Botnet IPs and Botnet Domains are visible in the Intrusion Prevention section.
  2. Click View List for more details.

Botnet C&C domain blocking

To block connections to botnet domains using the GUI:
  1. Go to Security Profiles > DNS Filter.
  2. Edit an existing filter, or create a new one.
  3. Enable Redirect botnet C&C requests to Block Portal.

  4. Configure other settings as needed.
  5. Click OK.
  6. Add this filter profile to a firewall policy.

Botnet C&C URL blocking

To block malicious URLs using the GUI:
  1. Go to Security Profiles > Intrusion Prevention.
  2. Edit an existing sensor, or create a new one.
  3. Enable Block malicious URLs.

  4. Configure other settings as needed.
  5. Click OK.
  6. Add this sensor to a firewall policy.

Botnet C&C signature blocking

To add IPS signatures to a sensor using the GUI:
  1. Go to Security Profiles > Intrusion Prevention.
  2. Edit an existing sensor, or create a new one.
  3. In the IPS Signatures section, click Add Signatues. A list of available signatures appears.
  4. Select the signatures you want to include from the list.
  5. Click Use Selected Signatures.

  6. Configure other settings as needed.
  7. Add this sensor to a firewall policy to detect or block attacks that match the IPS signatures.