Botnet C&C IP blocking

The Botnet C&C section consolidates multiple botnet options in the IPS profile. This allows you to enable botnet blocking across all traffic that matches the policy by configuring one setting in the GUI, or by setting the scan-botnet-connections option in the CLI.

To configure botnet C&C IP blocking in the GUI:
  1. Go to Security Profiles > Intrusion Prevention and click Create New, or edit an existing sensor.
  2. Navigate to the Botnet C&C section.
  3. For Scan Outgoing Connections to Botnet Sites, select Block or Monitor.

  4. Configure the other settings as needed.
  5. Click OK.
  6. Add the sensor to a firewall policy.

    The IPS engine will scan outgoing connections to botnet sites. If you access a botnet IP, an IPS log is generated for this attack.

  7. Go to Log & Report > Intrusion Prevention to view the log.

To configure botnet C&C IP blocking in the CLI:

    config ips sensor
        edit "Demo"
            set scan-botnet-connections {disable | block | monitor}
        next
    end

Note

The scan-botnet-connections option is no longer available in the following CLI commands:

  • config firewall policy
  • config firewall interface-policy
  • config firewall proxy-policy
  • config firewall sniffer
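
The following is an added example, not Fortinet code: a small offline audit of a configuration backup that reports entries still setting scan-botnet-connections in the four commands listed in the note, and firewall policies whose attached IPS sensor does not block or monitor botnet connections. It assumes the backup uses the config/edit/set/next/end layout shown above, that a policy names its sensor with an ips-sensor setting, and that a sensor which never sets the option is treated as disable; the sample backup is constructed.

```python
LEGACY = {"firewall " + t for t in ("policy", "interface-policy", "proxy-policy", "sniffer")}
SAMPLE = """config ips sensor
    edit "Demo"
        set scan-botnet-connections block
    next
    edit "Legacy"
    next
end
config firewall policy
    edit 1
        set ips-sensor "Demo"
    next
    edit 2
        set ips-sensor "Legacy"
        set scan-botnet-connections block
    next
end"""  # constructed sample backup, not from a real device

def parse_entries(text):  # yields (section, entry, settings) per top-level edit
    section, entry, settings, depth = None, None, {}, 0
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                section, entry, settings = line[7:], None, {}
        elif line == "end":
            depth -= 1
        elif depth != 1:
            continue  # nested table such as "config entries"
        elif line.startswith("edit "):
            entry, settings = line[5:].strip('"'), {}
        elif line == "next":
            yield section, entry, settings
        elif line.startswith("set "):
            _, key, value = (line.split(None, 2) + [""])[:3]
            settings[key] = value.strip('"')

def audit(text):
    entries = list(parse_entries(text))
    # Assumption: a sensor that never sets the option is treated as "disable".
    modes = {n: s.get("scan-botnet-connections", "disable")
             for sec, n, s in entries if sec == "ips sensor"}
    findings = []
    for sec, name, s in entries:
        if sec in LEGACY and "scan-botnet-connections" in s:
            findings.append((sec, name, "legacy option set here"))
        sensor = s.get("ips-sensor")  # assumed key naming the attached sensor
        if sec == "firewall policy" and modes.get(sensor, "disable") == "disable":
            findings.append((sec, name, f"no botnet scan via sensor {sensor!r}"))
    return findings
```

Calling audit(SAMPLE) returns two findings for policy 2 and none for policy 1, whose sensor "Demo" is set to block.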