IPS with botnet C&C IP blocking
The Botnet C&C section consolidates multiple botnet options in the IPS profile. This lets you enable botnet blocking for all traffic that matches the policy by configuring one setting in the GUI, or by using the scan-botnet-connections option in the CLI.
To configure botnet C&C IP blocking in the GUI:
- Go to Security Profiles > Intrusion Prevention, and click Create New to create a new IPS sensor, or double-click an existing IPS sensor to open it for editing.
- Navigate to the Botnet C&C section.
- For Scan Outgoing Connections to Botnet Sites, select Block or Monitor.
- Configure the other settings as needed.
- Click OK to save the IPS sensor.
- Add the IPS sensor to a firewall policy.
The IPS engine scans outgoing connections to botnet sites. When a connection to a botnet IP address is seen, an IPS log is generated for the attack.
- Go to Log & Report > Security Events and click the Intrusion Prevention card to view the log.
To configure botnet C&C IP blocking in the CLI:
config ips sensor
    edit "Demo"
        set scan-botnet-connections {disable | block | monitor}
    next
end
Sample log
# execute log filter category 4
# execute log display
1 logs found.
1 logs returned.
1: date=2022-04-28 time=16:18:34 eventtime=1651187914585406621 tz="-0700" logid="0422016400" type="utm" subtype="ips" eventtype="botnet" level="warning" vd="vd1" msg="Botnet C&C Communication." severity="critical" srcip=10.1.100.11 srccountry="Reserved" dstip=2.58.149.169 srcintf="port13" srcintfrole="undefined" dstintf="port14" dstintfrole="undefined" sessionid=894198 action="dropped" srcport=41798 dstport=80 proto=6 service="HTTP" policyid=1 profile="sensor-1" direction="outgoing" attack="Loki" attackid=7630239 ref="http://www.fortinet.com/be?bid=7630239" crscore=50 craction=4 crlevel="critical"
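As an added example (not part of the Fortinet documentation), the following Python parses records in the key=value format shown above and pulls out the Botnet C&C hits, separating blocked from monitored connections. The second and third records are constructed, and action="detected" as the monitor-mode value is an assumption.

```python
import re
from typing import Dict, List

# key=value pairs: the value is either double-quoted (may contain spaces, '&', '=')
# or a bare token without whitespace.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log record into a dict, quotes stripped."""
    # Drop the "N: " record index that 'execute log display' prints.
    line = re.sub(r'^\d+:\s*', '', line.strip())
    return {k: q or b for k, q, b in _KV_RE.findall(line)}


def botnet_cc_events(lines: List[str]) -> List[Dict[str, object]]:
    """Summarise every IPS record whose eventtype is 'botnet' (a Botnet C&C hit)."""
    events = []
    for raw in lines:
        rec = parse_fortigate_log(raw)
        if (rec.get("type"), rec.get("subtype"), rec.get("eventtype")) != ("utm", "ips", "botnet"):
            continue  # not a Botnet C&C record (other IPS events, traffic logs, ...)
        events.append({
            "src": f'{rec.get("srcip")}:{rec.get("srcport")}',
            "dst": f'{rec.get("dstip")}:{rec.get("dstport")}',
            "attack": rec.get("attack", ""),
            "policyid": rec.get("policyid", ""),
            "profile": rec.get("profile", ""),
            # action="dropped" is what the block-mode record on the page shows; any
            # other action (assumed "detected" for monitor mode) means not blocked.
            "blocked": rec.get("action") == "dropped",
        })
    return events


SAMPLE_LOGS = [
    # Record from the page (sensor in block mode).
    '1: date=2022-04-28 time=16:18:34 eventtime=1651187914585406621 tz="-0700" logid="0422016400" type="utm" subtype="ips" eventtype="botnet" level="warning" vd="vd1" msg="Botnet C&C Communication." severity="critical" srcip=10.1.100.11 srccountry="Reserved" dstip=2.58.149.169 srcintf="port13" srcintfrole="undefined" dstintf="port14" dstintfrole="undefined" sessionid=894198 action="dropped" srcport=41798 dstport=80 proto=6 service="HTTP" policyid=1 profile="sensor-1" direction="outgoing" attack="Loki" attackid=7630239 ref="http://www.fortinet.com/be?bid=7630239" crscore=50 craction=4 crlevel="critical"',
    # Constructed record: same sensor in monitor mode (action="detected" is assumed).
    '2: date=2022-04-28 time=16:20:01 type="utm" subtype="ips" eventtype="botnet" level="warning" vd="vd1" msg="Botnet C&C Communication." srcip=10.1.100.11 dstip=2.58.149.169 sessionid=894300 action="detected" srcport=41810 dstport=80 proto=6 service="HTTP" policyid=1 profile="sensor-1" direction="outgoing" attack="Loki" attackid=7630239',
    # Constructed non-botnet IPS record that the filter must ignore.
    '3: date=2022-04-28 time=16:21:10 type="utm" subtype="ips" eventtype="signature" level="alert" srcip=10.1.100.12 dstip=203.0.113.5 srcport=51000 dstport=443 action="detected" attack="constructed-signature-name"',
]

if __name__ == "__main__":
    for ev in botnet_cc_events(SAMPLE_LOGS):
        print(ev)
```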
Botnet IPs and domains lists
To view botnet IPs and domains lists:
- Go to System > FortiGuard.
- Expand License Information > Intrusion Prevention to view Botnet IPs and Botnet Domains information.
- Click View List for more details.
Botnet C&C domain blocking
To block connections to botnet domains:
- Go to Security Profiles > DNS Filter, and click Create New, or double-click an existing filter to open it for editing.
- Enable Redirect botnet C&C requests to Block Portal.
- Configure the other settings as needed.
- Click OK.
- Add the filter profile to a firewall policy.
Botnet C&C URL blocking
To block malicious URLs:
- Go to Security Profiles > Intrusion Prevention, and click Create New, or double-click an existing sensor to open it for editing.
- Enable Block malicious URLs.
- Configure the other settings as needed.
- Click OK.
- Add the sensor to a firewall policy.
Botnet C&C signature blocking
To add IPS signatures to a sensor:
- Go to Security Profiles > Intrusion Prevention, and click Create New, or double-click an existing sensor to open it for editing.
- In the IPS Signatures and Filters section, click Create New. A list of available signatures appears.
- For Type, select Signature. Select the signatures you want to include from the list.
- Configure the other settings as needed.
- Click Add Selected.
- Click OK to add the IPS signatures to the IPS sensor.
- Click OK to save the IPS sensor.
- Add the sensor to a firewall policy to detect or block attacks that match the IPS signatures.