Fortinet white logo
Fortinet white logo

Cookbook

Botnet C&C IP blocking

Botnet C&C IP blocking

The Botnet C&C section consolidates multiple botnet options in the IPS profile. This allows you to enable botnet blocking across all traffic that matches the policy by configuring one setting in the GUI, or by the scan-botnet-connections option in the CLI.

To configure botnet C&C IP blocking using the GUI:
  1. Go to Security Profiles > Intrusion Prevention.
  2. Edit an existing sensor, or create a new one.
  3. Set Scan Outgoing Connections to Botnet Sites to Block or Monitor.

  4. Configure other settings as required .
  5. Click Apply. Botnet C&C is now enabled for the sensor.
  6. Add this sensor to the firewall policy.

    The IPS engine will scan outgoing connections to botnet sites. If you access a botnet IP, an IPS log is generated for this attack.

  7. Go to Log & Report > Intrusion Prevention to view the log.
To configure botnet C&C IP blocking using the CLI:

config ips sensor

edit "Demo"

set scan-botnet-connections {block | monitor}

next

end

Note

The scan-botnet-connections option is no longer available in the following CLI commands:

  • config firewall policy
  • config firewall interface-policy
  • config firewall proxy-policy
  • config firewall sniffer

Botnet IPs and domains lists

To view botnet IPs and domains lists using the GUI:
  1. Go to System > FortiGuard . Botnet IPs and Botnet Domains are visible in the Intrusion Prevention section.

  2. Click View List for more details.

Botnet C&C domain blocking

To block connections to botnet domains using the GUI:
  1. Go to Security Profiles > DNS Filter.
  2. Edit an existing filter, or create a new one.
  3. Enable Redirect botnet C&C requests to Block Portal.

  4. Configure other settings as required.
  5. Click OK.
  6. Add this filter profile to a firewall policy.

Botnet C&C URL blocking

Note

Blocking malicious URLs is not supported on FortiGate 51E, 50E, or 30E models.

To block malicious URLs using the GUI:
  1. Go to Security Profiles > Intrusion Prevention.
  2. Edit an existing sensor, or create a new one.
  3. Enable Block malicious URLs.

  4. Configure other settings as needed.
  5. Click OK.
  6. Add this sensor to a firewall policy.

Botnet C&C signature blocking

To add IPS signatures to a sensor using the GUI:
  1. Go to Security Profiles > Intrusion Prevention.
  2. Edit an existing sensor, or create a new one.
  3. In the and FiltersIPS Signatures section, click Create New.
  4. Set Type to Signature.
  5. Select the signatures you want to include from the list.
  6. Configure the other settings as required.

  7. Click OK.
  8. Configure other settings as required, then click OK.
  9. Add this sensor to a firewall policy to detect or block attacks that match the IPS signatures.

Related Videos

sidebar video

Botnet C&C in Intrusion Prevention Systems

  • 2,699 views
  • 5 years ago

Botnet C&C IP blocking

Botnet C&C IP blocking

The Botnet C&C section consolidates multiple botnet options in the IPS profile. This allows you to enable botnet blocking across all traffic that matches the policy by configuring one setting in the GUI, or by the scan-botnet-connections option in the CLI.

To configure botnet C&C IP blocking using the GUI:
  1. Go to Security Profiles > Intrusion Prevention.
  2. Edit an existing sensor, or create a new one.
  3. Set Scan Outgoing Connections to Botnet Sites to Block or Monitor.

  4. Configure other settings as required .
  5. Click Apply. Botnet C&C is now enabled for the sensor.
  6. Add this sensor to the firewall policy.

    The IPS engine will scan outgoing connections to botnet sites. If you access a botnet IP, an IPS log is generated for this attack.

  7. Go to Log & Report > Intrusion Prevention to view the log.
To configure botnet C&C IP blocking using the CLI:

config ips sensor

edit "Demo"

set scan-botnet-connections {block | monitor}

next

end

Note

The scan-botnet-connections option is no longer available in the following CLI commands:

  • config firewall policy
  • config firewall interface-policy
  • config firewall proxy-policy
  • config firewall sniffer

Botnet IPs and domains lists

To view botnet IPs and domains lists using the GUI:
  1. Go to System > FortiGuard . Botnet IPs and Botnet Domains are visible in the Intrusion Prevention section.

  2. Click View List for more details.

Botnet C&C domain blocking

To block connections to botnet domains using the GUI:
  1. Go to Security Profiles > DNS Filter.
  2. Edit an existing filter, or create a new one.
  3. Enable Redirect botnet C&C requests to Block Portal.

  4. Configure other settings as required.
  5. Click OK.
  6. Add this filter profile to a firewall policy.

Botnet C&C URL blocking

Note

Blocking malicious URLs is not supported on FortiGate 51E, 50E, or 30E models.

To block malicious URLs using the GUI:
  1. Go to Security Profiles > Intrusion Prevention.
  2. Edit an existing sensor, or create a new one.
  3. Enable Block malicious URLs.

  4. Configure other settings as needed.
  5. Click OK.
  6. Add this sensor to a firewall policy.

Botnet C&C signature blocking

To add IPS signatures to a sensor using the GUI:
  1. Go to Security Profiles > Intrusion Prevention.
  2. Edit an existing sensor, or create a new one.
  3. In the and FiltersIPS Signatures section, click Create New.
  4. Set Type to Signature.
  5. Select the signatures you want to include from the list.
  6. Configure the other settings as required.

  7. Click OK.
  8. Configure other settings as required, then click OK.
  9. Add this sensor to a firewall policy to detect or block attacks that match the IPS signatures.