Botnet C&C IP blocking
The Botnet C&C section consolidates multiple botnet options in the IPS profile. This allows you to enable botnet blocking across all traffic that matches the policy by configuring one setting in the GUI, or by the scan-botnet-connections
option in the CLI.
To configure botnet C&C IP blocking using the GUI:
- Go to Security Profiles > Intrusion Prevention.
- Edit an existing sensor, or create a new one.
- Navigate to the Botnet C&C section.
- For Scan Outgoing Connections to Botnet Sites, click Block or Monitor.
- Configure other settings as needed.
- Click Apply. Botnet C&C is now enabled for the sensor.
- Add this sensor to the firewall policy.
The IPS engine will scan outgoing connections to botnet sites. If you access a botnet IP, an IPS log is generated for this attack.
- Go to Log & Report > Intrusion Prevention to view the log.
To configure botnet C&C IP blocking using the CLI:
config ips sensor
edit "Demo"
set scan-botnet-connections <disable | block | monitor>
next
end
The
|
Botnet IPs and domains lists
To view botnet IPs and domains lists using the GUI:
- Go to System > FortiGuard. Botnet IPs and Botnet Domains are visible in the Intrusion Prevention section.
- Click View List for more details.
Botnet C&C domain blocking
To block connections to botnet domains using the GUI:
- Go to Security Profiles > DNS Filter.
- Edit an existing filter, or create a new one.
- Enable Redirect botnet C&C requests to Block Portal.
- Configure other settings as needed.
- Click OK.
- Add this filter profile to a firewall policy.
Botnet C&C URL blocking
To block malicious URLs using the GUI:
- Go to Security Profiles > Intrusion Prevention.
- Edit an existing sensor, or create a new one.
- Enable Block malicious URLs.
- Configure other settings as needed.
- Click OK.
- Add this sensor to a firewall policy.
Botnet C&C signature blocking
To add IPS signatures to a sensor using the GUI:
- Go to Security Profiles > Intrusion Prevention.
- Edit an existing sensor, or create a new one.
- In the IPS Signatures section, click Add Signatues. A list of available signatures appears.
- Select the signatures you want to include from the list.
- Click Use Selected Signatures.
- Configure other settings as needed.
- Add this sensor to a firewall policy to detect or block attacks that match the IPS signatures.