IPS with botnet C&C IP blocking
The Botnet C&C section consolidates multiple botnet options in the IPS profile. This allows you to enable botnet blocking across all traffic that matches the policy by configuring one setting in the GUI, or by the scan-botnet-connections option in the CLI.
To configure botnet C&C IP blocking in the GUI:
- Go to Security Profiles > Intrusion Prevention and click Create New, or edit an existing sensor.
- Navigate to the Botnet C&C section.
- For Scan Outgoing Connections to Botnet Sites, select Block or Monitor.
- Configure the other settings as needed.
- Click OK.
- Add the sensor to a firewall policy.
The IPS engine scans outgoing connections against the FortiGuard botnet IP list. When a host behind the policy connects to a known botnet IP, the connection is dropped (Block) or only logged (Monitor), and an IPS log entry with eventtype botnet is generated either way.
- Go to Log & Report > Intrusion Prevention to view the log.
To configure botnet C&C IP blocking in the CLI:
config ips sensor
edit "Demo"
set scan-botnet-connections {disable | block | monitor}
next
end
Sample log
# execute log filter category 4
# execute log display
1 logs found.
1 logs returned.
1: date=2022-04-28 time=16:18:34 eventtime=1651187914585406621 tz="-0700" logid="0422016400" type="utm" subtype="ips" eventtype="botnet" level="warning" vd="vd1" msg="Botnet C&C Communication." severity="critical" srcip=10.1.100.11 srccountry="Reserved" dstip=2.58.149.169 srcintf="port13" srcintfrole="undefined" dstintf="port14" dstintfrole="undefined" sessionid=894198 action="dropped" srcport=41798 dstport=80 proto=6 service="HTTP" policyid=1 profile="sensor-1" direction="outgoing" attack="Loki" attackid=7630239 ref="http://www.fortinet.com/be?bid=7630239" crscore=50 craction=4 crlevel="critical"
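The log above is the artifact a SOC actually consumes, and in Monitor mode it is the only signal that a host reached a C&C address. The following Python is an added example, not code from the page or from Fortinet: it parses FortiGate key=value log lines, keeps only IPS botnet events, and lists the source hosts whose C&C connection was logged but not dropped, so they can be triaged. The first sample line is the page's own log; the other two lines are constructed, and the assumption that Monitor mode writes action="detected" is an assumption of this example, not something the page states.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample input. Line 1 is the page's sample log verbatim.
# Lines 2 and 3 are made up for this example: a Monitor-mode botnet hit
# (action="detected" is this example's assumption for Monitor mode) and a
# non-botnet IPS signature event that a botnet-only report must ignore.
SAMPLE_LOGS = [
    'date=2022-04-28 time=16:18:34 eventtime=1651187914585406621 tz="-0700" logid="0422016400" type="utm" subtype="ips" eventtype="botnet" level="warning" vd="vd1" msg="Botnet C&C Communication." severity="critical" srcip=10.1.100.11 srccountry="Reserved" dstip=2.58.149.169 srcintf="port13" srcintfrole="undefined" dstintf="port14" dstintfrole="undefined" sessionid=894198 action="dropped" srcport=41798 dstport=80 proto=6 service="HTTP" policyid=1 profile="sensor-1" direction="outgoing" attack="Loki" attackid=7630239 ref="http://www.fortinet.com/be?bid=7630239" crscore=50 craction=4 crlevel="critical"',
    'date=2022-04-28 time=16:20:01 logid="0422016400" type="utm" subtype="ips" eventtype="botnet" level="warning" vd="vd1" msg="Botnet C&C Communication." severity="critical" srcip=10.1.100.12 dstip=198.51.100.7 sessionid=894210 action="detected" srcport=50112 dstport=443 proto=6 service="HTTPS" policyid=1 profile="sensor-1" direction="outgoing" attack="Constructed.Sample"',
    'date=2022-04-28 time=16:21:45 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vd1" severity="high" srcip=10.1.100.13 dstip=203.0.113.9 sessionid=894222 action="dropped" srcport=50200 dstport=80 proto=6 service="HTTP" policyid=1 profile="sensor-1" direction="outgoing" attack="Constructed.Signature"',
]

# key=value pairs; values are either a double-quoted string (may contain
# spaces and '=' characters, e.g. the ref URL) or a run of non-whitespace.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log line into a dict, quotes stripped."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def is_botnet_event(fields: Dict[str, str]) -> bool:
    """True for IPS botnet C&C events, as identified by type/subtype/eventtype."""
    return (
        fields.get("type") == "utm"
        and fields.get("subtype") == "ips"
        and fields.get("eventtype") == "botnet"
    )


def botnet_events(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Extract the fields an analyst needs from every botnet event in `lines`."""
    events: List[Dict[str, object]] = []
    for line in lines:
        f = parse_fortigate_log(line)
        if not is_botnet_event(f):
            continue
        events.append({
            "srcip": f.get("srcip"),
            "dstip": f.get("dstip"),
            "dstport": int(f.get("dstport", "0")),
            "attack": f.get("attack"),
            "action": f.get("action"),
            # "dropped" is what the page's Block-mode sample shows.
            "blocked": f.get("action") == "dropped",
            "profile": f.get("profile"),
        })
    return events


def hosts_needing_triage(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each source IP whose C&C connection was NOT dropped to the C&C IPs it reached.

    In Monitor mode the sensor only logs, so these hosts may still be talking
    to their controller and should be isolated and investigated.
    """
    hosts: Dict[str, set] = {}
    for ev in botnet_events(lines):
        if not ev["blocked"]:
            hosts.setdefault(str(ev["srcip"]), set()).add(str(ev["dstip"]))
    return {h: sorted(d) for h, d in hosts.items()}


if __name__ == "__main__":
    for ev in botnet_events(SAMPLE_LOGS):
        print(f'{ev["srcip"]} -> {ev["dstip"]}:{ev["dstport"]} '
              f'{ev["attack"]} action={ev["action"]}')
    print("needs triage:", hosts_needing_triage(SAMPLE_LOGS))
```

Feed it the output of execute log display (or the raw syslog stream if you forward logs) and the triage map is the list of hosts that crossed a C&C address while the sensor was in Monitor mode; in Block mode the same report should come back empty, which is a cheap check that the sensor really is attached to the policy carrying the traffic.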
Botnet IPs and domains lists
To view botnet IPs and domains lists:
- Go to System > FortiGuard. Botnet IPs and Botnet Domains are visible in the Intrusion Prevention section.
- Click View List for more details.
Botnet C&C domain blocking
To block connections to botnet domains:
- Go to Security Profiles > DNS Filter and click Create New, or edit an existing filter.
- Enable Redirect botnet C&C requests to Block Portal.
- Configure the other settings as needed.
- Click OK.
- Add the filter profile to a firewall policy.
Botnet C&C URL blocking
To block malicious URLs:
- Go to Security Profiles > Intrusion Prevention and click Create New, or edit an existing sensor.
- Enable Block malicious URLs.
- Configure the other settings as needed.
- Click OK.
- Add the sensor to a firewall policy.
Botnet C&C signature blocking
To add IPS signatures to a sensor:
- Go to Security Profiles > Intrusion Prevention and click Create New, or edit an existing sensor.
- In the IPS Signatures and Filters section, click Create New. A list of available signatures appears.
- For Type, select Signature. Select the signatures you want to include from the list.
- Configure the other settings as needed.
- Click Add Selected.
- Click OK.
- Add the sensor to a firewall policy to detect or block attacks that match the IPS signatures.