Fortinet white logo
Fortinet white logo

Administration Guide

IPS with botnet C&C IP blocking

IPS with botnet C&C IP blocking

The Botnet C&C section consolidates multiple botnet options in the IPS profile. This allows you to enable botnet blocking across all traffic that matches the policy by configuring one setting in the GUI, or by the scan-botnet-connections option in the CLI.

To configure botnet C&C IP blocking in the GUI:
  1. Go to Security Profiles > Intrusion Prevention and click Create New, or edit an existing sensor.
  2. Navigate to the Botnet C&C section.
  3. For Scan Outgoing Connections to Botnet Sites, select Block or Monitor.

  4. Configure the other settings as needed.
  5. Click OK.
  6. Add the sensor to a firewall policy.

    The IPS engine will scan outgoing connections to botnet sites. If you access a botnet IP, an IPS log is generated for this attack.

  7. Go to Log & Report > Intrusion Prevention to view the log.
To configure botnet C&C IP blocking in the CLI:

config ips sensor

edit "Demo"

set scan-botnet-connections {disable | block | monitor}

next

end

Note

The scan-botnet-connections option is no longer available in the following CLI commands:

  • config firewall policy
  • config firewall interface-policy
  • config firewall proxy-policy
  • config firewall sniffer
Sample log
# execute log filter category 4
# execute log display
1 logs found.
1 logs returned.

1: date=2022-04-28 time=16:18:34 eventtime=1651187914585406621 tz="-0700" logid="0422016400" type="utm" subtype="ips" eventtype="botnet" level="warning" vd="vd1" msg="Botnet C&C Communication." severity="critical" srcip=10.1.100.11 srccountry="Reserved" dstip=2.58.149.169 srcintf="port13" srcintfrole="undefined" dstintf="port14" dstintfrole="undefined" sessionid=894198 action="dropped" srcport=41798 dstport=80 proto=6 service="HTTP" policyid=1 profile="sensor-1" direction="outgoing" attack="Loki" attackid=7630239 ref="http://www.fortinet.com/be?bid=7630239" crscore=50 craction=4 crlevel="critical"

Botnet IPs and domains lists

To view botnet IPs and domains lists:
  1. Go to System > FortiGuard. Botnet IPs and Botnet Domains are visible in the Intrusion Prevention section.
  2. Click View List for more details.

Botnet C&C domain blocking

To block connections to botnet domains:
  1. Go to Security Profiles > DNS Filter and click Create New, or edit an existing filter.
  2. Enable Redirect botnet C&C requests to Block Portal.

  3. Configure the other settings as needed.
  4. Click OK.
  5. Add the filter profile to a firewall policy.

Botnet C&C URL blocking

To block malicious URLs:
  1. Go to Security Profiles > Intrusion Prevention and click Create New, or edit an existing sensor.
  2. Enable Block malicious URLs.

  3. Configure the other settings as needed.
  4. Click OK.
  5. Add the sensor to a firewall policy.

Botnet C&C signature blocking

To add IPS signatures to a sensor:
  1. Go to Security Profiles > Intrusion Prevention and click Create New, or edit an existing sensor.
  2. In the IPS Signatures and Filters section, click Create New. A list of available signatures appears.
  3. For Type, select Signature. Select the signatures you want to include from the list.
  4. Configure the other settings as needed.
  5. Click Add Selected.

  6. Click OK.
  7. Add the sensor to a firewall policy to detect or block attacks that match the IPS signatures.

Related Videos

sidebar video

Botnet C&C in Intrusion Prevention Systems

  • 2,699 views
  • 5 years ago

IPS with botnet C&C IP blocking

IPS with botnet C&C IP blocking

The Botnet C&C section consolidates multiple botnet options in the IPS profile. This allows you to enable botnet blocking across all traffic that matches the policy by configuring one setting in the GUI, or by the scan-botnet-connections option in the CLI.

To configure botnet C&C IP blocking in the GUI:
  1. Go to Security Profiles > Intrusion Prevention and click Create New, or edit an existing sensor.
  2. Navigate to the Botnet C&C section.
  3. For Scan Outgoing Connections to Botnet Sites, select Block or Monitor.

  4. Configure the other settings as needed.
  5. Click OK.
  6. Add the sensor to a firewall policy.

    The IPS engine will scan outgoing connections to botnet sites. If you access a botnet IP, an IPS log is generated for this attack.

  7. Go to Log & Report > Intrusion Prevention to view the log.
To configure botnet C&C IP blocking in the CLI:

config ips sensor

edit "Demo"

set scan-botnet-connections {disable | block | monitor}

next

end

Note

The scan-botnet-connections option is no longer available in the following CLI commands:

  • config firewall policy
  • config firewall interface-policy
  • config firewall proxy-policy
  • config firewall sniffer
Sample log
# execute log filter category 4
# execute log display
1 logs found.
1 logs returned.

1: date=2022-04-28 time=16:18:34 eventtime=1651187914585406621 tz="-0700" logid="0422016400" type="utm" subtype="ips" eventtype="botnet" level="warning" vd="vd1" msg="Botnet C&C Communication." severity="critical" srcip=10.1.100.11 srccountry="Reserved" dstip=2.58.149.169 srcintf="port13" srcintfrole="undefined" dstintf="port14" dstintfrole="undefined" sessionid=894198 action="dropped" srcport=41798 dstport=80 proto=6 service="HTTP" policyid=1 profile="sensor-1" direction="outgoing" attack="Loki" attackid=7630239 ref="http://www.fortinet.com/be?bid=7630239" crscore=50 craction=4 crlevel="critical"

Botnet IPs and domains lists

To view botnet IPs and domains lists:
  1. Go to System > FortiGuard. Botnet IPs and Botnet Domains are visible in the Intrusion Prevention section.
  2. Click View List for more details.

Botnet C&C domain blocking

To block connections to botnet domains:
  1. Go to Security Profiles > DNS Filter and click Create New, or edit an existing filter.
  2. Enable Redirect botnet C&C requests to Block Portal.

  3. Configure the other settings as needed.
  4. Click OK.
  5. Add the filter profile to a firewall policy.

Botnet C&C URL blocking

To block malicious URLs:
  1. Go to Security Profiles > Intrusion Prevention and click Create New, or edit an existing sensor.
  2. Enable Block malicious URLs.

  3. Configure the other settings as needed.
  4. Click OK.
  5. Add the sensor to a firewall policy.

Botnet C&C signature blocking

To add IPS signatures to a sensor:
  1. Go to Security Profiles > Intrusion Prevention and click Create New, or edit an existing sensor.
  2. In the IPS Signatures and Filters section, click Create New. A list of available signatures appears.
  3. For Type, select Signature. Select the signatures you want to include from the list.
  4. Configure the other settings as needed.
  5. Click Add Selected.

  6. Click OK.
  7. Add the sensor to a firewall policy to detect or block attacks that match the IPS signatures.