Fortinet white logo
Fortinet white logo

Administration Guide

IPS with botnet C&C IP blocking

IPS with botnet C&C IP blocking

The Botnet C&C section consolidates multiple botnet options in the IPS profile. This allows you to enable botnet blocking across all traffic that matches the policy by configuring one setting in the GUI, or by the scan-botnet-connections option in the CLI.

To configure botnet C&C IP blocking in the GUI:
  1. Go to Security Profiles > Intrusion Prevention, and click Create New to create a new IPS sensor, or double-click an existing IPS sensor to open it for editing.
  2. Navigate to the Botnet C&C section.
  3. For Scan Outgoing Connections to Botnet Sites, select Block or Monitor.

  4. Configure the other settings as needed.
  5. Click OK to save the IPS sensor.
  6. Add the IPS sensor to a firewall policy.

    The IPS engine will scan outgoing connections to botnet sites. If you access a botnet IP address, an IPS log is generated for this attack.

  7. Go to Log & Report > Security Events and click the Intrusion Prevention card to view the log.
To configure botnet C&C IP blocking in the CLI:

config ips sensor

edit "Demo"

set scan-botnet-connections {disable | block | monitor}

next

end

Note

The scan-botnet-connections option is no longer available in the following CLI commands:

  • config firewall policy
  • config firewall interface-policy
  • config firewall proxy-policy
  • config firewall sniffer
Sample log
# execute log filter category 4
# execute log display
1 logs found.
1 logs returned.

1: date=2022-04-28 time=16:18:34 eventtime=1651187914585406621 tz="-0700" logid="0422016400" type="utm" subtype="ips" eventtype="botnet" level="warning" vd="vd1" msg="Botnet C&C Communication." severity="critical" srcip=10.1.100.11 srccountry="Reserved" dstip=2.58.149.169 srcintf="port13" srcintfrole="undefined" dstintf="port14" dstintfrole="undefined" sessionid=894198 action="dropped" srcport=41798 dstport=80 proto=6 service="HTTP" policyid=1 profile="sensor-1" direction="outgoing" attack="Loki" attackid=7630239 ref="http://www.fortinet.com/be?bid=7630239" crscore=50 craction=4 crlevel="critical"

Botnet IPs and domains lists

To view botnet IPs and domains lists:
  1. Go to System > FortiGuard.
  2. Expand License Information > Intrusion Prevention to view Botnet IPs and Botnet Domains information.
  3. Click View List for more details.

Botnet C&C domain blocking

To block connections to botnet domains:
  1. Go to Security Profiles > DNS Filter, and click Create New, or double-click an existing filter to open it for editing.
  2. Enable Redirect botnet C&C requests to Block Portal.

  3. Configure the other settings as needed.
  4. Click OK.
  5. Add the filter profile to a firewall policy.

Botnet C&C URL blocking

To block malicious URLs:
  1. Go to Security Profiles > Intrusion Prevention, and click Create New, or double-click an existing filter to open it for editing.
  2. Enable Block malicious URLs.

  3. Configure the other settings as needed.
  4. Click OK.
  5. Add the sensor to a firewall policy.

Botnet C&C signature blocking

To add IPS signatures to a sensor:
  1. Go to Security Profiles > Intrusion Prevention, and click Create New, or double-click an existing sensor to open it for editing.
  2. In the IPS Signatures and Filters section, click Create New. A list of available signatures appears.
  3. For Type, select Signature. Select the signatures you want to include from the list.
  4. Configure the other settings as needed.
  5. Click Add Selected.

  6. Click OK to add the IPS signatures to the IPS sensor.
  7. Click OK to save the IPS sensor.
  8. Add the sensor to a firewall policy to detect or block attacks that match the IPS signatures.

Related Videos

sidebar video

Botnet C&C in Intrusion Prevention Systems

  • 2,701 views
  • 5 years ago

IPS with botnet C&C IP blocking

IPS with botnet C&C IP blocking

The Botnet C&C section consolidates multiple botnet options in the IPS profile. This allows you to enable botnet blocking across all traffic that matches the policy by configuring one setting in the GUI, or by the scan-botnet-connections option in the CLI.

To configure botnet C&C IP blocking in the GUI:
  1. Go to Security Profiles > Intrusion Prevention, and click Create New to create a new IPS sensor, or double-click an existing IPS sensor to open it for editing.
  2. Navigate to the Botnet C&C section.
  3. For Scan Outgoing Connections to Botnet Sites, select Block or Monitor.

  4. Configure the other settings as needed.
  5. Click OK to save the IPS sensor.
  6. Add the IPS sensor to a firewall policy.

    The IPS engine will scan outgoing connections to botnet sites. If you access a botnet IP address, an IPS log is generated for this attack.

  7. Go to Log & Report > Security Events and click the Intrusion Prevention card to view the log.
To configure botnet C&C IP blocking in the CLI:

config ips sensor

edit "Demo"

set scan-botnet-connections {disable | block | monitor}

next

end

Note

The scan-botnet-connections option is no longer available in the following CLI commands:

  • config firewall policy
  • config firewall interface-policy
  • config firewall proxy-policy
  • config firewall sniffer
Sample log
# execute log filter category 4
# execute log display
1 logs found.
1 logs returned.

1: date=2022-04-28 time=16:18:34 eventtime=1651187914585406621 tz="-0700" logid="0422016400" type="utm" subtype="ips" eventtype="botnet" level="warning" vd="vd1" msg="Botnet C&C Communication." severity="critical" srcip=10.1.100.11 srccountry="Reserved" dstip=2.58.149.169 srcintf="port13" srcintfrole="undefined" dstintf="port14" dstintfrole="undefined" sessionid=894198 action="dropped" srcport=41798 dstport=80 proto=6 service="HTTP" policyid=1 profile="sensor-1" direction="outgoing" attack="Loki" attackid=7630239 ref="http://www.fortinet.com/be?bid=7630239" crscore=50 craction=4 crlevel="critical"

Botnet IPs and domains lists

To view botnet IPs and domains lists:
  1. Go to System > FortiGuard.
  2. Expand License Information > Intrusion Prevention to view Botnet IPs and Botnet Domains information.
  3. Click View List for more details.

Botnet C&C domain blocking

To block connections to botnet domains:
  1. Go to Security Profiles > DNS Filter, and click Create New, or double-click an existing filter to open it for editing.
  2. Enable Redirect botnet C&C requests to Block Portal.

  3. Configure the other settings as needed.
  4. Click OK.
  5. Add the filter profile to a firewall policy.

Botnet C&C URL blocking

To block malicious URLs:
  1. Go to Security Profiles > Intrusion Prevention, and click Create New, or double-click an existing filter to open it for editing.
  2. Enable Block malicious URLs.

  3. Configure the other settings as needed.
  4. Click OK.
  5. Add the sensor to a firewall policy.

Botnet C&C signature blocking

To add IPS signatures to a sensor:
  1. Go to Security Profiles > Intrusion Prevention, and click Create New, or double-click an existing sensor to open it for editing.
  2. In the IPS Signatures and Filters section, click Create New. A list of available signatures appears.
  3. For Type, select Signature. Select the signatures you want to include from the list.
  4. Configure the other settings as needed.
  5. Click Add Selected.

  6. Click OK to add the IPS signatures to the IPS sensor.
  7. Click OK to save the IPS sensor.
  8. Add the sensor to a firewall policy to detect or block attacks that match the IPS signatures.