FortiGate
sselvam (Staff)
Article Id 193552

Description
This article describes how to block Botnet C&C connections.

Solution
In V5.6 & V6.0 firmware versions on GUI:

1) Botnet C&C connections are blocked per interface: enable "Scan Outgoing Connections to Botnet Sites" and set it to either Block or Monitor.
Go to Firewall -> Network -> Interfaces.
Edit the interface on which the setting is required (these connections are mostly seen on the external interface, so enable it on the Internet-facing interface).

2) Screenshot of applying the Botnet C&C setting on the WAN interface of the firewall (click the botnet package to see the list of IP details):

In V6.2 firmware Version on GUI:

1) The C&C setting has been moved from the interface to the Intrusion Prevention profile.

Go to Security Profiles -> Intrusion Prevention
Enable Botnet C&C by setting "Scan Outgoing Connections to Botnet Sites" to Block or Monitor.


Screenshot of the IPS profile configuration:

2) To apply the profile in a policy, go to Policy & Objects -> IPv4 Policy.
Enable the IPS profile configured in the previous step on the policy.


Screenshot of applying the profile to the policy:

In V5.6 & V6.0 firmware versions on CLI:
To configure Botnet C&C IP blocking:
# config system interface
# edit port1
# set scan-botnet-connections <disable | block | monitor>
# next
# end

In V6.2 firmware version on CLI:

To configure Botnet C&C IP blocking:
The config ips sensor command now has a scan-botnet-connections option:
# config ips sensor
# edit "Demo"
# set scan-botnet-connections <disable | block | monitor>
# next
# end
Note:
The scan-botnet-connections command is no longer available in the following CLI commands:
# config firewall policy
# config firewall interface-policy
# config firewall proxy-policy
# config firewall sniffer
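As an added example (not from this article or from Fortinet), the following Python script parses a FortiOS-style configuration dump and reports every firewall policy that is not covered by an IPS sensor with scan-botnet-connections set to block, which is the 6.2 model described above. The configuration text is constructed for the example; the firewall policy key ips-sensor is assumed from FortiOS and is not shown on this page.

```python
# Constructed FortiOS 6.2-style config excerpt (not from a real device). The
# ips sensor syntax follows this article; the firewall policy key ips-sensor
# is assumed from FortiOS and does not appear on this page.
SAMPLE_CONFIG = """\
config ips sensor
    edit "Demo"
        set scan-botnet-connections block
    next
    edit "legacy"
        set scan-botnet-connections monitor
    next
end
config firewall policy
    edit 1
        set ips-sensor "Demo"
    next
    edit 2
        set ips-sensor "legacy"
    next
    edit 3
    next
end
"""

def parse_tables(cfg):
    # Flatten config/edit/set/next/end blocks into {table: {entry: {key: value}}}.
    tables, table, entry = {}, None, None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if line.startswith("config ") and entry is None:
            tables.setdefault((table := line[7:]), {})
        elif line.startswith("edit ") and table is not None:
            tables[table][(entry := line[5:].strip('"'))] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            tables[table][entry][key] = value.strip('"')
        elif line == "next":
            entry = None
    return tables

def audit_botnet_blocking(cfg):
    # One finding per policy whose IPS sensor does not block botnet C&C traffic.
    tables = parse_tables(cfg)
    sensors = tables.get("ips sensor", {})
    findings = []
    for pid, pol in tables.get("firewall policy", {}).items():
        mode = sensors.get(pol.get("ips-sensor"), {}).get("scan-botnet-connections", "disable")
        if mode != "block":
            findings.append(f"policy {pid}: ips-sensor={pol.get('ips-sensor')} scan-botnet-connections={mode}")
    return findings
```

A policy with no sensor at all is reported as disabled, since no botnet check is applied to its traffic.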

Verification of Configuration and troubleshooting:

For example, when a client behind the FortiGate connects to a known botnet C&C IP, an IPS log entry is generated for the event:
