FortiGate
acp
Staff
Article Id 190258
Description
This article describes how to block botnet C&C domain traffic with the DNS Filter profile.

Solution
The FortiGuard service continually updates the Botnet C&C domain list (Domain DB). The botnet C&C domain blocking feature blocks access to botnet web sites at the DNS name resolution stage, before any connection to the C&C host is made. This provides additional protection for the network.

To configure botnet C&C domain blocking from the GUI:

Go to Security Profiles -> DNS Filter and edit an existing DNS Filter profile or create a new one.

Enable 'Redirect botnet C&C requests to Block Portal'.

Select the botnet package link to see the latest botnet C&C domain list.

To check the DNS Filter log from the GUI:

Go to Log & Report -> DNS Query to view the DNS query blocked as a botnet domain.

To check the DNS Filter log from the CLI:
(vdom1) # execute log filter category utm-dns

(vdom1) # execute log display

2 logs found.
2 logs returned.

1: date=2019-04-04 time=16:43:59 logid="1501054601" type="utm" subtype="dns" eventtype="dns-response" level="warning" vd="vdom1" eventtime=1554421439 policyid=1 sessionid=14135 srcip=10.1.100.18 srcport=57447 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=24339 qname="canind.co" qtype="A" qtypeval=1 qclass="IN" msg="Domain was blocked by dns botnet C&C" action="redirect" botnetdomain="canind.co"

2: date=2019-04-04 time=16:43:59 logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="vdom1" eventtime=1554421439 policyid=1 sessionid=14135 srcip=10.1.100.18 srcport=57447 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=24339 qname="canind.co" qtype="A" qtypeval=1 qclass="IN"
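As an added example (not from the article or from Fortinet), a small Python parser for the utm-dns records shown above that picks out the botnet C&C redirects and pairs each with its dns-query record via the shared sessionid and DNS transaction id (xid). The sample records are constructed from the two entries above plus one benign query.

```python
import re

# One key=value field; the value is either a double-quoted string (may contain
# spaces, e.g. msg="...") or a bare token (e.g. srcip=10.1.100.18).
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample records, modelled on the two utm-dns entries above plus a
# benign query; each record is one line, as 'execute log display' emits it.
SAMPLE_LOGS = [
    'date=2019-04-04 time=16:43:59 logid="1501054601" type="utm" subtype="dns" '
    'eventtype="dns-response" level="warning" vd="vdom1" eventtime=1554421439 '
    'policyid=1 sessionid=14135 srcip=10.1.100.18 srcport=57447 srcintf="port10" '
    'srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" '
    'dstintfrole="undefined" proto=17 profile="demo" xid=24339 qname="canind.co" '
    'qtype="A" qtypeval=1 qclass="IN" msg="Domain was blocked by dns botnet C&C" '
    'action="redirect" botnetdomain="canind.co"',
    'date=2019-04-04 time=16:43:59 logid="1500054000" type="utm" subtype="dns" '
    'eventtype="dns-query" level="information" vd="vdom1" eventtime=1554421439 '
    'policyid=1 sessionid=14135 srcip=10.1.100.18 srcport=57447 srcintf="port10" '
    'srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" '
    'dstintfrole="undefined" proto=17 profile="demo" xid=24339 qname="canind.co" '
    'qtype="A" qtypeval=1 qclass="IN"',
    'date=2019-04-04 time=16:44:10 logid="1500054000" type="utm" subtype="dns" '
    'eventtype="dns-query" level="information" vd="vdom1" sessionid=14140 '
    'srcip=10.1.100.18 dstip=172.16.95.16 dstport=53 proto=17 profile="demo" '
    'xid=24340 qname="example.com" qtype="A" qtypeval=1 qclass="IN"',
]


def parse_fortios_log(line: str) -> dict:
    """Parse one FortiOS key=value log record into a dict of field -> value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def botnet_blocks(lines) -> list:
    """Summarise each DNS response that the DNS Filter redirected as botnet C&C,
    pairing it with its dns-query record via the shared sessionid and DNS xid."""
    records = [parse_fortios_log(line) for line in lines]
    queries = {(r.get("sessionid"), r.get("xid")): r
               for r in records if r.get("eventtype") == "dns-query"}
    hits = []
    for r in records:
        if r.get("subtype") != "dns" or "botnetdomain" not in r:
            continue  # only the dns-response record carries the botnet verdict
        hits.append({"time": f'{r.get("date")} {r.get("time")}',
                     "client": r.get("srcip"), "domain": r["botnetdomain"],
                     "action": r.get("action"), "profile": r.get("profile"),
                     "query_logged": (r.get("sessionid"), r.get("xid")) in queries})
    return hits
```

Feeding the output of `execute log display` line by line into `botnet_blocks` gives one entry per blocked C&C lookup, which is the same set of events the 'Botnet Activity' widget summarises.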

To check botnet activity:

Go to Dashboard -> Status and see the 'Botnet Activity' widget.

If the 'Botnet Activity' widget is not found, select the Settings button at the bottom right, select 'Add Widget' and add the 'Botnet Activity' widget.
