Technical Tip: Configuring the firewall to block Botnet CC connections
Description
This article describes how to block Botnet C&C connections.
Scope
FortiGate.
Solution
In V5.6 and V6.0 firmware versions on GUI:
- Botnet C&C connections are blocked per interface; in the interface settings, set Scan Outgoing Connections to Botnet Sites to either Block or Monitor.
Go to Firewall -> Network -> Interfaces
Edit the interface on which the setting is required. These connections mostly hit the external interface, so enable it on the Internet-connected interface. Screenshot of applying the Botnet C&C setting on the WAN interface of the firewall (click the botnet package to see the list of IP details):

In V6.2 on GUI:
- The Botnet C&C setting has moved from the interface to the Intrusion Prevention profile. Go to Security Profiles -> Intrusion Prevention and enable Botnet C&C by setting Scan Outgoing Connections to Botnet Sites to Block or Monitor.
Screenshot of the IPS profile configuration:

- To apply the profile in a policy, go to Policy&Objects -> IPv4 Policy and enable the IPS profile configured above under the policy's security profiles.
Screenshot of applying the profile on the policy:

In V5.6 and V6.0 on CLI, the option is set per interface:
config system interface
edit port1
set scan-botnet-connections <disable | block | monitor>
next
end
In V6.2 on CLI:
To configure Botnet C&C IP blocking, config ips sensor now has a new scan-botnet-connections option:
config ips sensor
edit "Demo"
set scan-botnet-connections <disable | block | monitor>
next
end
The scan-botnet-connections command is no longer available in the following CLI commands:
config firewall policy
config firewall interface-policy
config firewall proxy-policy
config firewall sniffer
Verification of Configuration and Troubleshooting:
For example, when a client visits a botnet IP, an IPS log is generated for the attack:

Note:
Starting from v7.4, 'set scan-botnet-connections' in IPS profiles does not work when the policy uses proxy-based inspection with certificate inspection.
The issue is tracked as ID 1060812 and has been resolved in v7.6.1; on affected versions the workaround is to disable proxy-inline-ips in the IPS settings:
config ips settings
Description: Configure IPS VDOM parameter.
set ha-session-pickup [connectivity|security]
set ips-packet-quota {integer}
set packet-log-history {integer}
set packet-log-memory {integer}
set packet-log-post-attack {integer}
set proxy-inline-ips disable
end
After disabling `proxy-inline-ips` in the IPS settings, 'set scan-botnet-connections block' in the IPS sensor works properly together with other UTM features (e.g. Application Control, AV).
Example log output for the botnet destination address 2.56.59.42 while the issue is present and the connection is neither detected nor blocked:
Traffic log:
date=20xx-xx-xx ,time=14:07:56 eventtime=1722316075309881173 tz="+xxxx" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.1.120 srcport=57570 srcintf="port1" srcintfrole="undefined" dstip=2.56.59.42 dstport=80 dstintf="port2" dstintfrole="undefined" srccountry="Reserved" dstcountry="Singapore" sessionid=3184 proto=6 action="server-rst" policyid=1 policytype="policy" poluuid="9e08805c-4e2e-51ef-08c1-c0ae8cb2f8dc" policyname="000-test" service="HTTP" trandisp="snat" transip=192.168.0.130 transport=57570 duration=10 sentbyte=60 rcvdbyte=132 sentpkt=1 rcvdpkt=3 appcat="unscanned" wanin=0 wanout=0 lanin=0 lanout=0 crscore=5 craction=262144 crlevel="low" msg="Connection Failed"
IPS log:
There is no output in IPS logs.
IPS debug:
There is no output in the IPS debug log.
If only the IPS feature is enabled in the policy, or if proxy-inline-ips is disabled in the IPS settings, the traffic is blocked properly.
An example of working logs for botnet blocking in IPS:
Traffic log:
date=20xx-xx-xx, time=14:00:58 eventtime=1722315658039852550 tz="+xxxx" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.1.120 srcport=57476 srcintf="port1" srcintfrole="undefined" dstip=2.56.59.42 dstport=80 dstintf="port2" dstintfrole="undefined" srccountry="Reserved" dstcountry="Singapore" sessionid=2531 proto=6 action="timeout" policyid=1 policytype="policy" poluuid="9e08805c-4e2e-51ef-08c1-c0ae8cb2f8dc" policyname="000-test" service="HTTP" trandisp="snat" transip=192.168.0.130 transport=57476 duration=45 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countips=1 crscore=50 craction=4 utmref=0-4134
IPS log:
date=20xx-xx-xx,time=14:00:13 eventtime=1722315612590687565 tz="-xxxx" logid="0422016400" type="utm" subtype="ips" eventtype="botnet" level="warning" vd="root" msg="Botnet C&C Communication." severity="critical" srcip=192.168.1.120 srccountry="Reserved" dstip=2.56.59.42 dstcountry="Singapore" srcintf="port1" srcintfrole="undefined" dstintf="port2" dstintfrole="undefined" sessionid=2531 action="dropped" srcport=57476 dstport=80 proto=6 service="HTTP" policyid=1 poluuid="9e08805c-4e2e-51ef-08c1-c0ae8cb2f8dc" policytype="policy" profile="protect_client" direction="outgoing" attack="Malware" attackid=7630020 ref="http://www.fortinet.com" crscore=50 craction=4 crlevel="critical"
IPS debug:
ips_run_session_verdict_check: can't find session
ips_bot_detect: BOTNET detected. id: 7630020
ips_bot_alert: botnet_id=7630020, action=1
ips_set_pkt_verdict: action=DROP
ips_set_pkt_verdict: turn tcp drop to DROP_SESSION
ips_handle_pkt_verdict: drop a session, size=52
ips_eng_send_packet: send packet len=40 flags=2
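The two log sets above differ in a few fields: the working case carries utmaction="block" and countips=1 in the traffic log plus a type="utm" subtype="ips" eventtype="botnet" record with action="dropped" for the same sessionid, while the failing case has only a plain traffic record (action="server-rst", no utmaction). The following script is an added example, not part of the article or of any Fortinet tool: it parses FortiOS key=value log lines, correlates traffic and IPS records by sessionid for a given destination IP, and reports per session whether the botnet block actually took effect, which is the check to run when verifying the proxy-inline-ips workaround. The sample lines are constructed, shortened versions of the article's logs (the 93.184.216.34 benign session is invented for contrast).

```python
import re
from typing import Dict, List, Tuple

# FortiOS logs are space-separated key=value pairs. Values may be double-quoted
# (and then contain spaces, e.g. msg="Botnet C&C Communication."); unquoted
# values never contain commas, which also copes with the "date=...,time=..." join
# seen in exported logs.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s,]+)')


def parse_fortilog(line: str) -> Dict[str, str]:
    """Parse one FortiOS log line into a field -> value dict (quotes stripped)."""
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        key, raw = m.group(1), m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def botnet_verdict(rec: Dict[str, str]) -> str:
    """Classify a parsed record with respect to botnet C&C enforcement."""
    if rec.get("type") == "utm" and rec.get("subtype") == "ips":
        if rec.get("eventtype") == "botnet":
            # action="dropped" means the IPS engine blocked the session;
            # anything else (e.g. "detected") is monitor mode.
            return "ips-botnet-blocked" if rec.get("action") == "dropped" else "ips-botnet-detected"
        return "ips-other"
    if rec.get("type") == "traffic":
        if "utmaction" not in rec:
            # No UTM verdict at all: the flow was never inspected by IPS.
            return "traffic-not-inspected"
        return "traffic-utm-" + rec["utmaction"]
    return "other"


def correlate(lines: List[str], watch_ip: str) -> Dict[str, List[str]]:
    """Group verdicts by sessionid for all records whose dstip is watch_ip."""
    sessions: Dict[str, List[str]] = {}
    for line in lines:
        rec = parse_fortilog(line)
        if rec.get("dstip") != watch_ip:
            continue
        sid = rec.get("sessionid", "?")
        sessions.setdefault(sid, []).append(botnet_verdict(rec))
    return sessions


def audit(lines: List[str], watch_ip: str) -> List[Tuple[str, str]]:
    """Return (sessionid, 'BLOCKED' | 'NOT BLOCKED') for each session to watch_ip."""
    result = []
    for sid, verdicts in correlate(lines, watch_ip).items():
        blocked = any(v in ("ips-botnet-blocked", "traffic-utm-block") for v in verdicts)
        result.append((sid, "BLOCKED" if blocked else "NOT BLOCKED"))
    return result


# Constructed sample input, trimmed from the article's log lines.
SAMPLE_LOGS = [
    # Failing case: plain traffic record, no UTM verdict.
    'date=20xx-xx-xx ,time=14:07:56 logid="0000000013" type="traffic" subtype="forward" '
    'vd="root" srcip=192.168.1.120 srcport=57570 dstip=2.56.59.42 dstport=80 sessionid=3184 '
    'proto=6 action="server-rst" policyid=1 service="HTTP" appcat="unscanned" msg="Connection Failed"',
    # Working case: traffic record with UTM block ...
    'date=20xx-xx-xx, time=14:00:58 logid="0000000013" type="traffic" subtype="forward" '
    'vd="root" srcip=192.168.1.120 srcport=57476 dstip=2.56.59.42 dstport=80 sessionid=2531 '
    'proto=6 action="timeout" policyid=1 service="HTTP" utmaction="block" countips=1 utmref=0-4134',
    # ... and the matching IPS botnet record.
    'date=20xx-xx-xx,time=14:00:13 logid="0422016400" type="utm" subtype="ips" eventtype="botnet" '
    'level="warning" vd="root" msg="Botnet C&C Communication." severity="critical" '
    'srcip=192.168.1.120 dstip=2.56.59.42 sessionid=2531 action="dropped" srcport=57476 dstport=80 '
    'proto=6 profile="protect_client" direction="outgoing" attack="Malware" attackid=7630020',
    # Unrelated benign session (constructed), must be ignored by the audit.
    'type="traffic" subtype="forward" srcip=192.168.1.120 dstip=93.184.216.34 dstport=443 '
    'sessionid=9999 action="close" utmaction="allow"',
]

if __name__ == "__main__":
    for sid, status in audit(SAMPLE_LOGS, "2.56.59.42"):
        print(f"session {sid}: {status}")
```

Feed it the traffic and IPS logs exported for the test destination; any session to the botnet address that reports NOT BLOCKED while the IPS sensor has scan-botnet-connections set to block indicates the flow bypassed IPS, which is exactly the symptom the note above describes.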
Related document:
