Technical Tip: IP Definitions Database and internet service database are merged

Description

The IP Definitions Database (IPDB, previously known as the IRDB) is merged into the Internet Service Database (ISDB, also known as FFDB).
Botnet C&C IP blocking now uses the ISDB as a source.

Scope

FortiGate.

Solution

In the License Information table.
Go to System -> FortiGuard, 'Botnet IPs' and 'Internet Service Database Definitions' have the same database version.

 

To see the current botnet hits in the firewall:

 

oxygen-kvm17 # diagnose sys botnet-ip hit

The number of hit entries: 0

 

To see the whole list of botnet IP entries:

 

oxygen-kvm17 # diagnose sys botnet-ip list

0. proto=TCP, ip=1.0.133.100-1.0.133.100, port=51327-51327, botnet=7630624, hit_count=0

.

.

.

3705. proto=TCP, ip=223.165.243.209-223.165.243.209, port=47205-47205, botnet=7630624, hit_count=0

 

To see and find an IP entry from the list, follow the syntax below:

 

diagnose sys botnet-ip find <IP> <Port> <Protocol>

 

oxygen-kvm17 # diagnose sys botnet-ip find 223.165.243.209 47205 6
proto=TCP, ip=223.165.243.209, port=47205, botnet=7630624 is listed in the botnet database.

 

To flush the botnet IP entry hit count data:

 

diagnose sys botnet-ip flush

 

When updating object versions from the CLI, Botnet IPs are not listed.

Internet-service Database Apps and Internet-service Database Maps are listed, and show the version for Botnet IPs and Internet Service Database Definitions.

 

diagnose autoupdate version
......
Internet-service Database Apps
---------
Version: 7.00528
Contract Expiry Date: n/a
Last Updated using scheduled update on Fri Mar 13 12:48:18 2020
Last Update Attempt: Fri Mar 13 16:48:10 2020
Result: No Updates

Internet-service Database Maps
---------
Version: 7.00528
Contract Expiry Date: n/a
Last Updated using scheduled update on Fri Mar 13 12:48:18 2020
Last Update Attempt: Fri Mar 13 16:48:10 2020
Result: No Updates
......