Skip to main content
Tutek
Tutek
New Member
June 6, 2022
Question

Blocking botnet servers

  • June 6, 2022
  • 1 reply
  • 1417 views

Hi,

all my internet facing ipv4 policies have IPS policy where is settings enabled "Scan Outgoing Connections to Botnet Sites" 

Tutek_0-1654515875727.png

so it is needed to have at the top of ipv4 policies that are responsible for internet traffic policy with action DENY to block all Malicious and Botnet servers like: 

Tutek_1-1654516083255.png

I wonder if this isn't a redundant setting?

 

1 reply

bpozdena_FTNT
Staff
bpozdena_FTNT
Staff
June 6, 2022

Hi Tutek,

 

it may and may not be a redundant setting. It really depends on the rest of your firewall configuration.

 

In general, both approaches will work, but if you block the connection by DENY firewall policy action, you will just see that the connection was denied.

 

If you enable C&C blocking in your IPS profile, you will have some additional details about the attack in the log. Just note that not all C&C servers user standard ports like 80 and 443 - the service in the firewall policy should therefore be set to ALL to make sure all connections are sent to IPS engine for inspection.  

 

It is also a good idea to enable C&C detection in your DNS profile, which helps prevent the clients from opening the connection in the first place. 

 

Both examples can be found in the admin guide

 

HTH,

Boris

Terms & ConditionsAccessibility statement