Rajesh0032
New Member
August 20, 2016
Question

Dnscat2 not getting blocked by Firewall (Detected as Proxy Application)

  • August 20, 2016
  • 1 reply
  • 8088 views

Device Version: FortiGate-1500D v5.2.0,

FortiAnalyzer v5.2.2

Application control : Default policy Block Proxy

Our firewall is blocking all Proxy applications based on the policy, but lately we are seeing an application called Dnscat2 on the FortiAnalyzer Proxy application report (SS attached). Unlike other proxy applications, which are getting blocked by the firewall, this particular application is not getting blocked even though it's getting identified by the firewall as Dnscat2: Proxy application (tunnels data through port 53).

 

http://fortiguard.com/appcontrol/app-41612

 

 

    1 reply

    jintrah_FTNT
    Staff
    August 21, 2016

    Hi Rajesh,

     

    If required, the Dnscat2 signature can be set to "Block" to block this application using app control.

     

    Rajesh0032
    New Member
    August 21, 2016

    jintrah wrote:

    Hi Rajesh,

     

    If required, the Dnscat2 signature can be set to "Block" to block this application using app control.

     

    Thanks for the reply, but I already checked that. Dnscat2 comes under the category Proxy and it's blocked in my policies. Still, Dnscat2 is not getting blocked.

     

    yamidt_FTNT
    Staff
    August 22, 2016

    Hi Rajesh, it would be a good idea to attach the FG config file. What is the src IP you are testing? What is the policy ID that the FG is applying? Please capture on two CLI sessions:

    1. Debug flow for that src.
    2. Capture proxy detection at the same time. Please use:

        dia ips share clear bt // to clear bt expect table
        dia ips de en proxy
        dia ips de en detect
        dia de en

     

    Yamidt