XavierMP
New Member
July 15, 2015
Question

Testing Fortigate Botnet Prevention

  • July 15, 2015
  • 3 replies
  • 19627 views

Hello. I have IPS and Application Control enabled on Fortigate

I'm trying to test Botnet blocking and the IP reputation Service, so I have an Application Sensor configured to block Botnet

I've tried to access the IP addresses I found in this Fortinet link http://kb.fortinet.com/kb/documentLink.do?externalID=FD35036

and the FortiGate doesn't block any of them.

These addresses are in the FortiGuard IP Blacklist http://www.fortiguard.com/static/ip_lookup.html but neither the FortiGate AC nor IPS blocks them.

I would like to know if this is normal behaviour or if I have to do some more configuration to block these IPs or test botnet blocking

Thanks 
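One way to run the test the question describes is to probe the blacklisted addresses from a client behind the FortiGate and record which TCP handshakes actually complete. The script below is an added example, not code from this thread or from Fortinet; the target list is constructed from RFC 5737 documentation addresses and must be replaced with entries from the FortiGuard blacklist before use. A blocked flow usually shows up either as a timeout (silent drop) or as a refused/reset connection (RST injected), but the script cannot tell a firewall drop from a C&C host that is simply offline, so the result should be read together with the FortiGate's UTM log, ideally after a first pass with the sensor in monitor mode.

```python
"""Probe host:port targets from a client behind the FortiGate and report which
TCP connections complete. Added example, not part of the original thread.
"""
import socket
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class ProbeResult:
    host: str
    port: int
    outcome: str  # "connected", "refused", "reset", "timeout" or "error"
    detail: str = ""


def probe(host: str, port: int, timeout: float = 3.0) -> ProbeResult:
    """Attempt one TCP connect and classify what happened.

    A completed handshake means the firewall let the SYN and SYN-ACK through,
    whatever the remote host is. A drop surfaces as "timeout"; an injected
    RST surfaces as "refused" or "reset".
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return ProbeResult(host, port, "connected")
    except socket.timeout:
        return ProbeResult(host, port, "timeout")
    except ConnectionRefusedError as exc:
        return ProbeResult(host, port, "refused", str(exc))
    except ConnectionResetError as exc:
        return ProbeResult(host, port, "reset", str(exc))
    except OSError as exc:  # unreachable network, no route, etc.
        return ProbeResult(host, port, "error", str(exc))
    finally:
        sock.close()


def run_probes(targets: Iterable[Tuple[str, int]], timeout: float = 3.0) -> List[ProbeResult]:
    """Probe each (host, port) pair in order and collect the results."""
    return [probe(host, port, timeout) for host, port in targets]


def summarize(results: Iterable[ProbeResult]) -> Dict[str, int]:
    """Count outcomes. All "connected" means nothing on the list was blocked."""
    counts: Dict[str, int] = {}
    for result in results:
        counts[result.outcome] = counts.get(result.outcome, 0) + 1
    return counts


def blocked(results: Iterable[ProbeResult]) -> List[ProbeResult]:
    """Targets whose handshake did not complete.

    Caveat: a dead C&C host looks the same as a firewall drop from here;
    confirm each entry against the FortiGate UTM/AV log before concluding
    the block worked.
    """
    return [result for result in results if result.outcome != "connected"]


if __name__ == "__main__":
    # Constructed placeholders (RFC 5737 TEST-NET-1), not real C&C addresses.
    # Replace with addresses taken from the FortiGuard IP blacklist under test.
    targets = [("192.0.2.10", 80), ("192.0.2.11", 443), ("192.0.2.12", 6667)]
    results = run_probes(targets)
    for result in results:
        print(f"{result.host}:{result.port} -> {result.outcome} {result.detail}")
    print("summary:", summarize(results))
    print("not reachable:", [(r.host, r.port) for r in blocked(results)])
```

Run it once with the sensor disabled to establish which hosts are actually alive, then again with blocking enabled; only targets that move from "connected" to "timeout", "refused" or "reset" between the two runs demonstrate the FortiGate is enforcing the list.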


    ede_pfau
    SuperUser
    July 15, 2015

    Hi,

    A blacklist of IP addresses is distributed and processed by the AV engine. In Security Profiles > Antivirus, select an active AV profile and check "Detect Connections to Botnet C&C Servers", check "Block" and check which protocols you would like to have scanned.

    XavierMP (Author)
    New Member
    July 15, 2015

    I don't have AV license. I only have AC and IPS license

    But I thought I could block Botnets with Application Control

    Thanks

    gschmitt
    New Member
    July 15, 2015

    XavierMP wrote:

    I don't have AV license. I only have AC and IPS license

    But I thought I could block Botnets with Application Control


    It should identify Botnet based traffic (blocking the botnet client traffic to the C&C server) but not "normal" traffic to botnet domains/IPs

    ede_pfau
    SuperUser
    July 15, 2015

    Well, depending on the model you can license single services or only get the whole package. Small models only come with bundles.

    FatalHalt
    New Member
    July 15, 2015

    ede_pfau wrote:

    Well, depending on the model you can license single services or only get the whole package. Small models only come with bundles.

    Really? I had no idea... I guess I really only work on 1000 series and below. 


    At what level do they start breaking services up?

    neonbit
    New Member
    July 15, 2015

    You can get individual FortiGuard licenses on the FG100Ds and higher models (NGFW, AV & WF) or the UTM bundle.


    For all models smaller than the 100D (90D and lower) you can only get the UTM bundle (NGFW, AV, WF and AS).