FortiGate
sselvam
Staff
Article Id 193552

Description


This article describes how to block Botnet C&C connections on a FortiGate, where the setting lives in each firmware version, and how to verify from the logs that the block actually fires.

Scope

FortiGate.

Solution


In V5.6 and V6.0 firmware versions on GUI:

  1. Botnet C&C connections are blocked per interface: enable 'Scan Outgoing Connections to Botnet Sites' on the interface and set it to either Block or Monitor.
     Go to Network -> Interfaces.
     Edit the interface on which the check is required. These connections leave through the external interface, so enable it on the Internet-facing interface.
  2. Screenshot of the Botnet C&C setting applied on the WAN interface of the firewall (clicking the botnet package shows the list of IP addresses in the current botnet database).

In V6.2 on GUI:

  1. The C&C setting has moved from the interface to the Intrusion Prevention profile. Go to Security Profiles -> Intrusion Prevention and enable Botnet C&C by setting 'Scan Outgoing Connections to Botnet Sites' to Block or Monitor.

Screenshot of the IPS profile configuration:

  2. To apply the profile, go to Policy & Objects -> IPv4 Policy, edit the policy that carries the outbound traffic and, under Security Profiles, enable IPS and select the sensor configured in step 1.

Screenshot of applying the profile on the policy:

In V5.6 and V6.0 on CLI:

To configure Botnet C&C IP blocking on an interface (port1 here):

config system interface
    edit port1
        set scan-botnet-connections <disable | block | monitor>
    next
end


In V6.2 on CLI:

To configure Botnet C&C IP blocking, config ips sensor now has a scan-botnet-connections option:

config ips sensor
    edit "Demo"
        set scan-botnet-connections <disable | block | monitor>
    next
end

The sensor only takes effect on traffic once it is selected as the IPS sensor of the firewall policy that carries that traffic (the same step as in the GUI above).

The scan-botnet-connections option is no longer available in the following CLI tables:

config firewall policy
config firewall interface-policy
config firewall proxy-policy
config firewall sniffer


Verification of Configuration and Troubleshooting:

For example, when a host behind the FortiGate connects to a known botnet IP, an IPS log with eventtype "botnet" is generated for the attack:


Note:

Starting from v7.4, 'set scan-botnet-connections' in an IPS profile does not take effect when the policy uses proxy-based inspection together with certificate inspection.

The issue is tracked as ID 1060812 and is resolved in v7.6.1. On affected versions the workaround is to disable proxy-inline-ips in the IPS settings:

config ips settings
    Description: Configure IPS VDOM parameter.
    set ha-session-pickup [connectivity|security]
    set ips-packet-quota {integer}
    set packet-log-history {integer}
    set packet-log-memory {integer}
    set packet-log-post-attack {integer}
    set proxy-inline-ips disable
end

The listing shows the whole table for reference; only proxy-inline-ips needs to be changed.

After disabling proxy-inline-ips in the IPS settings, 'set scan-botnet-connections block' works properly together with the other UTM features on the policy (e.g. Application Control, AntiVirus).


Example logs for a connection to the botnet destination 2.56.59.42 while it is not detected and blocked (v7.4 proxy-based policy with certificate inspection, proxy-inline-ips still enabled):

Traffic log:

date=20xx-xx-xx time=14:07:56 eventtime=1722316075309881173 tz="+xxxx" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.1.120 srcport=57570 srcintf="port1" srcintfrole="undefined" dstip=2.56.59.42 dstport=80 dstintf="port2" dstintfrole="undefined" srccountry="Reserved" dstcountry="Singapore" sessionid=3184 proto=6 action="server-rst" policyid=1 policytype="policy" poluuid="9e08805c-4e2e-51ef-08c1-c0ae8cb2f8dc" policyname="000-test" service="HTTP" trandisp="snat" transip=192.168.0.130 transport=57570 duration=10 sentbyte=60 rcvdbyte=132 sentpkt=1 rcvdpkt=3 appcat="unscanned" wanin=0 wanout=0 lanin=0 lanout=0 crscore=5 craction=262144 crlevel="low" msg="Connection Failed"

IPS log:

There is no output in the IPS logs.

IPS debug:

There is no output in the IPS debug log.

The traffic log shows the session passed without any UTM verdict (action="server-rst" only means the server reset the connection; there is no utmaction field) and no IPS event was written at all, so the botnet check never ran on this session. If only the IPS feature is enabled in the policy, or if proxy-inline-ips is disabled in the IPS settings, the same traffic is blocked properly.


An example of working logs for botnet blocking in IPS:

Traffic log:

date=20xx-xx-xx time=14:00:58 eventtime=1722315658039852550 tz="+xxxx" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.1.120 srcport=57476 srcintf="port1" srcintfrole="undefined" dstip=2.56.59.42 dstport=80 dstintf="port2" dstintfrole="undefined" srccountry="Reserved" dstcountry="Singapore" sessionid=2531 proto=6 action="timeout" policyid=1 policytype="policy" poluuid="9e08805c-4e2e-51ef-08c1-c0ae8cb2f8dc" policyname="000-test" service="HTTP" trandisp="snat" transip=192.168.0.130 transport=57476 duration=45 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countips=1 crscore=50 craction=4 utmref=0-4134

IPS log:

date=20xx-xx-xx time=14:00:13 eventtime=1722315612590687565 tz="-xxxx" logid="0422016400" type="utm" subtype="ips" eventtype="botnet" level="warning" vd="root" msg="Botnet C&C Communication." severity="critical" srcip=192.168.1.120 srccountry="Reserved" dstip=2.56.59.42 dstcountry="Singapore" srcintf="port1" srcintfrole="undefined" dstintf="port2" dstintfrole="undefined" sessionid=2531 action="dropped" srcport=57476 dstport=80 proto=6 service="HTTP" policyid=1 poluuid="9e08805c-4e2e-51ef-08c1-c0ae8cb2f8dc" policytype="policy" profile="protect_client" direction="outgoing" attack="Malware" attackid=7630020 ref="http://www.fortinet.com" crscore=50 craction=4 crlevel="critical"

IPS debug:

ips_run_session_verdict_check: can't find session
ips_bot_detect: BOTNET detected. id: 7630020
ips_bot_alert: botnet_id=7630020, action=1
ips_set_pkt_verdict: action=DROP
ips_set_pkt_verdict: turn tcp drop to DROP_SESSION
ips_handle_pkt_verdict: drop a session, size=52
ips_eng_send_packet: send packet len=40 flags=2

Here the three sources agree: the traffic log carries utmaction="block" and countips=1 with zero bytes exchanged, the IPS log for the same sessionid (2531) has eventtype="botnet", msg="Botnet C&C Communication." and action="dropped", and the debug output shows ips_bot_detect matching botnet ID 7630020 and the verdict being raised from a packet drop to DROP_SESSION.

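Comparing the two log sets above by hand works for a single test session. The following Python script is an added example (not part of this article and not Fortinet code) that does the same correlation mechanically: it parses FortiOS key=value syslog lines, groups traffic and IPS records by sessionid, and reports for each session to the botnet destination whether the block fired ("blocked"), the event was only logged ("detected-not-blocked"), or no IPS event exists at all ("not-inspected", the symptom described in the note above). The sample records are constructed from the article's output with most fields trimmed; the monitor-mode record with action="detected" and the profile name monitor_only are assumptions, not output taken from a FortiGate.

```python
"""Correlate FortiOS traffic and IPS logs to confirm a botnet C&C block fired.

Added example for this article (not Fortinet code). Records are grouped by
sessionid and every session seen talking to the botnet destination gets a
verdict. The sample records are constructed from the article's output with
most fields trimmed.
"""
import re
from collections import defaultdict

# One key=value pair; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# logid of the "Botnet C&C Communication." IPS event shown in the article.
BOTNET_LOGID = "0422016400"

# Constructed sample: session 3184 is the non-working case (traffic log only),
# 2531 is the working block, 4100 is a monitor-mode event. action="detected"
# and profile="monitor_only" on session 4100 are assumptions about the log value.
SAMPLE_LOGS = """\
date=20xx-xx-xx time=14:07:56 logid="0000000013" type="traffic" subtype="forward" srcip=192.168.1.120 srcport=57570 dstip=2.56.59.42 dstport=80 sessionid=3184 proto=6 action="server-rst" policyid=1 service="HTTP" appcat="unscanned" msg="Connection Failed"
date=20xx-xx-xx time=14:00:58 logid="0000000013" type="traffic" subtype="forward" srcip=192.168.1.120 srcport=57476 dstip=2.56.59.42 dstport=80 sessionid=2531 proto=6 action="timeout" policyid=1 service="HTTP" utmaction="block" countips=1 utmref=0-4134
date=20xx-xx-xx time=14:00:13 logid="0422016400" type="utm" subtype="ips" eventtype="botnet" level="warning" msg="Botnet C&C Communication." severity="critical" srcip=192.168.1.120 dstip=2.56.59.42 sessionid=2531 action="dropped" srcport=57476 dstport=80 proto=6 service="HTTP" policyid=1 profile="protect_client" direction="outgoing" attack="Malware" attackid=7630020
date=20xx-xx-xx time=14:12:02 logid="0000000013" type="traffic" subtype="forward" srcip=192.168.1.121 srcport=50001 dstip=2.56.59.42 dstport=80 sessionid=4100 proto=6 action="close" policyid=1 service="HTTP" utmaction="allow" countips=1
date=20xx-xx-xx time=14:12:01 logid="0422016400" type="utm" subtype="ips" eventtype="botnet" msg="Botnet C&C Communication." srcip=192.168.1.121 dstip=2.56.59.42 sessionid=4100 action="detected" srcport=50001 dstport=80 proto=6 policyid=1 profile="monitor_only" attackid=7630020
"""


def parse_fortilog(line):
    """Parse one FortiOS syslog line into a dict, stripping quotes from values."""
    fields = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def classify_session(traffic, ips_events):
    """Return the verdict for one session from its traffic record and IPS events.

    blocked               botnet IPS event with action=dropped, and the traffic
                          log (if present) confirms utmaction=block
    detected-not-blocked  botnet event logged but the session was not dropped
                          (monitor mode, or traffic log disagrees with IPS log)
    not-inspected         no botnet event at all: the symptom of the v7.4
                          proxy-inline-ips issue, or a policy without the sensor
    """
    botnet = [e for e in ips_events
              if e.get("eventtype") == "botnet" or e.get("logid") == BOTNET_LOGID]
    if not botnet:
        return "not-inspected"
    dropped = any(e.get("action") == "dropped" for e in botnet)
    # A missing traffic record does not contradict the IPS verdict.
    traffic_ok = traffic is None or traffic.get("utmaction") == "block"
    if dropped and traffic_ok:
        return "blocked"
    return "detected-not-blocked"


def check_botnet_blocking(lines, dstip=None):
    """Group records by sessionid and classify each session, optionally for one dstip."""
    sessions = defaultdict(lambda: {"traffic": None, "ips": []})
    for line in lines:
        rec = parse_fortilog(line.strip())
        sid = rec.get("sessionid")
        if sid is None or (dstip and rec.get("dstip") != dstip):
            continue
        if rec.get("type") == "traffic":
            sessions[sid]["traffic"] = rec
        elif rec.get("type") == "utm" and rec.get("subtype") == "ips":
            sessions[sid]["ips"].append(rec)
    return {sid: classify_session(s["traffic"], s["ips"]) for sid, s in sessions.items()}


if __name__ == "__main__":
    verdicts = check_botnet_blocking(SAMPLE_LOGS.splitlines(), "2.56.59.42")
    for sid, verdict in sorted(verdicts.items()):
        print(f"session {sid}: {verdict}")
```

Feed the script the raw lines exported from the FortiGate or a syslog collector and filter on the destination IP under test. A session classed not-inspected on a policy that does carry the IPS sensor points at the proxy-inline-ips condition from the note above; detected-not-blocked is the expected result when the sensor is set to monitor rather than block.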

Related document:

config ips settings