Description
The IP Definitions Database (IPDB, previously known as the IRDB) is merged into the Internet Service Database (ISDB, also known as FFDB).
Botnet C&C IP blocking now uses the ISDB as a source.
Scope
FortiGate.
Solution
In the License Information table (System -> FortiGuard), 'Botnet IPs' and 'Internet Service Database Definitions' show the same database version, because both are now served from the ISDB.
Botnet IPs can be diagnosed with the following CLI command.
diagnose sys botnet-ip {hit | list | find | flush}
To see the current botnet hits in the firewall:
oxygen-kvm17 # diagnose sys botnet-ip hit
The number of hit entries: 0
To see the whole list of botnet IP entries:
oxygen-kvm17 # diagnose sys botnet-ip list
0. proto=TCP, ip=1.0.133.100-1.0.133.100, port=51327-51327, botnet=7630624, hit_count=0
.
.
.
3705. proto=TCP, ip=223.165.243.209-223.165.243.209, port=47205-47205, botnet=7630624, hit_count=0
To look up a specific IP entry in the list, use the following syntax (the protocol is given as its IANA protocol number, e.g. 6 for TCP):
diagnose sys botnet-ip find <IP> <Port> <Protocol>
oxygen-kvm17 # diagnose sys botnet-ip find 223.165.243.209 47205 6
proto=TCP, ip=223.165.243.209, port=47205, botnet=7630624 is listed in the botnet database.
To flush the botnet IP entry hit count data:
diagnose sys botnet-ip flush
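The output of 'diagnose sys botnet-ip list' can be long (thousands of entries), so it is useful to parse it off-box and report only the entries whose hit_count is non-zero, i.e. the botnet C&C addresses the firewall has actually seen traffic to. The following Python script is an added example and is not Fortinet code; the sample output it parses is constructed in the same format as the CLI output above, and its hit_count values and the UDP entry are made up for the example. The find_entry function mirrors the 'find <IP> <Port> <Protocol>' sub-command, taking the protocol as an IANA number.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the format of `diagnose sys botnet-ip list`.
# The "." lines mirror the elision in the CLI output shown on the page.
# Entry 1 and its hit counts are made up for this example.
SAMPLE_LIST = """\
0. proto=TCP, ip=1.0.133.100-1.0.133.100, port=51327-51327, botnet=7630624, hit_count=0
1. proto=UDP, ip=198.51.100.7-198.51.100.7, port=53-53, botnet=7630624, hit_count=3
.
.
.
3705. proto=TCP, ip=223.165.243.209-223.165.243.209, port=47205-47205, botnet=7630624, hit_count=1
"""

# One list line: index, protocol, IP range, port range, botnet id, hit counter.
ENTRY_RE = re.compile(
    r"^(?P<idx>\d+)\. proto=(?P<proto>\w+), ip=(?P<ip_lo>[\d.]+)-(?P<ip_hi>[\d.]+), "
    r"port=(?P<port_lo>\d+)-(?P<port_hi>\d+), botnet=(?P<botnet>\d+), hit_count=(?P<hits>\d+)$"
)

# IANA protocol numbers as accepted by the `find` sub-command.
PROTO_NUMBERS = {6: "TCP", 17: "UDP"}


@dataclass
class BotnetEntry:
    index: int
    proto: str
    ip_lo: str
    ip_hi: str
    port_lo: int
    port_hi: int
    botnet: int
    hit_count: int


def parse_botnet_list(text: str) -> List[BotnetEntry]:
    """Parse `diagnose sys botnet-ip list` output into entries, skipping elision dots."""
    entries: List[BotnetEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"."}:
            continue  # blank line or "." / "..." elision
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised botnet-ip list line: {line!r}")
        entries.append(BotnetEntry(
            int(m["idx"]), m["proto"], m["ip_lo"], m["ip_hi"],
            int(m["port_lo"]), int(m["port_hi"]), int(m["botnet"]), int(m["hits"]),
        ))
    return entries


def entries_with_hits(entries: List[BotnetEntry]) -> List[BotnetEntry]:
    """Entries that the firewall has actually matched traffic against."""
    return [e for e in entries if e.hit_count > 0]


def total_hits(entries: List[BotnetEntry]) -> int:
    """Sum of hit counters; compare with the count from `diagnose sys botnet-ip hit`."""
    return sum(e.hit_count for e in entries)


def find_entry(entries: List[BotnetEntry], ip: str, port: int, proto_num: int) -> Optional[BotnetEntry]:
    """Local equivalent of `diagnose sys botnet-ip find <IP> <Port> <Protocol>`."""
    proto = PROTO_NUMBERS.get(proto_num)
    if proto is None:
        raise ValueError(f"unsupported protocol number {proto_num}")
    addr = ipaddress.ip_address(ip)
    for e in entries:
        if e.proto != proto:
            continue
        if not (ipaddress.ip_address(e.ip_lo) <= addr <= ipaddress.ip_address(e.ip_hi)):
            continue
        if not (e.port_lo <= port <= e.port_hi):
            continue
        return e
    return None


if __name__ == "__main__":
    parsed = parse_botnet_list(SAMPLE_LIST)
    print(f"{len(parsed)} entries, {total_hits(parsed)} hits in total")
    for e in entries_with_hits(parsed):
        print(f"hit: {e.proto} {e.ip_lo}:{e.port_lo} botnet={e.botnet} hit_count={e.hit_count}")
```

In practice the list text would come from the CLI session (or an automation channel that captures it); entries reported by entries_with_hits are the ones worth correlating with the firewall's traffic and UTM logs, since a non-zero hit_count means an internal host attempted to reach a listed C&C address.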
When checking object versions from the CLI, Botnet IPs is not listed as a separate object.
Internet-service Database Apps and Internet-service Database Maps are listed instead, and their version is the version shown in the GUI for both Botnet IPs and Internet Service Database Definitions.
diagnose autoupdate version
......
Internet-service Database Apps
---------
Version: 7.00528
Contract Expiry Date: n/a
Last Updated using scheduled update on Fri Mar 13 12:48:18 2020
Last Update Attempt: Fri Mar 13 16:48:10 2020
Result: No Updates
Internet-service Database Maps
---------
Version: 7.00528
Contract Expiry Date: n/a
Last Updated using scheduled update on Fri Mar 13 12:48:18 2020
Last Update Attempt: Fri Mar 13 16:48:10 2020
Result: No Updates
......
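Because the Botnet IP version is only visible through the two Internet-service Database objects, a monitoring script that checks definition freshness has to read those sections of 'diagnose autoupdate version', confirm that Apps and Maps carry the same version, and alert when the last successful update is older than an acceptable window. The following Python script is an added example, not Fortinet code; the sample text it parses is constructed from the two sections above, and the seven-day staleness threshold and the 'now' timestamp are assumptions for the example.

```python
import re
from datetime import datetime
from typing import Dict, Tuple

# Constructed sample of the two relevant sections of `diagnose autoupdate version`.
SAMPLE_VERSION = """\
......
Internet-service Database Apps
---------
Version: 7.00528
Contract Expiry Date: n/a
Last Updated using scheduled update on Fri Mar 13 12:48:18 2020
Last Update Attempt: Fri Mar 13 16:48:10 2020
Result: No Updates
Internet-service Database Maps
---------
Version: 7.00528
Contract Expiry Date: n/a
Last Updated using scheduled update on Fri Mar 13 12:48:18 2020
Last Update Attempt: Fri Mar 13 16:48:10 2020
Result: No Updates
......
"""

ISDB_APPS = "Internet-service Database Apps"
ISDB_MAPS = "Internet-service Database Maps"
TIME_FMT = "%a %b %d %H:%M:%S %Y"          # e.g. "Fri Mar 13 12:48:18 2020"
LAST_UPDATED_RE = re.compile(r"^Last Updated using (\w+) update on (.+)$")
MAX_AGE_DAYS = 7                           # assumed acceptable staleness for the example


def parse_autoupdate_version(text: str) -> Dict[str, Dict[str, str]]:
    """Split the output into sections keyed by object name, each a dict of fields."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        if line.startswith("---"):
            continue
        # A section header is the line immediately before a "---------" rule.
        if i + 1 < len(lines) and lines[i + 1].strip().startswith("---"):
            current = line
            sections[current] = {}
            continue
        if current is None or not line or set(line) <= {"."}:
            continue  # preamble, blank lines, or "......" elision
        m = LAST_UPDATED_RE.match(line)
        if m:
            sections[current]["Update Method"] = m.group(1)
            sections[current]["Last Updated"] = m.group(2).strip()
            continue
        key, _, value = line.partition(":")
        sections[current][key.strip()] = value.strip()
    return sections


def isdb_versions_consistent(sections: Dict[str, Dict[str, str]]) -> Tuple[bool, str]:
    """True if Apps and Maps report the same version; that version is the Botnet IP version."""
    apps = sections[ISDB_APPS]["Version"]
    maps = sections[ISDB_MAPS]["Version"]
    return apps == maps, apps


def isdb_age_days(sections: Dict[str, Dict[str, str]], now: datetime) -> int:
    """Whole days since the last successful ISDB update."""
    updated = datetime.strptime(sections[ISDB_APPS]["Last Updated"], TIME_FMT)
    return (now - updated).days


def isdb_is_stale(sections: Dict[str, Dict[str, str]], now: datetime, max_age_days: int = MAX_AGE_DAYS) -> bool:
    return isdb_age_days(sections, now) > max_age_days


if __name__ == "__main__":
    secs = parse_autoupdate_version(SAMPLE_VERSION)
    ok, version = isdb_versions_consistent(secs)
    print(f"ISDB/Botnet IP version {version}, consistent={ok}")
    print(f"stale={isdb_is_stale(secs, datetime(2020, 3, 20, 12, 0, 0))}")
```

A mismatch between the Apps and Maps versions, or a 'Result' other than 'No Updates' or a successful update, is the condition to alert on; the age check catches the case where updates have silently stopped, which also means the Botnet C&C IP list is no longer current.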