Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGuard
- FortiGate Cloud
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiToken
- FortiTester
- FortiWAN
- FortiVoice
- FortiWeb
- FortiWebCloud
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Application-Control VS AntiVirus
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Application-Control VS AntiVirus
Hi,
I trying to setup a ACL to prevent the connection to the Botnet Servers. I found there is a option "block connections to Botnet Servers" in the AntiVirus Profile.
As both Antivirus and Application control can block connection to the Botnet server , could you tell me what is the difference between Antivirus and Application Control ? Which one is better ?
Regards,
Jacky
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
sorry but Application Control and Antivirus are two completly different features:
- Antivirus is testing files like zip, gzip, word documents based on antivirus signature to find out virus's etc.
- Application control is looking to the application header within flow and blocks, monitores etc. stuff based on this application header. Behind application control there is also something like a signature database but only to identify certain application or functions etc. This database is also used/coming by/from IPS or visaverse.
From this point of view each antivirus has nothing to do with application control and visaverse. The block botnet function looks if a certain request is going out from internal to known botnet servers and if yes and so configured it will be blocked. This does not solve the internal problem that the client is infected to malicious whatever but it blocks comunication to botnet servers. To confiure botnet server block etc. within a certina antivirus profile you have to configure following:
# config antivirus profile # edit [Name of the profile] # set block-botnet-connections [enable | disable] For FortiOS 5.2 this command does not exist anymore "block-botnet-connections" and was replaced with: # set scan-botnet-connections [monitor | block | disable]
This list used you can see at following link:
https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
If you activate the function and you would like to test you have to request from internal a IP listed in the above link. If all is correct configured the request will be blockt on the FGT and you will see it in the logs.
hope this helps
have fun
Andrea
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
AndreaSoliva wrote:This list used you can see at following link: https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
Are you saying that list is the ONLY list the FortiGate uses to block botnet connections or is that just an example of some IPs that might get blocked? I'm referring to the "block-botnet-connections" feature of the AntiVirus UTM profile.
Has anyone ever seen an AV log showing where a botnet connection was blocked due to this feature? I haven't but I look forward to testing it.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
On Monday I did a lot of testing of the block-botnet connections AV option using that same Zeus tracker IP list.
My goals were to, 1. confirm it works and 2. confirm it logs an event stating the connection was blocked.
Unfortunately I was able to connect to every IP when using a policy with the AV profile applied with Block Botnet Connections enabled.I have a ticket opened currently and waiting for the engineer to call me back.
Paul
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is an IP Reputation log message from 5.2.
date=2015-03-20 time=10:04:38 logid=0202009248 type=utm subtype=virus eventtype=botnet level=warning vd="root" msg="Botnet C&C Communication." action=blocked sessionid=35841 srcip=10.10.220.6 dstip=103.230.84.239 srcport=28765 dstport=80 srcintf="internal" dstintf="wan1" proto=6 direction=outgoing quarskip=No-skip virus="Zeus" dtype="ip-reputation" ref="http://www.fortinet.com/be?bid=64" virusid=64 profile="block-botnet" user="PAUL" analyticssubmit=false crscore=50 crlevel=critical
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you explain how you were able to produce that log entry?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My testing methodology: FortiGate: One policy that includes AV profile with "block botnet connections" enabled Windows: Open Firefox and attempted to access an IP in the browser from the Zeus Tracker bad IP list (e.g. 103.230.84.239.)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Paul I was able to reproduce the same results in 5.0.9. Below is how my log looked:
date=2015-03-23 time=15:50:32 logid=0211008192 type=utm subtype=virus eventtype=infected level=warning vd="root" msg="File is infected." status="blocked" service=UNKNOWN(255) srcip=10.250.31.44 dstip=103.230.84.239 srcport=65036 dstport=80 srcintf="vlan 31" dstintf="VLAN 695" policyid=14 identidx=0 sessionid=6810689 direction=N/A quarskip="No skip" virus="Zeus" ref="http://www.fortinet.com/ve?vid=0" profile="default" analyticssubmit="false"
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Does the Fortigate have an antivirus... 132 Views
- Are licenses required to use features... 164 Views
- Fortigate upgrade 7.4.4 bug 170 Views
- Microsoft 365 Exchange Online traffic inspection... 255 Views
- Port release access fortinet Singn On... 177 Views
Labels
-
Fortigate
7,446 -
FortiClient
1,469 -
5.2
801 -
5.4
639 -
FortiManager
637 -
FortiAnalyzer
484 -
6.0
416 -
FortiSwitch
387 -
FortiAP
386 -
5.6
362 -
FortiClient EMS
312 -
FortiMail
287 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
181 -
FortiNAC
134 -
SSL-VPN
129 -
6.4
128 -
IPsec
124 -
FortiGuard
121 -
FortiGateCloud
97 -
FortiCloud Products
93 -
FortiSIEM
92 -
FortiToken
80 -
Customer Service
72 -
Wireless Controller
68 -
SD-WAN
65 -
4.0MR3
64 -
FortiProxy
52 -
FortiEDR
47 -
Fortivoice
46 -
FortiADC
46 -
FortiDNS
43 -
FortiAuthenticator
43 -
Firewall policy
40 -
FortiSandbox
38 -
VLAN
38 -
FortiExtender
37 -
FortiGate v5.4
36 -
FortiSwitch v6.4
32 -
High Availability
32 -
DNS
28 -
BGP
27 -
LDAP
27 -
FortiConnect
26 -
ZTNA
26 -
FortiGate v5.2
24 -
FortiWAN
24 -
FortiConverter
23 -
SAML
22 -
Interface
22 -
Authentication
21 -
Routing
21 -
Certificate
21 -
FortiSwitch v6.2
20 -
FortiLink
19 -
NAT
19 -
FortiPortal
18 -
VDOM
18 -
RADIUS
16 -
Logging
16 -
FortiMonitor
16 -
Virtual IP
16 -
Web profile
16 -
FortiGate v5.0
15 -
SSL SSH inspection
15 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Application control
14 -
Traffic shaping
13 -
FortiManager v5.0
12 -
FortiCASB
12 -
SSO
12 -
IP address management - IPAM
11 -
FortiRecorder
10 -
SSID
10 -
Static route
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiAnalyzer v5.0
9 -
FortiSOAR
9 -
FortiWeb v5.0
9 -
SNMP
9 -
RMA Information and Announcements
9 -
OSPF
9 -
FortiAP profile
9 -
WAN optimization
9 -
FortiManager v4.0
8 -
FortiBridge
8 -
Admin
8 -
Security profile
8 -
Proxy policy
8 -
Web application firewall profile
8 -
4.0
7 -
FortiCache
7 -
Automation
7 -
trunk
6 -
IPS signature
6 -
Antivirus profile
6 -
Traffic shaping policy
6 -
System settings
6 -
FortiCarrier
5 -
FortiDirector
5 -
DNS Filter
5 -
Packet capture
5 -
FortiTester
5 -
Users
5 -
Port policy
5 -
Intrusion prevention
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiDeceptor
4 -
FortiScan
4 -
Explicit proxy
4 -
FortiPAM
4 -
Traffic shaping profile
4 -
Application signature
4 -
DLP sensor
4 -
DoS policy
4 -
Web rating
4 -
FortiInsight
3 -
FortiDB
3 -
FortiCWP
3 -
FortiToken Cloud
3 -
FortiHypervisor
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
Email filter profile
3 -
Fabric connector
3 -
File filter
3 -
Multicast routing
3 -
FortiAI
2 -
FortiNDR
2 -
Internet Service Database
2 -
Netflow
2 -
Protocol option
2 -
Replacement messages
2 -
Schedule
2 -
Service
2 -
VoIP profile
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
Kerberos
1 -
RIP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
SDN connector
1 -
Multicast policy
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1238 | |
| 932 | |
| 674 | |
| 441 | |
| 176 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.