Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Tutek
Contributor

Created on ‎06-06-2022 04:50 AM Edited on ‎06-06-2022 04:50 AM

Blocking botnet servers

Hi,

all my internet facing ipv4 policies have IPS policy where is settings enabled "Scan Outgoing Connections to Botnet Sites" 

Tutek_0-1654515875727.png

so it is needed to have at the top of ipv4 policies that are responsible for internet traffic policy with action DENY to block all Malicious and Botnet servers like: 

Tutek_1-1654516083255.png

I wonder if this isn't a redundant setting?

 

Labels:
876
0 Kudos
1 REPLY 1
bpozdena_FTNT
Staff
Staff

Created on ‎06-06-2022 05:29 AM

Hi Tutek,

 

it may and may not be a redundant setting. It really depends on the rest of your firewall configuration.

 

In general, both approaches will work, but if you block the connection by DENY firewall policy action, you will just see that the connection was denied.

 

If you enable C&C blocking in your IPS profile, you will have some additional details about the attack in the log. Just note that not all C&C servers user standard ports like 80 and 443 - the service in the firewall policy should therefore be set to ALL to make sure all connections are sent to IPS engine for inspection.  

 

It is also a good idea to enable C&C detection in your DNS profile, which helps prevent the clients from opening the connection in the first place. 

 

Both examples can be found in the admin guide

 

HTH,

Boris

HTH,
Boris
843
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.