Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Tutek
Contributor

Blocking botnet servers

Hi,

all my internet facing ipv4 policies have IPS policy where is settings enabled "Scan Outgoing Connections to Botnet Sites" 

Tutek_0-1654515875727.png

so it is needed to have at the top of ipv4 policies that are responsible for internet traffic policy with action DENY to block all Malicious and Botnet servers like: 

Tutek_1-1654516083255.png

I wonder if this isn't a redundant setting?

 

1 REPLY 1
bpozdena_FTNT

Hi Tutek,

 

it may and may not be a redundant setting. It really depends on the rest of your firewall configuration.

 

In general, both approaches will work, but if you block the connection by DENY firewall policy action, you will just see that the connection was denied.

 

If you enable C&C blocking in your IPS profile, you will have some additional details about the attack in the log. Just note that not all C&C servers user standard ports like 80 and 443 - the service in the firewall policy should therefore be set to ALL to make sure all connections are sent to IPS engine for inspection.  

 

It is also a good idea to enable C&C detection in your DNS profile, which helps prevent the clients from opening the connection in the first place. 

 

Both examples can be found in the admin guide

 

HTH,

Boris

HTH,
Boris
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors