Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Tutek
Contributor

Fortianalyzer DNS connections to C&C hosts

Hi,

I have in fortianalyzer multiple critical events with event status "Unhandled" these are mainly connections to C&C hosts most of them are ending with com.tr.

So I have created DNS security profile, with option enabled "Redirect botnet C&C requests to Block Portal" and here I have information that database include 80000 domains in botnet package. More over I have created here DNS static filters to block *.com.tr and other like: 

I have applied this dns security profile from lan computers to my active directory server (DNS), and then from active directory server to outside DNS forwarder (DNS google).

So my question is why these connections are not blocked "Mitigated" in Fortianalyzer?

 

 

 

1 REPLY 1
kgeorge
Staff
Staff

Hello @Tutek,

 

Botnet and IoC events are generally considered as Unhandled in the Event Logs. Please refer the documentation below to understand the event statuses,

 

https://docs.fortinet.com/document/fortianalyzer/7.4.0/administration-guide/337904/understanding-eve...

 

For any further clarifications on this and traffic handled  by FortiAnalyzer, you may open a support ticket with our FAZ Team and they will be glad to address them accordingly to you.

Regards,
Klint George