Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
cleuson
New Contributor

Host infected with botnet

Hi, we have a network with the 1500D fortigate on the edge. Inside we have several subnets. Behind one of the networks, we have a source botnet of ip x.x.x.x destined for an external network y.y.y.y How can I block conficker actions on the network?

 

Thank You.

3 REPLIES 3
emnoc
Esteemed Contributor III

You  should  have a endpoint  agent on the host imho. But if you wanted to block the hosts set a  rule for the src and dst & with a deny action.

 

Alternative you could  look a IPS signature and deploy that to catch others. Serious if your  having  infected host with conficker than you have out of date hosts and no or poorly maintained   local AV/Malware end-points.

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
kphed
New Contributor III

Configure an app sensor with the "Botnet" category set to block and either deploy it on an interface-policy for the local interface (to ensure all traffic sourcing from LAN is scanned) or deploy the app. sensor on which ever firewall policy allows the host outbound to the iNet.

emnoc
Esteemed Contributor III

I would  be  careful with that.  bot app controls blocks known  C&C and listed or Identified botnets. YMMV  in detection and prevention.

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors