Hi, we have a network with the 1500D fortigate on the edge. Inside we have several subnets. Behind one of the networks, we have a source botnet of ip x.x.x.x destined for an external network y.y.y.y How can I block conficker actions on the network?
Thank You.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
You should have a endpoint agent on the host imho. But if you wanted to block the hosts set a rule for the src and dst & with a deny action.
Alternative you could look a IPS signature and deploy that to catch others. Serious if your having infected host with conficker than you have out of date hosts and no or poorly maintained local AV/Malware end-points.
PCNSE
NSE
StrongSwan
Configure an app sensor with the "Botnet" category set to block and either deploy it on an interface-policy for the local interface (to ensure all traffic sourcing from LAN is scanned) or deploy the app. sensor on which ever firewall policy allows the host outbound to the iNet.
I would be careful with that. bot app controls blocks known C&C and listed or Identified botnets. YMMV in detection and prevention.
Ken Felix
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1734 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.