Testing Fortigate Botnet Prevention
Hello. I have IPS and Application Control enabled on Fortigate.
I'm trying to test Botnet blocking and the IP Reputation Service, so I have an Application Sensor configured to block Botnet.
I've tried to access the IP addresses I found in this Fortinet link http://kb.fortinet.com/kb/documentLink.do?externalID=FD35036
and the Fortigate doesn't block any of them.
These addresses are in the FortiGuard IP Blacklist http://www.fortiguard.com/static/ip_lookup.html but neither the Fortigate AC nor IPS blocks them.
I would like to know if this is normal behaviour or if I have to do some more configuration to block these IPs or test botnet blocking.
Thanks
Hi,
a blacklist of IP addresses is distributed and processed by the AV engine. In Security Profiles > Antivirus, select an active AV profile and check "Detect Connections to Botnet C&C Servers", check "Block" and check which protocols you would like to have scanned.
I don't have an AV license. I only have AC and IPS licenses.
But I thought I could block Botnets with Application Control.
Thanks
XavierMP wrote:
I don't have AV license. I only have AC and IPS license
But I thought I could block Botnets with Application Control

It should identify Botnet based traffic (blocking the botnet client traffic to the C&C server) but not "normal" traffic to botnet domains/IPs
Thanks
So AC and IPS don't use the FortiGuard IP Reputation Service?
XavierMP wrote:
I don't have AV license. I only have AC and IPS license
But I thought I could block Botnets with Application Control
Thanks

Xavier,
Features on the Fortigate are not individually licensed. If you have a Fortiguard license, you have access to all of the UTM features that your device supports - Web Filtering, AV, IPS, App Control, etc.
That being said, the IP reputation in 5.0 is pretty weak. I've heard it's better in 5.2 but haven't been able to personally verify.
ede_pfau wrote:
Well, depending on the model you can license single services or only get the whole package. Small models only come with bundles.

Really? I had no idea... I guess I really only work on 1000 series and below.
At what level do they start breaking services up?
You can get individual FortiGuard licenses on the FG100Ds and higher models (NGFW, AV & WF) or the UTM bundle.
For all models smaller than 100D (90D and lower), you can only get the UTM bundle (NGFW, AV, WF and AS).
