FortiGate – Enable IPS C&C Blocking


With the FortiOS intrusion prevention system (IPS), you can detect and block network-based attacks. You can configure IPS sensors based on IPS signatures, IPS filters, outgoing connections to botnet sites, and rate-based signatures. FortiOS includes eight preloaded IPS sensors:

  • all_default
  • all_default_pass
  • default
  • high_security
  • protect_client
  • protect_email_server
  • protect_http_server
  • wifi-default

You can customize these sensors, or create your own, and apply them to a firewall policy. The Botnet C&C section consolidates multiple botnet options in the IPS profile, so that one setting in the GUI enables botnet blocking for all traffic that matches the policy.

Go to Security Profiles > Intrusion Prevention. Edit an existing sensor, or create a new one, and set Scan Outgoing Connections to Botnet Sites to Block or Monitor.

[Screenshot: New IPS Sensor]

Click Apply. Botnet C&C is now enabled for the sensor. Add this sensor to a firewall policy. The IPS engine then scans outgoing connections to botnet sites; if a host behind the policy connects to a botnet IP, an IPS log is generated for the event. Go to Log & Report > Intrusion Prevention to view the log.

Botnet C&C domain blocking

Go to Security Profiles > DNS Filter. Edit an existing filter, or create a new one. Enable Redirect botnet C&C requests to Block Portal. Then add this filter profile to a firewall policy.

Botnet C&C URL blocking

Go to Security Profiles > Intrusion Prevention. Edit an existing sensor, or create a new one. Enable Block malicious URLs. Then add this sensor to a firewall policy.

[Screenshot: URL Blocking]

Botnet C&C signature blocking

Go to Security Profiles > Intrusion Prevention. Edit an existing sensor, or create a new one. In the IPS Signatures section, click Create New. Set Type to Signature and select the signatures you want to include from the list. Add this sensor to a firewall policy to detect or block attacks that match the IPS signatures.
