It has been observed that AppFlow botnet reports display the firewall’s WAN interface IP and other IP addresses within the list of identified botnet-related IP addresses.
The Botnet Filter feature in SonicOS is designed to log both the initiator and responder IP addresses involved in a connection, regardless of which IP matches a Botnet Command-and-Control (BCC) server. This approach ensures that internal IP addresses are reported when applicable, enabling the customer to identify potentially infected devices within the local network. Bots may reside on machines behind the firewall and attempt to initiate connections with external control servers. It is important to note that SonicOS does not perform botnet filtering on traffic generated by the firewall itself.

The AppFlow Botnet Report includes both the initiating and responding IP addresses when a known botnet IP is involved in a connection. As a result, the firewall’s WAN interface IP address or internal LAN IP addresses may appear in the report. Specifically, the WAN IP address may be listed when incoming connections from known botnet CC servers are detected and blocked by the firewall.
Similarly, when an internal device attempts to establish a connection with a known botnet server, the report will include both the internal IP address of the user’s machine and the public IP address of the botnet server.
If the AppFlow report lists only the WAN interface IP address and a known botnet IP, it indicates that an incoming connection attempt from a known botnet server to the firewall was successfully blocked.
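The two scenarios described above can be separated mechanically when reviewing a report. The following Python script is an added example, not SonicWall's code or the actual AppFlow export format: it assumes constructed report rows with an initiator and responder address, an assumed WAN IP, LAN subnet and botnet list, and labels each row as either an inbound connection blocked at the WAN interface or an internal host that reached out to a known botnet server (the hosts worth investigating).

```python
import ipaddress
from collections import Counter

# Constructed inputs (assumptions, not values taken from a real SonicOS export).
WAN_IP = ipaddress.ip_address("203.0.113.10")          # assumed firewall WAN interface IP
LAN_NET = ipaddress.ip_network("192.168.1.0/24")        # assumed internal LAN subnet
BOTNET_IPS = {ipaddress.ip_address(a) for a in ("198.51.100.7", "198.51.100.9")}

# Each constructed row carries both sides of the connection, as the Botnet Filter
# logs them, without stating which side matched the botnet list.
SAMPLE_ROWS = [
    {"initiator": "198.51.100.7", "responder": "203.0.113.10"},  # inbound to firewall
    {"initiator": "192.168.1.25", "responder": "198.51.100.7"},  # internal host -> C2
    {"initiator": "192.168.1.40", "responder": "198.51.100.9"},  # internal host -> C2
    {"initiator": "198.51.100.9", "responder": "203.0.113.10"},  # inbound to firewall
]


def classify(row):
    """Label a report row with the scenario it represents."""
    src = ipaddress.ip_address(row["initiator"])
    dst = ipaddress.ip_address(row["responder"])
    if src in BOTNET_IPS and dst == WAN_IP:
        # A known botnet server connected to the WAN IP: blocked at the firewall.
        return "inbound_blocked_at_wan"
    if src in LAN_NET and dst in BOTNET_IPS:
        # An internal device initiated a connection to a botnet server: investigate the host.
        return "internal_host_to_c2"
    if src in BOTNET_IPS or dst in BOTNET_IPS:
        return "other_botnet_match"
    return "no_botnet_match"


def triage(rows):
    """Count each scenario and list the internal hosts that contacted a botnet server."""
    counts = Counter()
    suspects = set()
    for row in rows:
        label = classify(row)
        counts[label] += 1
        if label == "internal_host_to_c2":
            suspects.add(row["initiator"])
    return dict(counts), sorted(suspects, key=ipaddress.ip_address)


if __name__ == "__main__":
    counts, suspects = triage(SAMPLE_ROWS)
    print(counts)
    print("internal hosts to investigate:", suspects)
```

Rows whose initiator is the WAN IP itself are not expected, since SonicOS does not apply botnet filtering to traffic the firewall generates.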