SonicOS 7.0 Security Services Administration Guide
Configuring Botnet Filtering
To configure Botnet filtering:
- Navigate to POLICY | Security Services > Botnet Filter.
- Click Settings.
- To block all servers that are designated as Botnet command and control servers, select the Block connections to/from Botnet Command and Control Servers option.
  All connection attempts to/from Botnet command and control servers will be blocked. This option is not selected by default.
  If this option is selected, the radio buttons and the Block all connections to public IPs if BOTNET DB is not downloaded option become available.
  To exclude selected IPs from this blocking behavior, use exclusion lists as described in the following steps and/or create a custom Botnet list as described in Creating Custom Botnet Lists.
- If Block connections to/from Botnet Command and Control Servers is selected, these options become available:
  - Select one of the following two modes for Botnet Filtering:
    - All Connections: All connections to and from the firewall are filtered. This is the default Botnet block mode.
    - Firewall Rule-Based Connections: Only connections that match an access rule configured on the firewall are filtered.
  - If you want to block all connections to public IPs when the Botnet database is not downloaded, select the Block all connections to public IPs if BOTNET DB is not downloaded option. This option is not selected by default.
- To enable the Custom Botnet List, select Enable Custom Botnet List. This option is not selected by default.
  If Enable Custom Botnet List is not selected, then only the Botnet database that resides on the network security appliance is searched. Go to Step 6.
  Enabling a custom list by selecting Enable Custom Botnet List can affect country identification for an IP address:
  - During Botnet identification, the custom Botnet list is searched first.
  - If the IP address is not resolved, the firewall’s Botnet database is searched.
  If an IP address is resolved from the custom Botnet list, it can be identified as either a Botnet IP address or a non-Botnet IP address, and action taken accordingly.
- To enable the dynamic botnet list, select Enable Dynamic Botnet List. The IP address is looked up against the dynamic botnet list. If not found, the default list from the backend database will be searched.
- Select Enable logging to log Botnet Filter-related events.
- Optionally, you can configure an exclusion list of all IPs belonging to the configured address object/address group. All IPs belonging to the list are excluded from being blocked. To enable an exclusion list, select an address object or address group from the Botnet Exclusion Object list.
  The default exclusion object is Default Geo-IP and Botnet Exclusion Group. You can create your own address object or address group object.
- Click Accept.
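The lookup behavior described in the steps above can be reasoned about with a small model. The following is an added example, not SonicOS code or anything from the guide: the class `BotnetFilterModel`, its field names and the sample addresses are hypothetical. The relative order of the exclusion object, custom list and dynamic list, the point at which the missing-database rule applies, and the definition of "public" are assumptions of the model. The two filtering modes are not modelled.

```python
import ipaddress
from dataclasses import dataclass, field

# "Public" is modelled as anything outside these ranges (assumption of this example).
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def _nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

@dataclass
class BotnetFilterModel:
    """Hypothetical model of the Settings options on this page; not SonicOS code."""
    block_cc: bool = True                # Block connections to/from Botnet C&C servers
    db_downloaded: bool = True           # is the firewall's Botnet database present?
    block_public_if_no_db: bool = False  # Block all connections to public IPs if BOTNET DB is not downloaded
    custom_enabled: bool = False         # Enable Custom Botnet List
    custom: dict = field(default_factory=dict)      # network -> True (Botnet) / False (non-Botnet)
    dynamic_enabled: bool = False        # Enable Dynamic Botnet List
    dynamic: list = field(default_factory=list)
    database: list = field(default_factory=list)
    exclusions: list = field(default_factory=list)  # members of the Botnet Exclusion Object

    def verdict(self, ip_text):
        """Return (action, reason) for one remote IP address."""
        ip = ipaddress.ip_address(ip_text)
        if not self.block_cc:
            return ("allow", "filter off")
        if any(ip in n for n in self.exclusions):   # excluded IPs are never blocked
            return ("allow", "exclusion object")
        if self.custom_enabled:                     # the custom list is searched first
            for net, is_botnet in self.custom.items():
                if ip in net:                       # resolved: Botnet or non-Botnet
                    return ("block" if is_botnet else "allow", "custom list")
        if self.dynamic_enabled and any(ip in n for n in self.dynamic):
            return ("block", "dynamic list")
        if not self.db_downloaded:                  # nothing left to search
            public = not any(ip in n for n in NON_PUBLIC)
            if self.block_public_if_no_db and public:
                return ("block", "database not downloaded")
            return ("allow", "database not downloaded")
        if any(ip in n for n in self.database):
            return ("block", "botnet database")
        return ("allow", "no match")

# Constructed sample data using documentation address ranges.
fw = BotnetFilterModel(
    custom_enabled=True,
    custom={ipaddress.ip_network("203.0.113.7/32"): False,   # pinned as non-Botnet
            ipaddress.ip_network("198.51.100.0/24"): True},  # pinned as Botnet
    database=_nets("203.0.113.0/24"),
    exclusions=_nets("192.0.2.10/32"))
```

In this model a custom-list entry marked non-Botnet overrides a database hit for the same address, so custom lists and exclusion objects deserve the same review as any other allow rule.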