The Botnet > Settings tab helps with the customization of the Botnet feature at an overall level. The Botnet Settings tab allows you to block connections to or from Botnet command and control servers, and make custom Botnet lists. It also allows you to create a custom message to send when you block a web site, or to allow dynamic Botnet HTTP authentication. Many of the selections on this page have an Information icon that you can hover over for a screen tip.
Botnet Blocking is enabled in the Security Action Profile (SAP). After traffic matches a policy, the corresponding SAP associated with that policy is retrieved and the botnet setting from that is used for botnet blocking.
To configure Botnet Policy-based Settings
To enable the Custom Botnet List, select Enable Custom Botnet List. This option is not selected by default.
If Enable Custom Botnet List is not selected, then only the Botnet database that resides on the network security appliance is searched. Go to Step 2. Enabling a custom list by selecting Enable Custom Botnet List can affect botnet identification for an IP address:
If an IP address is resolved from the custom Botnet list, it can be identified as either a Botnet IP address or a non-Botnet IP address, and action taken accordingly.
Click Enable Dynamic Botnet List to affect botnet identification for an IP address in the following ways:
Dynamic Botnet List File Format
• The dynamic botnet file is a .txt file that lists all the IPs, separated by an end-of-line character.
• Comment lines should start with # symbol.
• Blocking of only individual IP addresses is supported. If the file contains subnets, they will be ignored.
• Blocking of only public IP addresses is supported. Private IP addresses in the list will be ignored.
• Empty Lines are OK.
• Max file size cannot exceed 32KB.
• Max number of IPs cannot exceed 2000.
• Example file
#------------------------------------
# Sample botnet file (botnet.txt).
#------------------------------------
# Botnet IPs List 1
1.1.1.1
2.2.2.2
# Botnet IPs List 2
1.1.210.16
1.1.210.17
#------------------------------------
# End of Dynamic Botnet List File.
#------------------------------------
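The file rules above, applied by an added validator that is not part of the product or its documentation: it reads a list in this format, accepts individual public IP addresses, reports the subnet, private and malformed entries the appliance would ignore, and flags the 32KB and 2000-entry limits. The sample list is constructed here and reuses the page's example addresses.

```python
import ipaddress

# Constructed sample list (not the page's file); 1.1.1.1 etc. are the page's example addresses.
SAMPLE = """\
#------------------------------------
# Sample dynamic botnet list (constructed)
#------------------------------------
1.1.1.1
2.2.2.2

# A subnet, a private address and a malformed entry: all ignored by the appliance
1.1.210.0/24
10.0.0.5
not-an-ip
1.1.210.16
"""

MAX_BYTES = 32 * 1024   # documented file size limit
MAX_IPS = 2000          # documented entry limit


def parse_dynamic_botnet_list(text):
    """Apply the documented format rules to a dynamic botnet list.

    Returns (accepted, skipped, errors): accepted holds the individual public
    IP addresses in file order, skipped holds (line_no, entry, reason) for
    entries the appliance ignores, errors lists violated size or count limits.
    """
    accepted, skipped, errors = [], [], []
    if len(text.encode("utf-8")) > MAX_BYTES:
        errors.append("file exceeds the 32KB limit")
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue  # empty lines and # comments are permitted
        if "/" in entry:
            skipped.append((line_no, entry, "subnet ignored"))
            continue
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            skipped.append((line_no, entry, "not a valid IP address"))
            continue
        if ip.is_private:
            skipped.append((line_no, entry, "private address ignored"))
            continue
        accepted.append(str(ip))
    if len(accepted) > MAX_IPS:
        errors.append("%d IPs exceeds the 2000 limit" % len(accepted))
    return accepted, skipped, errors
```

Running it over a list before uploading shows which entries the appliance will silently drop, which is easy to miss when a feed is generated automatically.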
Select Enable Logging to log Botnet Filter-related events.
To manage Traffic
Enable Botnet Blocking: Enables or disables blocking of management traffic (HTTPS, Ping, SNMP and SSH, as configured per interface on the Network > Interfaces page) that originates from IP addresses classified as botnet command and control servers.
Click Accept.