SonicOS 7.1 Rules and Policies for Policy Mode

Settings > Botnet > Configuring Botnet Settings
Table of Contents

Configuring Botnet Settings

To configure Botnet Policy-based Settings

  1. Navigate to POLICY | Rules and Policies > Settings > Botnet | Settings.
  2. To block all servers that are designated as Botnet command and control servers, select Block connections when Botnet signatures are unavailable and rules need botnet control. When enabled, all connections are dropped when a Botnet map database has not been downloaded and the policy actions need to apply a Botnet filter profile.

Global Settings

  1. To enable the Custom Botnet List, select Enable Custom Botnet List. This option is not selected by default.

    If Enable Custom Botnet List is not selected, then only the Botnet database that resides on the network security appliance is searched. Go to Step 2. Enabling a custom list by selecting Enable Custom Botnet List can affect botnet identification for an IP address:

    1. During Botnet identification, the custom Botnet list is searched first.
    2. If the IP address is not resolved, the firewall's Botnet database is searched.

If an IP address is resolved from the custom Botnet list, it can be identified as either a Botnet IP address or a non-Botnet IP address, and action taken accordingly.

  1. Click Enable Dynamic Botnet List to affect the botnet identification, for an IP address, in the following ways:

    • If "Enable Dynamic Botnet List" is enabled, the IP address is looked up against the dynamic botnet list. If not found, the default list from the backend database will be searched.
    • When "Enable Custom Botnet List" is enabled, the custom list will take precedence over the dynamic botnet list. So an IP in the dynamic botnet list will be allowed by the Firewall if it is marked as "not a botnet" in the custom list.

    Dynamic Botnet List File Format

    • The dynamic botnet file is a .txt file that lists all the IPs seperated by end-of-line character.

    • Comment lines should start with # symbol.

    • Blocking of only individual IP addresses are supported. If the file contains subnets, they will be ignored.

    • Blocking of only public IP addresses are supported. Private IP addresses in the list will be ignored.

    • Empty Lines are OK.

    • Max file size cannot exceed 32KB.

    • Max number of IPs cannot exceed 2000.

    • Example file

    #------------------------------------

    # Sample botnet file (botnet.txt).

    #------------------------------------

    # Botnet IPs List 1

    1.1.1.1

    2.2.2.2

    # Botnet IPs List 2

    1.1.210.16

    1.1.210.17

    #------------------------------------

    # End of Dynamic Botnet List File.

    #------------------------------------

  2. Select Enable Logging to log Botnet Filter-related events.

  3. Click Accept.