• SonicOS 7.1 Rules and Policies
• Overview
  • About SonicOS
  • SonicOS Workflow
  • How to Use the SonicOS Administration Guides
  • Guide Conventions
• Settings
  • Configuring App/Match/Malware
  • Configuring Content Filtering Service (CFS)
    • SonicWall CFS
    • CFS Custom Category
  • Geo-IP
    • Custom List
      • Editing a Custom List Entry
      • Deleting Custom List Entries
    • Using Geo-IP Diagnostics
  • Botnet
    • Configuring Botnet Settings
    • Creating Custom Botnet Lists
    • Viewing Dynamic Botnets Lists
    • Configuring a Dynamic Botnet List Server
    • Using Botnet Diagnostics
  • Decryption (DPI-SSL)
    • Certificate
    • Common Name
    • SSL Servers
  • Decryption (DPI-SSH)
  • Signature Update
• Security Policy
  • User & Country
  • App/URL/Custom Match
• NAT Policy
  • About NAT in SonicOS
  • About NAT Load Balancing
    • Determining the NAT LB Method to Use
    • Caveats
    • How Load Balancing Algorithms are Applied
    • Sticky IP Algorithm Examples
      • Example One - Mapping to a Network
      • Example Two - Mapping to an IP Address Range
  • About NAT64
    • Use of Pref64::/n
  • About FQDN-based NAT
  • About Source MAC Address Override
  • Viewing NAT Policy Entries
    • Changing the Display
    • Filtering the Display
  • Adding or Editing NAT or NAT64 Rule Policies
  • Deleting NAT Policies
  • Creating NAT Rule Policies: Examples
    • Creating a One-to-One NAT Policy for Inbound Traffic
    • Creating a One-to-One NAT Policy for Outbound Traffic
    • Inbound Port Address Translation via One-to-One NAT Policy
    • Inbound Port Address Translation via WAN IP Address
    • Creating a Many-to-One NAT Policy
    • Creating a Many-to-Many NAT Policy
    • Creating a NAT Load Balancing Policy for Two Web Servers
• Routing
  • About Routing
    • About Metrics and Administrative Distance
      • About Metrics
      • About Administrative Distance
    • Route Advertisement
    • ECMP Routing
    • Policy-based Routing
    • Policy-based TOS Routing
    • PBR Metric-based Priority
    • Policy-based Routing and IPv6
    • OSPF and RIP Advanced Routing Services
      • About Routing Services
        • Protocol Type
        • Maximum Hops
        • Split-Horizon
        • Poison Reverse
        • Routing Table Updates
        • Subnet Sizes Supported
        • Autonomous System Topologies
      • OSPF Terms
    • Drop Tunnel Interface
    • App-based Routing
  • Rules and Policies >
    • Configuring
      • Adding Static Routes
      • Probe-Enabled Policy-based Routing Configuration
• Decryption Policy
  • Client-side SSL Rules
  • Server-side SSL Rules
  • SSH Rules
  • Setting up the Decryption Policy Table
    • Managing the Decryption Policy Toolbars
    • Changing the Policy Priority
    • Creating Decryption Policies
      • Adding Decryption Policies
      • Editing Decryption Policies
      • Deleting Decryption Policies
• DoS Policy
  • Setting up the DoS Policy Table
    • Managing the DoS Policy Toolbars
    • Changing the DoS Policy Priority
    • Creating DoS Policies
      • Adding DoS Policies
      • Editing DoS Policies
      • Deleting DoS Policies
• DNS Policy
  • Creating DNS Policies
    • Adding DNS Policies
    • Editing DNS Policies
    • Deleting DNS Policies
  • DNS Doctoring
• Endpoint Policy
• Shadow
• SonicWall Support
  • About This Document

Configuring Botnet Settings

To configure Botnet Policy-based Settings

1. Navigate to POLICY | Rules and Policies > Settings > Botnet | Settings.
2. To block all servers that are designated as Botnet command and control servers, select Block connections when Botnet signatures are unavailable and rules need botnet control. When enabled, all connections are dropped when a Botnet map database has not been downloaded and the policy actions need to apply a Botnet filter profile.

Global Settings

1. To enable the Custom Botnet List, select Enable Custom Botnet List. This option is not selected by default.

   If Enable Custom Botnet List is not selected, then only the Botnet database that resides on the network security appliance is searched. Go to Step 2. Enabling a custom list by selecting Enable Custom Botnet List can affect botnet identification for an IP address:

   1. During Botnet identification, the custom Botnet list is searched first.
   2. If the IP address is not resolved, the firewall's Botnet database is searched.

If an IP address is resolved from the custom Botnet list, it can be identified as either a Botnet IP address or a non-Botnet IP address, and action taken accordingly.

2. Click Enable Dynamic Botnet List to affect the botnet identification, for an IP address, in the following ways:

   • If "Enable Dynamic Botnet List" is enabled, the IP address is looked up against the dynamic botnet list. If not found, the default list from the backend database will be searched.
   • When "Enable Custom Botnet List" is enabled, the custom list will take precedence over the dynamic botnet list. So an IP in the dynamic botnet list will be allowed by the Firewall if it is marked as "not a botnet" in the custom list.

   Dynamic Botnet List File Format

   • The dynamic botnet file is a .txt file that lists all the IPs seperated by end-of-line character.

   • Comment lines should start with # symbol.

   • Blocking of only individual IP addresses are supported. If the file contains subnets, they will be ignored.

   • Blocking of only public IP addresses are supported. Private IP addresses in the list will be ignored.

   • Empty Lines are OK.

   • Max file size cannot exceed 32KB.

   • Max number of IPs cannot exceed 2000.

   • Example file

   #------------------------------------

   # Sample botnet file (botnet.txt).

   #------------------------------------

   # Botnet IPs List 1

   1.1.1.1

   2.2.2.2

   # Botnet IPs List 2

   1.1.210.16

   1.1.210.17

   #------------------------------------

   # End of Dynamic Botnet List File.

   #------------------------------------

3. Select Enable Logging to log Botnet Filter-related events.

4. Click Accept.