Monitor Botnet Detection Activity
To identify clients on your network that are infected with botnet malware and that try to communicate with a botnet command and control server, you can monitor your network for Botnet Detection activity.
Botnet Detection Statistics
From Fireware Web UI, you can see Botnet Detection statistics, which include the total number of source and destination IP addresses that were scanned, and the addresses that were blocked. You can also see the version information of your Botnet Detection sites list.
Select Dashboard > Subscription Services.
Select the Subscription Services tab.
Botnet Detection Log Messages
You can configure your Firebox to generate a log message if your Firebox detects infected clients on your network that are in communication with a botnet command and control server. Botnet Detection log messages show the source and destination IP address of the traffic. For example:
Jan 1 10:25:40 2016 WatchGuard-Firebox local0.warn firewall: msg_id="3000-0148" Deny 4-Optional-3 0-External 84 icmp 20 63 10.0.5.97 184.108.40.206 8 0 id=4124 seq=3 botnet="destination" msg="blocked sites" (Internal Policy)
Jan 1 10:31:45 2016 WatchGuard-Firebox local0.warn firewall: msg_id="3000-0148" Deny 4-Optional-3 0-External 28 icmp 20 63 220.127.116.11 18.104.22.168 8 0 id=14608 seq=512 botnet="source" msg="blocked sites " (Internal Policy)
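To turn these log messages into something a SOC can act on, the following added example (not part of WatchGuard's documentation or product) parses the Botnet Detection message format shown above and tallies the local clients that were blocked. It embeds the two sample lines from this page as input; the meaning of the numeric fields between the interface names and the IP addresses is an assumption from the samples, and the "local client is the endpoint that did not match the botnet list" rule is the interpretation of the botnet="source"/"destination" field.

```python
import re
from typing import Optional

# The two Botnet Detection log messages quoted on the page, used as sample input.
SAMPLE_LOGS = [
    'Jan 1 10:25:40 2016 WatchGuard-Firebox local0.warn firewall: msg_id="3000-0148" Deny 4-Optional-3 0-External 84 icmp 20 63 10.0.5.97 184.108.40.206 8 0 id=4124 seq=3 botnet="destination" msg="blocked sites" (Internal Policy)',
    'Jan 1 10:31:45 2016 WatchGuard-Firebox local0.warn firewall: msg_id="3000-0148" Deny 4-Optional-3 0-External 28 icmp 20 63 220.127.116.11 18.104.22.168 8 0 id=14608 seq=512 botnet="source" msg="blocked sites " (Internal Policy)',
]

# Layout assumed from the samples: msg_id, action, inbound interface, outbound
# interface, packet length, protocol, IP header length, TTL, source IP,
# destination IP. Only action, interfaces, protocol and the IPs are kept.
_HEADER = re.compile(
    r'firewall: msg_id="(?P<msg_id>[^"]+)" (?P<action>\S+) (?P<in_ifc>\S+) '
    r'(?P<out_ifc>\S+) \d+ (?P<proto>\S+) \d+ \d+ '
    r'(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<dst>\d{1,3}(?:\.\d{1,3}){3})'
)
_KV = re.compile(r'(\w+)="([^"]*)"')
BOTNET_MSG_ID = "3000-0148"  # the msg_id carried by both samples on the page


def parse_botnet_log(line: str) -> Optional[dict]:
    """Return the fields of a Botnet Detection log message, or None if the
    line is not one (different msg_id or a layout the regex does not match)."""
    m = _HEADER.search(line)
    if not m or m.group("msg_id") != BOTNET_MSG_ID:
        return None
    rec = m.groupdict()
    # Quoted key="value" pairs (botnet, msg). strip() removes the trailing
    # space the second sample carries in msg="blocked sites ".
    rec.update({k: v.strip() for k, v in _KV.findall(line)})
    # botnet="destination": the destination matched the botnet list, so the
    # local client is the source. botnet="source": the reverse.
    if rec["botnet"] == "destination":
        rec["client"], rec["botnet_ip"] = rec["src"], rec["dst"]
    else:
        rec["client"], rec["botnet_ip"] = rec["dst"], rec["src"]
    return rec


def clients_by_count(lines) -> dict:
    """Count blocked botnet connections per local client, the list an analyst
    would work through first when triaging infected hosts."""
    counts: dict = {}
    for line in lines:
        rec = parse_botnet_log(line)
        if rec is not None:
            counts[rec["client"]] = counts.get(rec["client"], 0) + 1
    return counts
```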
Botnet Detection Notifications
The Botnet Detection subscription service uses a list of known botnet site IP addresses from Reputation Enabled Defense (RED) and adds the addresses to the Blocked Sites List on the Firebox. To see the Botnet Detection activity on your network, you can configure the logging settings for the Blocked Sites List.
From Policy Manager, you can configure your Firebox to generate a log message or send a notification message if a computer tries to use a blocked site.
From the Blocked Sites Configuration dialog box:
- Click Logging.
  The Logging and Notification dialog box appears.
- Configure the notification settings as described in Set Logging and Notification Preferences.
Botnet Detection in Dimension
If you have configured your Firebox to generate log messages for Botnet Detection activity, and have configured your Firebox to send log messages to Dimension, you can see the Botnet Detection activity on your Firebox in these Dimension tools and reports:
- Tools > Dashboards > Security Dashboard
  - Top Blocked Botnet Sites
  - Top Blocked Clients
- Tools > Dashboards > Threat Map — Blocked Botnet Sites
- Reports > Services > Botnet Detection — Botnet Detection activity trends
- Reports > Detail — Botnet Detection