Botnet C&C protection added to interfaces (254959)
Botnet and Command & Control (C&C) traffic protection is not a new function, but the way it is configured has changed: it is no longer part of the AntiVirus security profile.
The option Scan Outgoing Connections to Botnet Sites has been added to the Interface page in the GUI. The available settings are Disable, Block and Monitor.
In the CLI, the botnet scan can be configured on the interface by entering the following commands:
config system interface
    edit <interface>
        set scan-botnet-connections [disable | block | monitor]
    next
end
It is also possible to enable the scanning of botnet and C&C traffic in:
- Firewall policies
  config firewall policy
      edit <policyid>
          set scan-botnet-connections [disable | block | monitor]
      next
  end
- Firewall explicit proxy policies
  config firewall explicit-proxy-policy
      edit <policyid>
          set scan-botnet-connections [disable | block | monitor]
      next
  end
- Firewall interface policies
  config firewall interface-policy
      edit <policyid>
          set scan-botnet-connections [disable | block | monitor]
      next
  end
- Firewall sniffer policies
  config firewall sniffer
      edit <policyid>
          set scan-botnet-connections [disable | block | monitor]
      next
  end
Netflow 9.0 support (167405)
NetFlow is a networking feature introduced by Cisco to collect and export information about the traffic flowing through routers. IPFIX (Internet Protocol Flow Information Export) is the IETF-standardized protocol derived from NetFlow version 9. The requirements for IPFIX are outlined in RFC 3197; its base specification and related information are documented in RFC 5103, RFC 6759 and RFC 7011 through RFC 7015.
The CLI commands that enable and configure NetFlow export are:
config system netflow
    set collector-ip <collector IP>
    set collector-port <NetFlow collector port>
    set source-ip <source IP for the NetFlow agent>
    set active-flow-timeout <timeout in minutes for reporting active flows>
    set inactive-flow-timeout <timeout in seconds for the periodic report of finished flows>
end
These settings can also be configured per VDOM under:
config system vdom-netflow
A NetFlow sampler also has to be enabled on each interface whose traffic should be exported.
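As an added example (not Fortinet code and not part of the original page), this is the collector side of the export configured above: a minimal NetFlow v9 parser in Python that learns record layouts from Template FlowSets, decodes Data FlowSets, tolerates trailing padding, and counts Data FlowSets that arrive before their template, which a collector cannot decode. The information element ids are taken from the IANA registry; the packet it parses is constructed inline, not captured from a device.

```python
import struct

# NetFlow v9 information element ids (IANA registry; RFC 3954 / RFC 7012)
IE_NAMES = {1: "bytes", 2: "packets", 4: "protocol", 7: "src_port", 8: "src_ip", 11: "dst_port", 12: "dst_ip"}

def _decode(ie_id, raw):
    # IPv4 address elements render dotted; everything else as a big-endian integer
    return ".".join(map(str, raw)) if ie_id in (8, 12) and len(raw) == 4 else int.from_bytes(raw, "big")

def parse_netflow_v9(pkt, templates=None):
    """Parse one NetFlow v9 export packet. `templates` is kept across calls: a collector
    can only decode a Data FlowSet after it has seen the matching Template FlowSet (id 0)."""
    templates = {} if templates is None else templates
    version, _count, _uptime, _secs, seq, source_id = struct.unpack("!HHIIII", pkt[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version={version})")
    records, skipped, off = [], 0, 20
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack("!HH", pkt[off:off + 4])
        if fs_len < 4 or off + fs_len > len(pkt):
            raise ValueError("malformed FlowSet length")      # never read past the buffer
        body, p = pkt[off + 4:off + fs_len], 0
        if fs_id == 0:                                        # Template FlowSet
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                templates[(source_id, tid)] = [struct.unpack("!HH", body[p + 4 + 4 * i:p + 8 + 4 * i])
                                               for i in range(nfields)]
                p += 4 + 4 * nfields
        elif fs_id >= 256 and (source_id, fs_id) not in templates:
            skipped += 1                                      # template not seen yet: cannot decode
        elif fs_id >= 256:                                    # Data FlowSet with a known template
            fields = templates[(source_id, fs_id)]
            rec_len = sum(flen for _, flen in fields)
            while p + rec_len <= len(body):                   # trailing bytes < rec_len are padding
                rec = {}
                for ie_id, flen in fields:
                    rec[IE_NAMES.get(ie_id, f"ie{ie_id}")] = _decode(ie_id, body[p:p + flen])
                    p += flen
                records.append(rec)
        off += fs_len
    return {"seq": seq, "source_id": source_id, "records": records, "skipped_flowsets": skipped}

def sample_export():
    """Constructed packet (not captured data): one template (id 256), two data records, 2 bytes of padding."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    recs = (bytes([10, 0, 0, 5, 198, 51, 100, 7]) + struct.pack("!HHBII", 51514, 443, 6, 9000, 12)
            + bytes([10, 0, 0, 9, 203, 0, 113, 2]) + struct.pack("!HHBII", 40000, 53, 17, 180, 2))
    header = struct.pack("!HHIIII", 9, 3, 123456, 1700000000, 42, 1)
    return header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(recs) + 2) + recs + b"\0\0"
```

Passing the same `templates` dictionary to every call (keyed by source id) is what lets records in later packets be decoded; a data-only packet seen by a fresh collector is counted in `skipped_flowsets` rather than misread.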
IPv6 blackhole static routing (220101)
System administrators use black hole routing to divert undesirable traffic, such as packets from a Denial of Service (DoS) attack or communications from an illegal source. The traffic is routed to a dead interface, or a host designed to collect information for investigation. This mitigates the impact of the attack on the network.
Blackhole routing for IPv6 static routes is enabled in the CLI as follows:
config router static6
    edit <ID #>
        set blackhole enable
    next
end
A collection of Routing changes (261043)
A few new settings have been added to the CLI to support the IPsec Auto Discovery feature. They provide:
- Support for the RIPng (RIP next generation) network command
- A limit on the maximum metric that RIPng is allowed to advertise
- A fix for NSM missing kernel address update information
The actual new settings are:
config router rip
    set max-out-metric <integer value 1 – 15>
end
config router ripng
    set max-out-metric <integer value 1 – 15>
end
config router ripng
    config network
        edit <ID # of network>
            set prefix <IPv6 prefix>
        next
    end
end
I’m running FortiOS 5.6.7 on FG-1500Ds. We have virtual wire pairs set up for our VDOMs that run in transparent mode, with no port channeling. One of the SFPs is twinax (connecting to a Cisco Firepower) and the other is fiber (going into a Cisco switch). Does that cause issues, or is the FortiGate OK with media not being exactly the same on both ports?
I like to keep things identical for standardization’s sake. It won’t break anything though.