Certain traffic that is emanating from nodes that have been identified as Active bots is being monitored only despite the fact that the SWG is in inline blocking mode and the policy for botnet is set to "block".
Several types of traffic are associated with botnets:
Botnet C & C
Please refer to KB TECH134542, which gives an overview of the different modes of botnet detection, as well as an explanation Botnet C & C traffic handling.
Bot Sender traffic is always blocked once a node has been identifed as an Actve Bot.
Active bot traffic is treated as follows:
HTTP –> All Blocked once node identified as Active Bot
ICMP –> All Blocked once node identified as Active Bot
TCP –> All Blocked once node identified as Active Bot
Spam –> Monitored Only
IP Scan –> Monitored Only
This is working as designed. The appliance does not support blocking Spam and IP scanning traffic. When this type of traffic is detected by heuristic behavior algorithms, it is monitored and marked as default in the policy field.
The SWG is first and foremost a web traffic scanning device; Spam and IP scanning require sophisticated detection and mitigation processes to ensure correct identification and handling. This is better handled by technologies that are specific to this type of traffic such as anti-spam and IDS/IPS systems. The heuristic detection of this traffic by the SWG give only an indication based on traffic patterns, and cannot be relied upon for 100% accuracy.
Imported Document Id
This is machine translated content
Login to Subscribe
Please login to set up your subscription.
Didn't find the article you were looking for? Try these resources.