Certain traffic emanating from nodes that have been identified as Active Bots is only being monitored, even though the SWG is in inline blocking mode and the botnet policy is set to "block".
Several types of traffic are associated with botnets:
- Botnet C & C
- Bot Sender
- Active Bot
Please refer to KB TECH134542, which gives an overview of the different modes of botnet detection, as well as an explanation of Botnet C & C traffic handling.
Bot Sender traffic is always blocked once a node has been identified as an Active Bot.
Active bot traffic is treated as follows:
- HTTP -> All blocked once the node is identified as an Active Bot
- ICMP -> All blocked once the node is identified as an Active Bot
- TCP -> All blocked once the node is identified as an Active Bot
- Spam -> Monitored only
- IP Scan -> Monitored only
This is working as designed. The appliance does not support blocking Spam and IP scanning traffic. When this type of traffic is detected by the heuristic behavior algorithms, it is monitored only and is marked as the default in the policy field.
The SWG is first and foremost a web traffic scanning device; Spam and IP scanning require sophisticated detection and mitigation processes to ensure correct identification and handling. This is better handled by technologies that are specific to this type of traffic, such as anti-spam and IDS/IPS systems. The heuristic detection of this traffic by the SWG gives only an indication based on traffic patterns and cannot be relied upon for 100% accuracy.