We are using Symantec Web Gateway, version 5.0.3.18. The questions I have regard adding blacklists to be blocked.
First, I have noticed a suspect botnet detected on our domain controller. It shows that it is being monitored and that three different command and control IP addresses have been detected. When I click on two of the three IPs it also shows a web address and the location of the IP, but on one it shows unknown. I want to add these IPs to the SWG blacklist, but want to make sure I do it correctly. I have added blacklists before, but it seems that one of the IPs that is showing as a botnet suspect I have already added to the blacklist in SWG, and since it is being detected as a botnet suspect again I assume it is not blocking. I have been adding the IP address to block, but do I need to also add the URL?
I have attached a Word doc showing the suspected botnet detected and how I added it in the blacklist. Maybe I am not doing it right, because it seems that even with me adding the IP address to block, some sites are accessed by typing the URL.
Also, I have only added blacklist entries and have not done anything in the configuration section of policies.