Virtual Secure Web Gateway

  • 1.  Botnet C&C Monitored not blocked

    Posted Mar 23, 2012 10:12 AM

    There was a similar forum discussion but it was locked with no real solution.


    8450 running in SPAN/TAP.  Botnet set to block in configuration.  Botnet C&C only monitored.  All I get in the Botnet list is a public IP address that times out on ping, doesn't have a website, and isn't accessible in any way I can come up with.  Any idea why this isn't getting blocked and how I can force it to be?  Is there any way to get more information out of the reports/logs?



  • 2.  RE: Botnet C&C Monitored not blocked

    Posted Mar 23, 2012 12:07 PM

    In this mode, the SWG is only able to see the traffic after it has been through the switch.  That being the case, it can only tell you about a botnet connection after it has happened and so cannot block it.  The same goes for why it cannot block file download and the like in SPAN/TAP mode.

    #EDIT#

    If it's inconsistent behaviour you're seeing, is it possible your SWG is overloaded?  This sort of behaviour is covered for URL filtering in the below article:

    http://www.symantec.com/docs/TECH163340

    #EDIT2#

    Also, some types of botnet traffic are only ever monitored as per the below article:

    http://www.symantec.com/docs/TECH138303