Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Create and Manage SRX Command and Control Profiles

A Command and Control (C&C) profile provides information on C&C servers that have attempted to contact and compromise hosts on your network. A C&C server is a centralized computer that issues commands to botnets of compromised networks of computers and receives reports back from them.

Create Command and Control Profiles

  1. Click SRX > Security Subscriptions > SecIntel > Profiles.
    The SecIntel Profiles page opens.
  2. Select Create > Command & Control.
    The Create Command & Control Profile page appears.
  3. Complete the configuration according to the following guidelines:
    Table 1: Fields on the Create Command & Control Profile page
    Field Action

    Name

    Enter a name for the C&C profile.

    The name must be a unique string of alphanumeric and special characters; 63-character maximum. Special characters < and > are not allowed.

    Description

    Enter a description for the C&C profile.

    Default action for all feeds

    Drag the slider to change the action to be taken for all the feed types. Actions are Permit (1 - 4), Log (5-6), and Block (7 - 10).

    Log will have the permit action and also logs the event.

    Specific action for feeds

    Do the following:

    1. Click the plus icon (Blue plus symbol suggesting an action like adding or expanding content.) to define feeds and threat score for the C&C profile.

      The Add Feeds window appears.

    2. Enter the following details:

      1. Feeds—Select one or more feeds that are known command and control for botnets from the Available column and move it to the Selected column.

      2. Threat score—Drag the slider to change the action to be taken based on the threat score.

    3. Click OK.

    Block action

    Select one of the following block actions from the list:

    • Close session—Device sends a TCP RST packet to the client and server and the session is dropped immediately.

    • Drop Packets—Device silently drops the session’s packet and the session eventually times out.

    Close session options

    Select one of the following options from the list: None, Redirect URL, or Redirect message.

    Redirect URL

    Enter a remote file URL to redirect users when connections are closed.

    Redirect message

    Enter a custom message to send to the users when connections are closed.
  4. Click OK to save the changes. To discard your changes, click Cancel.

    After creating a C&C profile, you can associate it with the SecIntel profile groups.

Manage Command and Control Profiles

  • Edit—Select the profile, and then click the pencil icon (Blue pencil icon indicating edit functionality.). If the profile is referenced in a firewall policy intent, then the firewall policy is marked for deployment. You must deploy the firewall policy for the changes to take effect on the device.

  • Clone—Select the profile, and then click More > Clone.

  • Delete—Select the profile, and then click the trash can icon (Blue trash can icon representing delete or remove function.).

See Also