Fortinet Document Library

Version:


Table of Contents

6.2.0
Download PDF
Copy Link

Configuring quarantine on SSID

This topic provides instructions on simple configuration for on SSID. Consider the following for this feature:

  • The quarantine function only works with SSID tunnel mode.
  • The quarantine function is independent of SSID security mode.

The following shows a simple network topology for this recipe:

To quarantine a wireless client on the FortiWiFi and FortiAP GUI:
  1. In FortiWiFi and FortiAP, go to the policy applied to the SSID and enable All Sessions for Log Allowed Traffic.
  2. Edit the SSID:
    1. Go to WiFi & Switch Controller > SSID, and select the desired SSID.
    2. Enable Device Detection.
    3. Enable Quarantine Host.
    4. Click OK.
  3. Quarantine a wireless client:
    1. Do one of the following:
      1. Go to Security Fabric > Physical Topology. View the topology by access device.
      2. Go to FortiView > Traffic from LAN/DMZ > Source.
      3. Go to FortiView > Traffic from LAN/DMZ > WiFi Clients.
    2. Right-click the wireless client, then click Quarantine Host.
To quarantine a wireless client using the FortiWiFi and FortiAP CLI:
  1. Under global quarantine settings, enable quarantine:

    config user quarantine

    set quarantine enable

    end

  2. Under virtual access point (VAP) settings, enable quarantine:

    config wireless-controller vap

    edit wifi-vap

    set ssid "Fortinet-psk"

    set security wpa2-only-personal

    set passphrase fortinet

    set quarantine enable

    next

    end

  3. Quarantine a wireless client. The example client has the MAC address b4:ae:2b:cb:d1:72:

    config user quarantine

    config targets

    edit "DESKTOP-Surface"

    config macs

    edit b4:ae:2b:cb:d1:72

    set description "Surface"

    next

    end

    next

    end

    end

Configuring quarantine on SSID

This topic provides instructions on simple configuration for on SSID. Consider the following for this feature:

  • The quarantine function only works with SSID tunnel mode.
  • The quarantine function is independent of SSID security mode.

The following shows a simple network topology for this recipe:

To quarantine a wireless client on the FortiWiFi and FortiAP GUI:
  1. In FortiWiFi and FortiAP, go to the policy applied to the SSID and enable All Sessions for Log Allowed Traffic.
  2. Edit the SSID:
    1. Go to WiFi & Switch Controller > SSID, and select the desired SSID.
    2. Enable Device Detection.
    3. Enable Quarantine Host.
    4. Click OK.
  3. Quarantine a wireless client:
    1. Do one of the following:
      1. Go to Security Fabric > Physical Topology. View the topology by access device.
      2. Go to FortiView > Traffic from LAN/DMZ > Source.
      3. Go to FortiView > Traffic from LAN/DMZ > WiFi Clients.
    2. Right-click the wireless client, then click Quarantine Host.
To quarantine a wireless client using the FortiWiFi and FortiAP CLI:
  1. Under global quarantine settings, enable quarantine:

    config user quarantine

    set quarantine enable

    end

  2. Under virtual access point (VAP) settings, enable quarantine:

    config wireless-controller vap

    edit wifi-vap

    set ssid "Fortinet-psk"

    set security wpa2-only-personal

    set passphrase fortinet

    set quarantine enable

    next

    end

  3. Quarantine a wireless client. The example client has the MAC address b4:ae:2b:cb:d1:72:

    config user quarantine

    config targets

    edit "DESKTOP-Surface"

    config macs

    edit b4:ae:2b:cb:d1:72

    set description "Surface"

    next

    end

    next

    end

    end