Configuring quarantine on SSID
This topic provides instructions for a simple quarantine configuration on an SSID. Consider the following for this feature:
- The quarantine function only works with SSID tunnel mode.
- The quarantine function is independent of SSID security mode.
The following shows a simple network topology for this recipe:
To quarantine a wireless client on the FortiWiFi and FortiAP GUI:
- In FortiWiFi and FortiAP, go to the policy applied to the SSID and enable All Sessions for Log Allowed Traffic.
- Edit the SSID:
  - Go to WiFi & Switch Controller > SSID, and select the desired SSID.
  - Enable Device Detection.
  - Enable Quarantine Host.
  - Click OK.
- Quarantine a wireless client:
  - Do one of the following:
    - Go to Security Fabric > Physical Topology. View the topology by access device.
    - Go to FortiView > Traffic from LAN/DMZ > Source.
    - Go to FortiView > Traffic from LAN/DMZ > WiFi Clients.
  - Right-click the wireless client, then click Quarantine Host.
To quarantine a wireless client using the FortiWiFi and FortiAP CLI:
- Under global quarantine settings, enable quarantine:
config user quarantine
    set quarantine enable
end
- Under virtual access point (VAP) settings, enable quarantine:
config wireless-controller vap
    edit wifi-vap
        set ssid "Fortinet-psk"
        set security wpa2-only-personal
        set passphrase fortinet
        set quarantine enable
    next
end
- Quarantine a wireless client. The example client has the MAC address b4:ae:2b:cb:d1:72:
config user quarantine
    config targets
        edit "DESKTOP-Surface"
            config macs
                edit b4:ae:2b:cb:d1:72
                    set description "Surface"
                next
            end
        next
    end
end
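
When several clients have to be quarantined during an incident, the target block above can be generated from a list instead of typed by hand. The following is an added example, not part of the Fortinet documentation: the function names are hypothetical, it assumes one target may hold several entries under `config macs`, and it only builds the CLI text without connecting to a device.

```python
import re


def normalize_mac(mac: str) -> str:
    """Return the MAC as lowercase colon-separated hex, or raise ValueError."""
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def _quote(value: str) -> str:
    """Quote a CLI string; reject characters that could break out of the quotes."""
    if re.search(r'["\\\r\n]', value):
        raise ValueError(f"unsafe character in CLI value: {value!r}")
    return f'"{value}"'


def quarantine_config(targets: dict) -> str:
    """Build the 'config user quarantine' block.

    targets maps a target name to a list of (mac, description) pairs.
    """
    lines = ["config user quarantine", "    config targets"]
    for name, entries in targets.items():
        lines.append(f"        edit {_quote(name)}")
        lines.append("            config macs")
        seen = set()
        for mac, description in entries:
            mac = normalize_mac(mac)
            if mac in seen:  # same client listed twice under another notation
                continue
            seen.add(mac)
            lines.append(f"                edit {mac}")
            lines.append(f"                    set description {_quote(description)}")
            lines.append("                next")
        lines.append("            end")
        lines.append("        next")
    lines += ["    end", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed input: the page's example client, written in a different MAC notation.
    print(quarantine_config({"DESKTOP-Surface": [("B4-AE-2B-CB-D1-72", "Surface")]}))
```

Descriptions and target names often come from tickets or inventory exports, so the quoting check rejects any value that could close the string and append extra CLI lines.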