FortiWiFi and FortiAP Cookbook

6.4.0

Configuring quarantine on SSID

This topic provides instructions for a simple quarantine configuration on an SSID. Consider the following for this feature:

  • The quarantine function only works with SSID tunnel mode.
  • The quarantine function is independent of SSID security mode.

The following shows a simple network topology for this recipe:

To quarantine a wireless client on the FortiWiFi and FortiAP GUI:
  1. In FortiWiFi and FortiAP, go to the policy applied to the SSID and enable All Sessions for Log Allowed Traffic.
  2. Edit the SSID:
    1. Go to WiFi & Switch Controller > SSID, and select the desired SSID.
    2. Enable Device Detection.
    3. Enable Quarantine Host.
    4. Click OK.
  3. Quarantine a wireless client:
    1. Do one of the following:
      1. Go to Security Fabric > Physical Topology. View the topology by access device.
      2. Go to FortiView > Traffic from LAN/DMZ > Source.
      3. Go to FortiView > Traffic from LAN/DMZ > WiFi Clients.
    2. Right-click the wireless client, then click Quarantine Host.
To quarantine a wireless client using the FortiWiFi and FortiAP CLI:
  1. Under global quarantine settings, enable quarantine:

    config user quarantine
        set quarantine enable
    end

  2. Under virtual access point (VAP) settings, enable quarantine:

    config wireless-controller vap
        edit wifi-vap
            set ssid "Fortinet-psk"
            set security wpa2-only-personal
            set passphrase fortinet
            set quarantine enable
        next
    end

  3. Quarantine a wireless client. The example client has the MAC address b4:ae:2b:cb:d1:72:

    config user quarantine
        config targets
            edit "DESKTOP-Surface"
                config macs
                    edit b4:ae:2b:cb:d1:72
                        set description "Surface"
                    next
                end
            next
        end
    end
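The nested config/edit/set/next/end structure above is the same shape FortiOS prints when you run a show command, so it is worth being able to read it back programmatically when auditing which hosts are currently quarantined. The following is an added example, not Fortinet code: a small parser for that subset of the FortiOS CLI syntax (config, edit, set, unset, next, end), plus helpers that report whether the global quarantine switch is enabled and which MAC addresses sit under config user quarantine > config targets. The configuration text is a constructed sample that repeats the page's DESKTOP-Surface target and adds a second, hypothetical target (LAB-Laptop, 00:11:22:33:44:55) to show the general case.

```python
import re
import shlex

# Constructed sample: the page's quarantine target plus a second, hypothetical one.
SAMPLE_CONFIG = """\
config user quarantine
    set quarantine enable
    config targets
        edit "DESKTOP-Surface"
            config macs
                edit b4:ae:2b:cb:d1:72
                    set description "Surface"
                next
            end
        next
        edit "LAB-Laptop"
            config macs
                edit 00:11:22:33:44:55
                    set description "constructed sample host"
                next
            end
        next
    end
end
"""

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


def _new_node():
    # Each block holds its own settings and its child config/edit blocks.
    return {"set": {}, "config": {}, "edit": {}}


def parse_fortios(text):
    """Parse FortiOS CLI config text into nested dicts using a block stack."""
    root = _new_node()
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # strips the quotes around names and values
        kw, args = tokens[0], tokens[1:]
        if kw in ("config", "edit"):
            name = " ".join(args)
            child = stack[-1][kw].setdefault(name, _new_node())
            stack.append(child)
        elif kw == "set":
            stack[-1]["set"][args[0]] = args[1:]
        elif kw == "unset":
            stack[-1]["set"].pop(args[0], None)
        elif kw in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"unbalanced {kw!r}")
            stack.pop()
        else:
            raise ValueError(f"unknown keyword {kw!r} in line {line!r}")
    if len(stack) != 1:
        raise ValueError("unterminated config/edit block")
    return root


def normalize_mac(mac):
    """Lower-case, colon-separated form; accepts Windows-style dashes too."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac


def quarantine_enabled(config_text):
    """True when 'set quarantine enable' is present under config user quarantine."""
    q = parse_fortios(config_text)["config"].get("user quarantine")
    return q is not None and q["set"].get("quarantine") == ["enable"]


def quarantined_macs(config_text):
    """Map each quarantined MAC to its (target name, description)."""
    q = parse_fortios(config_text)["config"].get("user quarantine")
    if q is None:
        return {}
    result = {}
    targets = q["config"].get("targets", _new_node())["edit"]
    for target, tnode in targets.items():
        macs = tnode["config"].get("macs", _new_node())["edit"]
        for mac, mnode in macs.items():
            desc = " ".join(mnode["set"].get("description", []))
            result[normalize_mac(mac)] = (target, desc)
    return result


def is_quarantined(config_text, mac):
    """Audit check: is this client MAC present in the quarantine targets?"""
    return normalize_mac(mac) in quarantined_macs(config_text)


if __name__ == "__main__":
    print("quarantine enabled:", quarantine_enabled(SAMPLE_CONFIG))
    for mac, (target, desc) in quarantined_macs(SAMPLE_CONFIG).items():
        print(f"{mac}  target={target!r}  description={desc!r}")
```

Feed it the output of a saved configuration export and the functions give you a quick list of quarantined MACs to reconcile against your asset inventory; an exception from normalize_mac flags an entry that is not a valid MAC.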
