Isolating a Device
An isolated device is one that is blocked from communicating with the outside world (for both sending and receiving). For more details about device isolation, see Investigation.
Note – Isolation mode takes effect on any attempt to establish a network session after isolation mode has been initiated. Connections that were established before device isolation was initiated remain intact. The same applies to Communication Control denial configuration changes. Note that neither Isolation mode nor Communication Control denial applies to incoming RDP connections or to ICMP connections.
To isolate a device using the FortiEDR Collector:
- In the EVENT VIEWER tab, select the checkbox(es) of the security event(s) that you want to isolate, and then click the Forensics button, as shown below:
The following window displays:
- In the Events tab, click the security event that you want to isolate, click the button's dropdown arrow, and then select Isolate. The following window displays:
- Click the Isolate button. A red icon appears next to the relevant security event in the Events tab to indicate that the applicable Collector has been isolated, as shown below:
To remove isolation from a device:
- In the FORENSICS tab, select the checkbox of the security event whose isolation you want to remove.
- Click the down arrow on the button and select Remove isolation, as shown below.
The following window displays:
- Click the Remove button.
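The note above is the part of this procedure that matters most during a response: isolation only blocks new sessions, sessions that were already established stay up, and incoming RDP and ICMP are not covered at all. The following script is an added example (not FortiEDR code or output) of the post-isolation check a responder would run against a snapshot of the endpoint's active sessions. The connection records, field names and timestamps are constructed for the example; the classification rules are taken directly from the note.

```python
from datetime import datetime, timezone

# Constructed sample of active sessions on an endpoint, as a responder might
# collect them (e.g. from netstat) shortly after triggering isolation.
# The field layout and values are assumptions for this example, not FortiEDR output.
SAMPLE_CONNECTIONS = [
    # Outbound session opened BEFORE isolation: stays intact, must be ended by hand.
    {"proto": "TCP", "direction": "outbound", "remote": "203.0.113.10:443",
     "local_port": 51022, "established": "2024-05-01T09:58:00Z"},
    # Inbound RDP after isolation: exempt from isolation, expected to still work.
    {"proto": "TCP", "direction": "inbound", "remote": "198.51.100.7:50112",
     "local_port": 3389, "established": "2024-05-01T10:05:00Z"},
    # ICMP after isolation: exempt from isolation.
    {"proto": "ICMP", "direction": "inbound", "remote": "198.51.100.9",
     "local_port": None, "established": "2024-05-01T10:06:00Z"},
    # Outbound TCP opened AFTER isolation: should not exist; isolation may not be effective.
    {"proto": "TCP", "direction": "outbound", "remote": "203.0.113.44:8080",
     "local_port": 51030, "established": "2024-05-01T10:07:00Z"},
]

# Constructed time at which isolation was initiated for this device.
ISOLATED_AT = "2024-05-01T10:00:00Z"

RDP_PORT = 3389  # standard RDP listener port

CATEGORIES = (
    "pre_isolation_session",     # established before isolation; remains intact
    "exempt_inbound_rdp",        # incoming RDP is not covered by isolation
    "exempt_icmp",               # ICMP is not covered by isolation
    "unexpected_post_isolation", # new session after isolation; investigate
)


def _parse(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp of the form used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(conn: dict, isolated_at: datetime) -> str:
    """Map one session to a category using the rules stated in the isolation note."""
    if conn["proto"] == "ICMP":
        return "exempt_icmp"
    if (conn["proto"] == "TCP" and conn["direction"] == "inbound"
            and conn["local_port"] == RDP_PORT):
        return "exempt_inbound_rdp"
    if _parse(conn["established"]) < isolated_at:
        return "pre_isolation_session"
    return "unexpected_post_isolation"


def audit_isolation(connections: list, isolated_at_str: str) -> dict:
    """Group the active sessions by what isolation mode does (or does not) do to them."""
    isolated_at = _parse(isolated_at_str)
    buckets = {name: [] for name in CATEGORIES}
    for conn in connections:
        buckets[classify(conn, isolated_at)].append(conn)
    return buckets


if __name__ == "__main__":
    report = audit_isolation(SAMPLE_CONNECTIONS, ISOLATED_AT)
    for name in CATEGORIES:
        print(f"{name}: {len(report[name])}")
        for conn in report[name]:
            print(f"  {conn['proto']} {conn['direction']} {conn['remote']}")
```

In practice the `pre_isolation_session` bucket is the one to act on (terminate the process or session manually), `unexpected_post_isolation` is a sign that isolation has not taken effect on the Collector, and the two exempt buckets are expected and simply need to be accounted for in the investigation.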