
Administration Guide


Isolating a device

An isolated device is one that is blocked from communicating with the outside world (for both sending and receiving). For more details about device isolation, see Investigation.

Note

Isolation mode takes effect upon any attempt to establish a network session after isolation mode has been initiated. Connections that were established before device isolation was initiated remain intact. The same applies to Communication Control denial configuration changes. Neither Isolation mode nor Communication Control denial applies to incoming RDP connections or to ICMP connections.
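Because isolation leaves pre-existing sessions, incoming RDP and ICMP untouched, a responder should know what will still be reachable before clicking Isolate. The following added example (not part of the guide and not a FortiEDR API) takes a connection snapshot in a constructed `proto lport remote rport state dir` format and classifies each entry according to the rules in the note above; the RDP port is assumed to be the default 3389.

```python
"""Classify which connections FortiEDR isolation will leave intact.

Rules taken from the guide: isolation only blocks sessions started after
it is initiated, sessions already ESTABLISHED persist, and incoming RDP
and ICMP are not subject to isolation at all.
"""
from dataclasses import dataclass

RDP_PORT = 3389  # assumption: RDP listening on its default port


@dataclass(frozen=True)
class Conn:
    proto: str        # "tcp", "udp" or "icmp"
    local_port: int   # 0 for icmp
    remote: str
    remote_port: int  # 0 for icmp
    state: str        # "ESTABLISHED", "SYN_SENT", "SYN_RECV", "-" ...
    inbound: bool     # True when the remote side initiated the session


def survives_isolation(c: Conn) -> bool:
    """True if the note's rules mean this connection is unaffected."""
    if c.proto == "icmp":                                   # ICMP exempt
        return True
    if c.inbound and c.proto == "tcp" and c.local_port == RDP_PORT:
        return True                                         # incoming RDP exempt
    return c.state == "ESTABLISHED"                         # pre-existing session


def parse_snapshot(text: str) -> list[Conn]:
    """Parse the constructed listing format: proto lport remote rport state dir."""
    conns = []
    for line in text.strip().splitlines():
        proto, lport, remote, rport, state, direction = line.split()
        conns.append(Conn(proto.lower(), int(lport), remote, int(rport),
                          state.upper(), direction.lower() == "in"))
    return conns


def report(text: str) -> dict[str, list[str]]:
    """Group a snapshot into what stays reachable and what isolation cuts off."""
    out: dict[str, list[str]] = {"still_reachable": [], "blocked_by_isolation": []}
    for c in parse_snapshot(text):
        key = "still_reachable" if survives_isolation(c) else "blocked_by_isolation"
        out[key].append(f"{c.proto}:{c.local_port} <-> {c.remote}:{c.remote_port} ({c.state})")
    return out


# Constructed sample snapshot taken just before isolating the host.
SNAPSHOT = """
tcp  49152 203.0.113.7  443   ESTABLISHED out
tcp  3389  198.51.100.5 50000 ESTABLISHED in
tcp  49153 203.0.113.9  8080  SYN_SENT    out
icmp 0     192.0.2.1    0     -           in
tcp  445   198.51.100.9 51000 SYN_RECV    in
"""

if __name__ == "__main__":
    for bucket, items in report(SNAPSHOT).items():
        print(bucket, *items, sep="\n  ")
```

Entries in `still_reachable` are the ones to terminate or contain by other means (for example on the firewall) once the device is isolated.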

To isolate a device using the FortiEDR Collector:
  1. In the EVENT VIEWER tab, select the checkbox(es) of the security event(s) that you want to isolate, and then click the Forensics button, as shown below:

    The following window displays:

  2. In the Events tab, click the security event that you want to isolate, click the Isolate button dropdown arrow and then select Isolate. The following window displays:

  3. Click Isolate. A red icon appears next to the relevant security event in the Events tab to indicate that the applicable Collector has been isolated, as shown below:

To remove isolation from a device:
  1. In the FORENSICS tab, select the checkbox of the security event whose isolation you want to remove.
  2. Click the down arrow on the Isolate button and select Remove isolation, as shown below.

    The following window displays:

  3. Click Remove.
