Quarantine

When the FortiGate detects devices that have lower trust scores, lack mandatory installed software, or are sending out malicious traffic, an administrator can quarantine the device by moving it from the normal switch VLAN to the quarantine VLAN. This can limit the device's access, or present it with specific information on the quarantine portal page.

To quarantine an active device:

Using the CLI, based on the device's MAC address:

config user quarantine
    config targets
        edit "manual-qtn-1"
            set description "Manually quarantined"
            config macs
                edit 00:0c:29:d4:4f:3c
                    set description "manual-qtn "
                next
            end
        next
    end
end

Using the GUI:

  1. On the FortiGate, go to Security Fabric > Physical Topology, or Security Fabric > Logical Topology.
  2. Mouse over the bubble of an active device, and select Quarantine Host from the right-click menu.
  3. Click OK in the Quarantine Host page to quarantine the device.

The quarantined device is moved to the quarantine VLAN, and the configuration of the FortiSwitch port does not change.

The quarantined device gets its IP address from the DHCP server on the quarantine VLAN interface. The network locations that the device can access depend on the firewall policies that are configured for the quarantine VLAN interface. By default, the device must acknowledge and accept the information on the Quarantine Portal before it can access any part of the network.

Release or clear the quarantine targets:

Using the CLI:

config user quarantine
    config targets
        delete "manual-qtn-1"
        ...
    end
end
config user quarantine
    config targets
        purge
    end
end

Using the GUI:

  1. Go to Monitor > Quarantine Monitor.
  2. Delete the quarantine targets as needed, or click Remove All to delete all the targets.
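The CLI blocks above are easy to mistype when several hosts need quarantining at once, and FortiOS expects the MAC address in colon-separated form. The following Python helper is an added example, not Fortinet tooling and not part of the original cookbook: it normalizes MAC addresses written in any common notation, drops duplicates, and renders the same `config user quarantine` block shown above for quarantining and for releasing targets. The target name `manual-qtn-1` comes from the page; everything else (function names, sample MACs) is constructed for illustration.

```python
"""Render FortiOS 'config user quarantine' CLI blocks from a list of MAC addresses.

Added example (not Fortinet's own code). The command structure mirrors the
cookbook's CLI block; the generated text is meant to be pasted into the CLI
or pushed by whatever automation you already use.
"""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept 00:0c:29:d4:4f:3c, 00-0C-29-D4-4F-3C or 000c.29d4.4f3c and
    return the lowercase, colon-separated form FortiOS displays."""
    raw = re.sub(r"[:\-.\s]", "", mac.strip()).lower()
    if not _HEX12.match(raw):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def _check_label(value: str) -> str:
    """Target names and descriptions are emitted inside double quotes, so
    reject values that would break the quoting."""
    if '"' in value or "\n" in value:
        raise ValueError(f"label may not contain quotes or newlines: {value!r}")
    return value


def quarantine_block(target: str, macs, description: str = "Manually quarantined") -> str:
    """Render the CLI block that quarantines the given MACs under one target name."""
    _check_label(target)
    _check_label(description)
    seen = []
    for m in macs:
        n = normalize_mac(m)
        if n not in seen:  # dedupe so the same host is not listed twice
            seen.append(n)
    if not seen:
        raise ValueError("at least one MAC address is required")
    lines = [
        "config user quarantine",
        "    config targets",
        f'        edit "{target}"',
        f'            set description "{description}"',
        "            config macs",
    ]
    for n in seen:
        lines += [
            f"                edit {n}",
            f'                    set description "{target}"',
            "                next",
        ]
    lines += ["            end", "        next", "    end", "end"]
    return "\n".join(lines)


def release_block(targets=None) -> str:
    """Render the CLI block that deletes the named targets, or purges all
    targets when targets is None (the two release forms shown on the page)."""
    lines = ["config user quarantine", "    config targets"]
    if targets is None:
        lines.append("        purge")
    else:
        lines += [f'        delete "{_check_label(t)}"' for t in targets]
    lines += ["    end", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample input: the page's MAC in three notations plus a second host.
    hosts = ["00:0c:29:d4:4f:3c", "00-0C-29-D4-4F-3C", "000c.29d4.4f3c", "00:0c:29:aa:bb:cc"]
    print(quarantine_block("manual-qtn-1", hosts))
    print(release_block(["manual-qtn-1"]))
    print(release_block())
```

Pasting the rendered block into the FortiGate CLI has the same effect as typing the commands by hand; the value of the helper is that a malformed MAC is rejected before anything reaches the device, and the release block is generated from the same target name so the two stay consistent.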
