Switch controller - quarantine by redirect
Quarantine by redirect makes the FortiSwitch redirect traffic from the quarantined host to the FortiGate, keeping the device on its original network. This is the default quarantine mode.
Quarantine by VLAN, which moves the device from the normal switch VLAN to the quarantine VLAN, can be complicated for administrators who use DHCP or static IP address assignments. When a device is sent to quarantine, its IP address is no longer valid for the quarantine VLAN segment, making it difficult to perform remediation on the device.
In this example, the PC can access the internet when there is an allowed policy from interface vsw.port11 to port1 (called PC to Internet). When the PC is quarantined, a firewall address is automatically created for the PC, which is added to an automatically created address group called QuarantinedDevices. A policy (called quarantine) is created that applies to this address group and blocks traffic from the PC to the internet.
The FortiSwitch configuration is done automatically after the FortiGate is configured.
To configure the quarantine mode:
config switch-controller global
set quarantine-mode {by-vlan | by-redirect (default)}
end
To quarantine an active device, based on the device's MAC address, in the GUI:
- Go to Security Fabric > Physical Topology or Security Fabric > Logical Topology.
- Mouse over the bubble of an active device, and select Quarantine Host from the right-click menu.

- Click OK in the Quarantine Host page to quarantine the device.
Firewall addresses and an address group (QuarantinedDevices) are automatically added for the quarantined devices.

- Go to Policy & Objects > Firewall Policy and create a policy to block traffic from quarantined devices to the internet.

To quarantine an active device, based on the device's MAC address, in the CLI:
config user quarantine
set traffic-policy quarantine
set firewall-groups "QuarantinedDevices"
config targets
edit "manual-qtn-1"
set description "Manually quarantined"
config macs
edit 00:0c:29:d4:4f:3c
set description "manual-qtn"
set drop disable
next
end
next
end
end
Firewall addresses are automatically created for the quarantined MAC address, and the addresses are added to the QuarantinedDevices address group:
# show firewall address | grep -f qtn
config firewall address
edit "qtn.mac_00:00:00:00:00:00" <---
set uuid 9069e73c-3c6e-51ea-28d4-b807167fdcb7
set type mac
set comment "Quarantine dummy MAC to keep the addrgrp"
next
edit "qtn.mac_00:0c:29:d4:4f:3c" <---
set uuid 869847ce-3c84-51ea-59c2-964152415e22
set type mac
set start-mac 00:0c:29:d4:4f:3c
set end-mac 00:0c:29:d4:4f:3c
set comment "Quarantine MAC"
next
end
# show firewall addrgrp | grep -f Quarantined
config firewall addrgrp
edit "QuarantinedDevices" <---
set uuid 9069d332-3c6e-51ea-17e1-cab3dd4dde6c
set member "qtn.mac_00:00:00:00:00:00" "qtn.mac_00:0c:29:d4:4f:3c"
next
end
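As an added consistency check, not part of the Fortinet documentation, the following Python script parses this kind of show output and verifies that every auto-created qtn.mac_* address object encodes the MAC its name claims and is a member of QuarantinedDevices (the group name comes from the page; the sample output is constructed in the same shape as the output above):

```python
import shlex
# Constructed sample shaped like the page's "show firewall address" / "show firewall addrgrp" output.
SAMPLE_SHOW = """\
config firewall address
    edit "qtn.mac_00:00:00:00:00:00"
        set type mac
    next
    edit "qtn.mac_00:0c:29:d4:4f:3c"
        set type mac
        set start-mac 00:0c:29:d4:4f:3c
        set end-mac 00:0c:29:d4:4f:3c
    next
end
config firewall addrgrp
    edit "QuarantinedDevices"
        set member "qtn.mac_00:00:00:00:00:00" "qtn.mac_00:0c:29:d4:4f:3c"
    next
end
"""
DUMMY_MAC = "00:00:00:00:00:00"  # placeholder object that keeps the addrgrp non-empty

def parse_show(text):
    """Flat config/edit/set/next/end blocks -> {table: {entry: {setting: [values]}}}."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = tables.setdefault(line[7:], {})
        elif line.startswith("edit ") and table is not None:
            entry = table.setdefault(shlex.split(line[5:])[0], {})
        elif line.startswith("set ") and entry is not None:
            key, _, rest = line[4:].partition(" ")
            entry[key] = shlex.split(rest)  # quoted values may contain spaces
        elif line in ("next", "end"):
            entry, table = None, (None if line == "end" else table)
    return tables

def audit_quarantine(tables, group="QuarantinedDevices"):
    """Sorted findings where qtn.mac_* objects and the quarantine group disagree."""
    addrs = tables.get("firewall address", {})
    members = set(tables.get("firewall addrgrp", {}).get(group, {}).get("member", []))
    findings = [f"{group}: member {m} has no address object" for m in members - set(addrs)]
    for name, cfg in addrs.items():
        if not name.startswith("qtn.mac_"):
            continue
        mac = name[len("qtn.mac_"):]  # the object name encodes the quarantined MAC
        if mac != DUMMY_MAC and (cfg.get("start-mac") != [mac] or cfg.get("end-mac") != [mac]):
            findings.append(f"{name}: start/end MAC does not match object name")
        if name not in members:
            findings.append(f"{name}: not a member of {group}")
    return sorted(findings)
```

Feed it the real output of the two show commands on a FortiGate; an empty result means the quarantine objects and the group agree, which is what the blocking policy depends on.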
To view the automatic configuration changes on the FortiSwitch:
config switch quarantine
edit 00:0c:29:d4:4f:3c
set acl-id 2
set cos-queue 0
set description "manual-qtn "
set policer 1
next
end
config switch acl ingress
edit 2
config action
set cos-queue 0
set count enable
set policer 1
end
config classifier
set src-mac 00:0c:29:d4:4f:3c
end
set ingress-interface-all enable
next
end