Quarantine
There are two quarantine modes available: by redirect or by VLAN. The quarantine mode is configured in the CLI.
To configure the quarantine mode (the default is by-vlan):
config switch-controller global
    set quarantine-mode {by-vlan | by-redirect}
end
Quarantine by redirect
Quarantine by redirect makes the FortiSwitch redirect traffic from the quarantined host to the FortiGate, keeping the device on its original network.
Quarantine by VLAN, which moves the device from the normal switch VLAN to the quarantine VLAN, can be complicated for administrators who use DHCP or static IP address assignments. When a device is sent to quarantine, its IP address is no longer valid on the quarantine VLAN segment, which makes remediation of the device difficult. Quarantine by VLAN is the default quarantine mode.
In this example, the PC can access the internet because a firewall policy (called PC to Internet) allows traffic from interface vsw.port11 to port1. When the PC is quarantined, a firewall address is automatically created for the PC and added to an automatically created address group called QuarantinedDevices. A policy (called quarantine) is created that applies to this address group and blocks traffic from the PC to the internet.
The FortiSwitch configuration is done automatically after the FortiGate is configured.
To quarantine an active device, based on the device's MAC address, in the CLI:
config user quarantine
    set traffic-policy quarantine
    set firewall-groups "QuarantinedDevices"
    config targets
        edit "manual-qtn-1"
            set description "Manually quarantined"
            config macs
                edit 00:0c:29:d4:4f:3c
                    set description "manual-qtn"
                    set drop disable
                next
            end
        next
    end
end
Firewall addresses are automatically created for the quarantined MAC address, and the addresses are added to the QuarantinedDevices address group:
# show firewall address | grep -f qtn
config firewall address
    edit "qtn.mac_00:00:00:00:00:00" <---
        set uuid 9069e73c-3c6e-51ea-28d4-b807167fdcb7
        set type mac
        set comment "Quarantine dummy MAC to keep the addrgrp"
    next
    edit "qtn.mac_00:0c:29:d4:4f:3c" <---
        set uuid 869847ce-3c84-51ea-59c2-964152415e22
        set type mac
        set start-mac 00:0c:29:d4:4f:3c
        set end-mac 00:0c:29:d4:4f:3c
        set comment "Quarantine MAC"
    next
end
# show firewall addrgrp | grep -f Quarantined
config firewall addrgrp
    edit "QuarantinedDevices" <---
        set uuid 9069d332-3c6e-51ea-17e1-cab3dd4dde6c
        set member "qtn.mac_00:00:00:00:00:00" "qtn.mac_00:0c:29:d4:4f:3c"
    next
end
To view the automatic configuration changes on the FortiSwitch:
config switch quarantine
    edit 00:0c:29:d4:4f:3c
        set acl-id 2
        set cos-queue 0
        set description "manual-qtn "
        set policer 1
    next
end
config switch acl ingress
    edit 2
        config action
            set cos-queue 0
            set count enable
            set policer 1
        end
        config classifier
            set src-mac 00:0c:29:d4:4f:3c
        end
        set ingress-interface-all enable
    next
end
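The objects above are created on two devices (the FortiGate address, address group and policy; the FortiSwitch quarantine entry and ingress ACL), so a stale or half-applied quarantine shows up as a mismatch between them. The following script is an added example, not part of this guide or of FortiOS: it parses FortiOS-style `config`/`edit`/`set`/`next`/`end` output into nested dicts and checks, for every MAC under `config user quarantine`, that the `qtn.mac_<MAC>` address exists and matches the MAC, that it is a member of QuarantinedDevices, and that the FortiSwitch has a quarantine entry whose ACL classifies on that source MAC. The sample configuration is constructed from the CLI output on this page (UUIDs dropped), with one extra MAC, 00:0c:29:aa:bb:cc, added as a constructed stale target that has none of the objects; the function names are assumptions.

```python
"""Consistency check for the quarantine-by-redirect objects shown above:
each MAC under `config user quarantine` needs a matching qtn.mac_<MAC> address,
membership in QuarantinedDevices, and a FortiSwitch entry whose ACL matches it."""
import shlex

# Constructed sample assembled from the CLI output on this page (UUIDs dropped).
# 00:0c:29:aa:bb:cc is a constructed stale target with none of the objects.
SAMPLE = """
config user quarantine
    config targets
        edit "manual-qtn-1"
            config macs
                edit 00:0c:29:d4:4f:3c
                next
                edit 00:0c:29:aa:bb:cc
                next
            end
        next
    end
end
config firewall address
    edit "qtn.mac_00:00:00:00:00:00"
        set type mac
        set comment "Quarantine dummy MAC to keep the addrgrp"
    next
    edit "qtn.mac_00:0c:29:d4:4f:3c"
        set type mac
        set start-mac 00:0c:29:d4:4f:3c
        set end-mac 00:0c:29:d4:4f:3c
    next
end
config firewall addrgrp
    edit "QuarantinedDevices"
        set member "qtn.mac_00:00:00:00:00:00" "qtn.mac_00:0c:29:d4:4f:3c"
    next
end
config switch quarantine
    edit 00:0c:29:d4:4f:3c
        set acl-id 2
    next
end
config switch acl ingress
    edit 2
        config classifier
            set src-mac 00:0c:29:d4:4f:3c
        end
    next
end
"""
PLACEHOLDER = "qtn.mac_00:00:00:00:00:00"  # dummy entry that keeps the group non-empty

def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into nested dicts; `set` values stay lists."""
    stack = [{}]
    for raw in text.splitlines():
        tok = shlex.split(raw)            # shlex honours the quoted values
        if not tok or tok[0].startswith("#"):
            continue                      # blank line or a "# show ..." prompt
        if tok[0] in ("config", "edit"):  # open a nested block
            node = {}
            stack[-1][" ".join(tok[1:])] = node
            stack.append(node)
        elif tok[0] == "set":
            stack[-1][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):   # close the innermost block
            stack.pop()
    return stack[0]

def check_quarantine(cfg):
    """Return {name: [problems]} per quarantined MAC plus the group itself;
    an empty list means that item is consistent."""
    addrs = cfg.get("firewall address", {})
    members = set(cfg.get("firewall addrgrp", {}).get("QuarantinedDevices", {}).get("member", []))
    sw_qtn = cfg.get("switch quarantine", {})
    acls = cfg.get("switch acl ingress", {})
    report = {"QuarantinedDevices": [] if PLACEHOLDER in members else ["placeholder address missing"]}
    for target in cfg.get("user quarantine", {}).get("targets", {}).values():
        for mac in target.get("macs", {}):
            mac, problems = mac.lower(), []
            name = f"qtn.mac_{mac}"
            addr = addrs.get(name)
            if addr is None:
                problems.append("missing firewall address")
            elif (addr.get("type"), addr.get("start-mac"), addr.get("end-mac")) != (["mac"], [mac], [mac]):
                problems.append("firewall address does not match MAC")
            if name not in members:
                problems.append("not in QuarantinedDevices group")
            entry = sw_qtn.get(mac)
            if entry is None:
                problems.append("no FortiSwitch quarantine entry")
            elif acls.get(entry.get("acl-id", [""])[0], {}).get("classifier", {}).get("src-mac") != [mac]:
                problems.append("FortiSwitch ACL does not classify on this MAC")
            report[mac] = problems
    return report

if __name__ == "__main__":
    for item, problems in check_quarantine(parse_fortios(SAMPLE)).items():
        print(item, "OK" if not problems else "; ".join(problems))
```

Run against real output, feed it the concatenated `show user quarantine`, `show firewall address`, `show firewall addrgrp` text from the FortiGate and the `show switch quarantine` / `show switch acl ingress` text from the FortiSwitch, after stripping any `<---` annotations. The placeholder check matters because the group is what the blocking policy references: the dummy `qtn.mac_00:00:00:00:00:00` entry is what keeps the group valid when the last real quarantined MAC is released.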
To quarantine an active device, based on the device's MAC address, in the GUI:
- Go to Security Fabric > Physical Topology or Security Fabric > Logical Topology.
- Mouse over the bubble of an active device, and select Quarantine Host from the right-click menu.
- Click OK in the Quarantine Host page to quarantine the device.
Firewall addresses and an address group (QuarantinedDevices) are automatically added for the quarantined devices.
- Go to Policy & Objects > Firewall Policy and create a policy to block traffic from quarantined devices to the internet.
Quarantine by VLAN
When the FortiGate detects devices that have lower trust scores, lack mandatory installed software, or are sending out malicious traffic, an administrator can quarantine the device by moving it from the normal switch VLAN to the quarantine VLAN. This can limit the device's access, or present it with specific information on the quarantine portal page.
To quarantine an active device, based on the device's MAC address, in the CLI:
config user quarantine
    config targets
        edit "manual-qtn-1"
            set description "Manually quarantined"
            config macs
                edit 00:0c:29:d4:4f:3c
                    set description "manual-qtn "
                next
            end
        next
    end
end
To quarantine an active device, based on the device's MAC address, in the GUI:
- Go to Security Fabric > Physical Topology, or Security Fabric > Logical Topology.
- Mouse over the bubble of an active device, and select Quarantine Host from the right-click menu.
- Click OK in the Quarantine Host page to quarantine the device.
The quarantined device is moved to the quarantine VLAN, and the configuration of the FortiSwitch port does not change.
The quarantined device gets its IP address from the DHCP server on the quarantine VLAN interface. The network locations that the device can access depend on the firewall policies that are configured for the quarantine VLAN interface. By default, the device must acknowledge and accept the information on the Quarantine Portal before it can access any part of the network.
Releasing or clearing the quarantine targets
To release or clear quarantine targets in the CLI:
config user quarantine
    config targets
        delete "manual-qtn-1"
        ...
    end
end
config user quarantine
    config targets
        purge
    end
end
To release or clear quarantine targets in the GUI:
- Go to Dashboard > Status and click Add Widget.
- In the Monitor section, click Quarantine.
- Select the FortiGate from the dropdown box.
- Click Add Widget. The Quarantine widget appears in the dashboard.
- In the Quarantine widget, delete the quarantine targets as needed, or click Remove All to delete all the targets.
To create a new dashboard for quarantined targets, see Dashboards and widgets. To create a standalone Quarantine widget, see Using widgets.