Administration Guide

Quarantine

There are two quarantine modes available: by redirect or by VLAN. The quarantine mode is configured in the CLI.

To configure the quarantine mode:
config switch-controller global 
    set quarantine-mode {by-vlan (default)| by-redirect }
end

Quarantine by redirect

Quarantine by redirect makes the FortiSwitch redirect traffic from the quarantined host to the FortiGate, keeping the device on its original network.

Quarantine by VLAN, the default quarantine mode, moves the device from the normal switch VLAN to the quarantine VLAN, which can be complicated for administrators who use DHCP or static IP address assignments. When a device is sent to quarantine, its IP address is no longer valid for the quarantined VLAN segment, making it difficult to perform remediation on the device.

In this example, the PC can access the internet when there is an allowed policy from interface vsw.port11 to port1 (called PC to Internet). When the PC is quarantined, a firewall address is automatically created for the PC, which is added to an automatically created address group called QuarantinedDevices. A policy (called quarantine) is created that applies to this address group and blocks traffic from the PC to the internet.

The FortiSwitch configuration is done automatically after the FortiGate is configured.

To quarantine an active device, based on the device's MAC address, in the CLI:
config user quarantine
    set traffic-policy quarantine
    set firewall-groups "QuarantinedDevices"
    config targets
        edit "manual-qtn-1"
            set description "Manually quarantined"
            config macs
                edit 00:0c:29:d4:4f:3c
                    set description "manual-qtn"
                    set drop disable
                next
            end
        next
    end
end

Firewall addresses are automatically created for the quarantined MAC address, and the addresses are added to the QuarantinedDevices address group:

# show firewall address | grep -f qtn
config firewall address
    edit "qtn.mac_00:00:00:00:00:00" <---
        set uuid 9069e73c-3c6e-51ea-28d4-b807167fdcb7
        set type mac
        set comment "Quarantine dummy MAC to keep the addrgrp"
    next
    edit "qtn.mac_00:0c:29:d4:4f:3c" <---
        set uuid 869847ce-3c84-51ea-59c2-964152415e22
        set type mac
        set start-mac 00:0c:29:d4:4f:3c
        set end-mac 00:0c:29:d4:4f:3c
        set comment "Quarantine MAC"
    next
end
# show firewall addrgrp | grep -f Quarantined
config firewall addrgrp
    edit "QuarantinedDevices" <---
        set uuid 9069d332-3c6e-51ea-17e1-cab3dd4dde6c
        set member "qtn.mac_00:00:00:00:00:00" "qtn.mac_00:0c:29:d4:4f:3c"
    next
end
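
To confirm that the automatic objects match the devices you meant to quarantine, the two outputs above can be cross-checked. The following is an added example, not part of the Fortinet guide: the function names and the embedded sample (a trimmed copy of the output shown above) are constructed for illustration, and it assumes you paste the `show` output in as text.

```python
import re

# Constructed sample: the page's two "show" outputs, uuid and comment lines dropped.
SAMPLE = '''config firewall address
    edit "qtn.mac_00:00:00:00:00:00" <---
    next
    edit "qtn.mac_00:0c:29:d4:4f:3c" <---
        set type mac
        set start-mac 00:0c:29:d4:4f:3c
        set end-mac 00:0c:29:d4:4f:3c
    next
end
config firewall addrgrp
    edit "QuarantinedDevices" <---
        set member "qtn.mac_00:00:00:00:00:00" "qtn.mac_00:0c:29:d4:4f:3c"
    next
end
'''
PREFIX, DUMMY = "qtn.mac_", "qtn.mac_00:00:00:00:00:00"  # names as shown on the page

def parse_blocks(text):  # flat (non-nested) blocks -> {section: {entry: {key: value}}}
    out, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.replace("<---", "").strip()  # drop the guide's arrow markers
        if line.startswith("config "):
            section = out.setdefault(line[7:], {})
        elif line.startswith("edit ") and section is not None:
            entry = section.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value
        elif line in ("next", "end"):
            entry = None
    return out

def audit(text, expected_macs, group="QuarantinedDevices"):
    """Return mismatches between intended quarantine MACs and the auto-created objects."""
    cfg = parse_blocks(text)
    addrs, grp = cfg.get("firewall address", {}), cfg.get("firewall addrgrp", {}).get(group, {})
    members = set(re.findall(r'"([^"]+)"', grp.get("member", "")))
    wanted, problems = {PREFIX + m.lower() for m in expected_macs}, []
    for name in sorted(wanted):
        mac, addr = name[len(PREFIX):], addrs.get(name, {})
        if (addr.get("type"), addr.get("start-mac"), addr.get("end-mac")) != ("mac", mac, mac):
            problems.append(f"{name}: no single-MAC firewall address")
        if name not in members:
            problems.append(f"{name}: not in {group}")
    # Members nobody asked for (other than the placeholder) may be stale quarantines.
    problems += [f"{n}: in {group} but not expected" for n in sorted(members - wanted - {DUMMY})]
    return problems
```

An empty list means every intended MAC has its `qtn.mac_` address object and group membership; the dummy entry is ignored because it exists only to keep the address group non-empty.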

To view the automatic configuration changes on the FortiSwitch:
config switch quarantine
    edit 00:0c:29:d4:4f:3c
        set acl-id 2
        set cos-queue 0
        set description "manual-qtn "
        set policer 1
    next
end
config switch acl ingress
    edit 2
        config action
            set cos-queue 0
            set count enable
            set policer 1
        end
        config classifier
            set src-mac 00:0c:29:d4:4f:3c
        end
        set ingress-interface-all enable
    next
end

To quarantine an active device, based on the device's MAC address, in the GUI:
  1. Go to Security Fabric > Physical Topology or Security Fabric > Logical Topology.
  2. Mouse over the bubble of an active device, and select Quarantine Host from the right-click menu.

  3. Click OK in the Quarantine Host page to quarantine the device.

    Firewall addresses and an address group (QuarantinedDevices) are automatically added for the quarantined devices.

  4. Go to Policy & Objects > Firewall Policy and create a policy to block traffic from quarantined devices to the internet.

Quarantine by VLAN

When the FortiGate detects devices that have lower trust scores, lack mandatory installed software, or are sending out malicious traffic, an administrator can move the device from the normal switch VLAN to the quarantine VLAN. This can limit the device's access, or present it with specific information on the quarantine portal page.

To quarantine an active device, based on the device's MAC address, in the CLI:
config user quarantine
    config targets
        edit "manual-qtn-1"
            set description "Manually quarantined"
            config macs
                edit 00:0c:29:d4:4f:3c
                    set description "manual-qtn "
                next
            end
        next
    end
end

To quarantine an active device, based on the device's MAC address, in the GUI:
  1. Go to Security Fabric > Physical Topology, or Security Fabric > Logical Topology.
  2. Mouse over the bubble of an active device, and select Quarantine Host from the right-click menu.
  3. Click OK in the Quarantine Host page to quarantine the device.

The quarantined device is moved to the quarantine VLAN, and the configuration of the FortiSwitch port does not change.

The quarantined device gets its IP address from the DHCP server on the quarantine VLAN interface. The network locations that the device can access depend on the firewall policies that are configured for the quarantine VLAN interface. By default, the device must acknowledge and accept the information on the Quarantine Portal before it can access any part of the network.

Releasing or clearing the quarantine targets

To release or clear quarantine targets in the CLI:
config user quarantine
    config targets
        delete "manual-qtn-1"
        ...
    end
end

config user quarantine
    config targets
        purge
    end
end

To release or clear quarantine targets in the GUI:
  1. Go to Dashboard > Status and click Add Widget.
  2. In the Monitor section, click Quarantine.
  3. Select the FortiGate from the dropdown box.
  4. Click Add Widget. The Quarantine widget appears in the dashboard.
  5. In the Quarantine widget, delete the quarantine targets as needed, or click Remove All to delete all the targets.

To create a new dashboard for quarantined targets, see Dashboards and widgets. To create a standalone Quarantine widget, see Using widgets.
