FortiNAC Quarantine action
Users can configure an automation stitch with the FortiNAC Quarantine action, using either a Compromised Host or an Incoming Webhook trigger. When the stitch is triggered, the FortiGate passes the host's MAC address to the configured FortiNAC, which quarantines the client PC and disables that MAC address.
In this example, the FortiNAC has been configured to join an enabled Security Fabric (see FortiNAC for more information).
To configure an automation stitch with a FortiNAC quarantine action in the GUI:
- Create a new API user and generate the API key:
    - Go to System > Administrators and click Create New > REST API Admin.
    - Configure the settings as needed.
    - Click OK. The New API key window opens.
    - Copy the key to the clipboard and click Close.
    - Click OK.
- Configure the automation stitch trigger:
    - Go to Security Fabric > Automation and click Create New.
    - Enter the stitch name (auto_webhook).
    - Click Add Trigger.
    - Click Create and select Incoming Webhook.
    - Enter a name (auto_webhook).
    - Click OK.
    - Paste the key in the API admin key field.
    - Click OK.
    - Select the trigger in the list and click Apply.
- Configure the automation stitch action:
    - Click Add Action.
    - Click Create and select FortiNAC Quarantine.
    - Enter an action name (auto_webhook_quarantine-fortinac) and click OK.
    - Select the action in the list and click Apply.
    - Click OK.
- On a Linux PC that can reach the FortiGate, send a cURL request to trigger the automation stitch. The Bearer token is the REST API admin key generated in the first step, and the request must come from an address in that API user's trusted hosts. The -k option disables TLS certificate verification and is only acceptable in a lab; in production, verify the FortiGate certificate instead:
    root@pc56:~# curl -k -X POST -H 'Authorization: Bearer ckx7d9xdzzx14Nztd1Ncr701dpwwy9' --data '{ "srcip": "1.1.1.1", "mac":"00:0C:29:0B:A6:16", "fctuid": "A8BA0B12DA694E47BA4ADF24F8358E2F"}' https://172.17.48.225:4431/api/v2/monitor/system/automation-stitch/webhook/auto_webhook
- In FortiOS, verify that the automation stitch was triggered and the action executed:
    - Go to Log & Report > Events and select System Events to confirm that the stitch was activated.
    - Go to Security Fabric > Automation to see the last time that the stitch was triggered.
In FortiNAC, the Host View shows the status of the client PC: it is quarantined and its MAC address is disabled.
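The cURL command above (the same one is used in the CLI procedure that follows) is enough for a lab test, but a script that triggers the stitch is easier to drop into an alerting pipeline. The following Python script is an added example and is not code from the Fortinet documentation. It validates the source IP and MAC address before sending them (a malformed MAC matches no FortiNAC host, so the quarantine would silently do nothing), sends the body as JSON with the API key as a Bearer token, and keeps TLS verification on instead of using the equivalent of curl -k. The FortiGate address, port, stitch name, API key and host fields are the placeholders from the walk-through above; the CA bundle path fortigate-ca.pem is an assumption.

```python
"""Trigger a FortiGate automation stitch through its Incoming Webhook.

Added example for this page; not code from the Fortinet documentation.
The address, port, stitch name, API key and host fields in the __main__
block are the placeholders used in the walk-through, not real values.
Unlike the page's "curl -k" command, this script verifies the FortiGate's
TLS certificate; pass the CA bundle that signed it (assumed file name below).
"""
import ipaddress
import json
import re
import ssl
import urllib.request
from urllib.error import HTTPError, URLError

# Six hex octets separated by ":" or "-" (same separator throughout).
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def normalize_mac(mac):
    """Return the MAC in the 00:0C:29:0B:A6:16 form FortiNAC shows, or raise."""
    mac = mac.strip()
    if not MAC_RE.match(mac):
        raise ValueError("not a MAC address: %r" % mac)
    return mac.replace("-", ":").upper()


def build_payload(srcip, mac, fctuid=None):
    """Build the JSON body the Incoming Webhook forwards to the stitch.

    srcip and mac are validated first: ipaddress rejects a malformed IP and
    normalize_mac rejects a malformed MAC, so a bad request never reaches
    the FortiGate.
    """
    payload = {
        "srcip": str(ipaddress.ip_address(srcip)),
        "mac": normalize_mac(mac),
    }
    if fctuid:
        payload["fctuid"] = fctuid  # FortiClient UID, optional
    return payload


def webhook_url(host, port, stitch):
    """URL of the Incoming Webhook endpoint for one stitch (path from the page)."""
    return ("https://%s:%d/api/v2/monitor/system/automation-stitch/webhook/%s"
            % (host, port, stitch))


def trigger_stitch(url, api_key, payload, ca_bundle=None, timeout=10):
    """POST the payload with the REST API admin key as a Bearer token.

    Returns (HTTP status, response body). TLS verification stays on: the
    FortiGate certificate must chain to ca_bundle (or the system store).
    """
    context = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        method="POST",
        headers={
            "Authorization": "Bearer " + api_key,
            "Content-Type": "application/json",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=context) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except HTTPError as e:
        # 401/403 usually means a wrong key or a source address outside
        # the API user's trusthost list; the body says which.
        return e.code, e.read().decode(errors="replace")


if __name__ == "__main__":
    url = webhook_url("172.17.48.225", 4431, "auto_webhook")
    body = build_payload("1.1.1.1", "00:0C:29:0B:A6:16",
                         "A8BA0B12DA694E47BA4ADF24F8358E2F")
    try:
        status, text = trigger_stitch(url, "ckx7d9xdzzx14Nztd1Ncr701dpwwy9",
                                      body, ca_bundle="fortigate-ca.pem")
        print(status, text)
    except (URLError, OSError) as e:
        print("webhook not reachable:", e)
```

After a successful call, the FortiGate logs an "Internal Message" record carrying the srcip, mac and fctuid fields it received, followed by the "Automation stitch triggered" event; the verification steps above show where to find them.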
To configure an automation stitch with a FortiNAC quarantine action in the CLI:
- Create a new API user and generate the API key:
    config system api-user
        edit "g-api-rw-user"
            set api-key ************
            set accprofile "super_admin"
            set vdom "root"
            config trusthost
                edit 1
                    set ipv4-trusthost 10.6.30.0 255.255.255.0
                next
            end
        next
    end
  The trusthost entry limits where the key can be used from; keep it as narrow as the host that sends the webhook. The walk-through uses the super_admin profile, so use the least privileged profile that still allows the key to trigger the stitch in production.
- Configure the automation trigger:
    config system automation-trigger
        edit "auto_webhook"
            set event-type incoming-webhook
        next
    end
- Configure the automation action:
    config system automation-action
        edit "auto_webhook_quarantine-fortinac"
            set action-type quarantine-fortinac
        next
    end
- Configure the automation stitch:
    config system automation-stitch
        edit "auto_webhook"
            set trigger "auto_webhook"
            set action "auto_webhook_quarantine-fortinac"
        next
    end
- On a Linux PC that can reach the FortiGate, send a cURL request to trigger the automation stitch. The Bearer token is the API key created above, and the request must originate from an address in the API user's trusthost list. The -k option skips TLS certificate verification and should only be used in a lab:
    root@pc56:~# curl -k -X POST -H 'Authorization: Bearer ckx7d9xdzzx14Nztd1Ncr701dpwwy9' --data '{ "srcip": "1.1.1.1", "mac":"00:0C:29:0B:A6:16", "fctuid": "A8BA0B12DA694E47BA4ADF24F8358E2F"}' https://172.17.48.225:4431/api/v2/monitor/system/automation-stitch/webhook/auto_webhook
- In FortiOS, verify that the automation stitch is triggered and the action is executed:
    # diagnose test application autod 2
    csf: enabled root:yes version:1592949233
    sync time:Tue Jun 23 15:03:15 2020
    total stitches activated: 1
    stitch: auto_webhook destinations: all
        trigger: auto_webhook (id:15)service=auto_webhook
            local hit: 1 relayed to: 0 relayed from: 0
        actions:
            auto_webhook_quarantine-fortinac type:quarantine-fortinac interval:0

  The corresponding event log records:
    date=2020-06-23 time=15:25:44 logdesc="Internal Message" path="system" name="automation-stitch" action="webhook" mkey="auto_webhook" srcip="1.1.1.1" mac="00:0C:29:0B:A6:16" fctuid="A8BA0B12DA694E47BA4ADF24F8358E2F" vdom="root" service="auto_webhook"
    date=2020-06-23 time=15:25:44 logid="0100046600" type="event" subtype="system" level="notice" vd="root" eventtime=1592951144401490054 tz="-0700" logdesc="Automation stitch triggered" stitch="auto_webhook" trigger="auto_webhook" stitchaction="auto_webhook_quarantine-fortinac" from="log" msg="stitch:auto_webhook is triggered."
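The two log records above are what an analyst or a SIEM rule should key on to confirm that a quarantine actually fired and against which host. The following Python script is an added example, not Fortinet code: it parses FortiOS key=value records (quoted values can contain spaces), filters the "Automation stitch triggered" events for one stitch, and correlates each with the "Internal Message" record that carries the webhook's srcip, mac and fctuid fields. The first two sample lines are copied from the output above; the third is a constructed record for a different stitch so the filter has something to skip.

```python
"""Confirm from FortiOS event logs that a stitch fired and which host it targeted.

Added example for this page, not Fortinet code. The first two sample records
are the log lines shown in the diagnose output on the page; the third is a
constructed record for an unrelated stitch.
"""
import re

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SAMPLE_LOG = [
    # copied from the page: webhook payload as received by the stitch
    'date=2020-06-23 time=15:25:44 logdesc="Internal Message" path="system" '
    'name="automation-stitch" action="webhook" mkey="auto_webhook" srcip="1.1.1.1" '
    'mac="00:0C:29:0B:A6:16" fctuid="A8BA0B12DA694E47BA4ADF24F8358E2F" vdom="root" '
    'service="auto_webhook"',
    # copied from the page: the stitch-triggered event
    'date=2020-06-23 time=15:25:44 logid="0100046600" type="event" subtype="system" '
    'level="notice" vd="root" eventtime=1592951144401490054 tz="-0700" '
    'logdesc="Automation stitch triggered" stitch="auto_webhook" trigger="auto_webhook" '
    'stitchaction="auto_webhook_quarantine-fortinac" from="log" '
    'msg="stitch:auto_webhook is triggered."',
    # constructed: a different stitch that must not match
    'date=2020-06-23 time=15:30:01 logid="0100046600" type="event" subtype="system" '
    'level="notice" vd="root" logdesc="Automation stitch triggered" stitch="other_stitch" '
    'trigger="other_trigger" stitchaction="email_admin" from="log" '
    'msg="stitch:other_stitch is triggered."',
]


def parse_fortios_log(line):
    """Split one FortiOS key=value record into a dict of string values."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def stitch_events(lines, stitch):
    """Return the 'Automation stitch triggered' records for the named stitch."""
    events = []
    for line in lines:
        rec = parse_fortios_log(line)
        if (rec.get("logdesc") == "Automation stitch triggered"
                and rec.get("stitch") == stitch):
            events.append(rec)
    return events


def quarantine_targets(lines, stitch):
    """Pair each trigger event with the webhook fields the FortiGate received.

    The payload is logged as a separate 'Internal Message' record whose
    mkey is the stitch name, so correlate on stitch name plus date/time.
    A missing payload (fields set to None) means the stitch fired from
    something other than the webhook, or the payload record was not collected.
    """
    payloads = {}
    for line in lines:
        rec = parse_fortios_log(line)
        if rec.get("name") == "automation-stitch" and rec.get("action") == "webhook":
            payloads[(rec.get("mkey"), rec.get("date"), rec.get("time"))] = rec
    targets = []
    for ev in stitch_events(lines, stitch):
        payload = payloads.get((stitch, ev.get("date"), ev.get("time")), {})
        targets.append({
            "time": ev["date"] + " " + ev["time"],
            "action": ev.get("stitchaction"),
            "srcip": payload.get("srcip"),
            "mac": payload.get("mac"),
            "fctuid": payload.get("fctuid"),
        })
    return targets


if __name__ == "__main__":
    for target in quarantine_targets(SAMPLE_LOG, "auto_webhook"):
        print(target)
```

The MAC returned here is the value to cross-check against the FortiNAC Host View: if the stitch fired but the MAC does not appear as disabled in FortiNAC, the quarantine action did not take effect on that host.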