Administration Guide

FortiNAC Quarantine action

Users can configure an automation stitch that uses the FortiNAC Quarantine action with a Compromised Host or Incoming Webhook trigger. When the stitch is triggered, the client PC is quarantined and its MAC address is disabled in the configured FortiNAC.

In this example, the FortiNAC has been configured to join an enabled Security Fabric. See FortiNAC for more information.

The FortiNAC must also be configured to isolate disabled hosts.

To configure an automation stitch with a FortiNAC quarantine action in the GUI:
  1. Create a new API user and generate the API key:
    1. Go to System > Administrators and click Create New > REST API Admin.
    2. Configure the settings as needed.
    3. Click OK. The New API key window opens.
    4. Copy the key to the clipboard and click Close.

    5. Click OK.
  2. Configure the automation stitch trigger:
    1. Go to Security Fabric > Automation and click Create New.
    2. Enter the stitch name (auto_webhook).
    3. Click Add Trigger.
    4. Click Create and select Incoming Webhook.
    5. Enter a name (auto_webhook).
    6. Click OK.
    7. Paste the key in the API admin key field.

    8. Click OK.
    9. Select the trigger in the list and click Apply.
  3. Configure the automation stitch action:
    1. Click Add Action.
    2. Click Create and select FortiNAC Quarantine.
    3. Enter an action name (auto_webhook_quarantine-fortinac) and click OK.
    4. Select the action in the list and click Apply.
    5. Click OK.
  4. On a Linux PC accessible by the FortiGate, create a cURL request to trigger the automation stitch:
    root@pc56:~# curl -k -X POST -H 'Authorization: Bearer ckx7d9xdzzx14Nztd1Ncr701dpwwy9' --data '{ "srcip": "1.1.1.1", "mac":"00:0C:29:0B:A6:16", "fctuid": "A8BA0B12DA694E47BA4ADF24F8358E2F"}' https://172.17.48.225:4431/api/v2/monitor/system/automation-stitch/webhook/auto_webhook
  5. In FortiOS, verify the automation stitch is triggered and the action is executed:
    1. Go to Log & Report > Events and select System Events to confirm that the stitch was activated.
    2. Go to Security Fabric > Automation to see the last time that the stitch was triggered.
    3. In FortiNAC, the Host View shows the status of the client PC. It is quarantined and its MAC address is disabled.

To configure an automation stitch with a FortiNAC quarantine action in the CLI:
  1. Create a new API user and generate the API key:
    config system api-user
        edit "g-api-rw-user"
            set api-key ************
            set accprofile "super_admin"
            set vdom "root"
            config trusthost
                edit 1
                    set ipv4-trusthost 10.6.30.0 255.255.255.0
                next
            end
        next
    end
  2. Configure the automation trigger:
    config system automation-trigger
        edit "auto_webhook"
            set event-type incoming-webhook
        next
    end
  3. Configure the automation action:
    config system automation-action
        edit "auto_webhook_quarantine-fortinac"
            set action-type quarantine-fortinac
        next
    end
  4. Configure the automation stitch:
    config system automation-stitch
        edit "auto_webhook"
            set trigger "auto_webhook"
            config actions
                edit 1
                    set action "auto_webhook_quarantine-fortinac"
                    set required enable
                next
            end
        next
    end
  5. On a Linux PC accessible by the FortiGate, create a cURL request to trigger the automation stitch:
    root@pc56:~# curl -k -X POST -H 'Authorization: Bearer ckx7d9xdzzx14Nztd1Ncr701dpwwy9' --data '{ "srcip": "1.1.1.1", "mac":"00:0C:29:0B:A6:16", "fctuid": "A8BA0B12DA694E47BA4ADF24F8358E2F"}' https://172.17.48.225:4431/api/v2/monitor/system/automation-stitch/webhook/auto_webhook
  6. In FortiOS, verify that the automation stitch is triggered and the action is executed:
    # diagnose test application autod 2
    csf: enabled    root:yes
    version:1592949233 sync time:Tue Jun 23 15:03:15 2020
    
    total stitches activated: 1
    
    stitch: auto_webhook
            destinations: all
            trigger: auto_webhook
    
                    (id:15)service=auto_webhook
    
            local hit: 1 relayed to: 0 relayed from: 0
            actions:
                    auto_webhook_quarantine-fortinac type:quarantine-fortinac interval:0
                    
    date=2020-06-23 time=15:25:44 logdesc="Internal Message" path="system" name="automation-stitch" action="webhook" mkey="auto_webhook" srcip="1.1.1.1" mac="00:0C:29:0B:A6:16" fctuid="A8BA0B12DA694E47BA4ADF24F8358E2F" vdom="root" service="auto_webhook"
    
    date=2020-06-23 time=15:25:44 logid="0100046600" type="event" subtype="system" level="notice" vd="root" eventtime=1592951144401490054 tz="-0700" logdesc="Automation stitch triggered" stitch="auto_webhook" trigger="auto_webhook" stitchaction="auto_webhook_quarantine-fortinac" from="log" msg="stitch:auto_webhook is triggered."
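The procedure above ends with a raw cURL call and a manual check of the event log. The following Python script is an added example, not part of the Fortinet guide, that wraps the same two steps: it builds and validates the webhook request for the auto_webhook stitch (so a malformed MAC or IP is rejected before anything is quarantined), and it parses FortiOS key="value" event lines to confirm that the webhook for the expected MAC arrived and that the stitch fired. The base URL, the bearer token read from the FORTIGATE_API_TOKEN environment variable, and the optional CA bundle path are assumptions; the two sample log lines are copied from the diagnose output shown above. Unlike the page's curl -k, send_webhook verifies the FortiGate certificate.

```python
"""Added example (not Fortinet's code): trigger the auto_webhook stitch and
confirm from FortiOS event logs that it fired for the expected host.
Assumed: FORTIGATE_URL placeholder, token in FORTIGATE_API_TOKEN."""
import ipaddress
import json
import os
import re
import ssl
import urllib.request

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
# One key="quoted value" or key=bareword field in a FortiOS log line.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Sample lines copied from the diagnose output on this page (constructed input
# for the offline check below).
SAMPLE_LOGS = [
    'date=2020-06-23 time=15:25:44 logdesc="Internal Message" path="system" '
    'name="automation-stitch" action="webhook" mkey="auto_webhook" srcip="1.1.1.1" '
    'mac="00:0C:29:0B:A6:16" fctuid="A8BA0B12DA694E47BA4ADF24F8358E2F" vdom="root" '
    'service="auto_webhook"',
    'date=2020-06-23 time=15:25:44 logid="0100046600" type="event" subtype="system" '
    'level="notice" vd="root" eventtime=1592951144401490054 tz="-0700" '
    'logdesc="Automation stitch triggered" stitch="auto_webhook" trigger="auto_webhook" '
    'stitchaction="auto_webhook_quarantine-fortinac" from="log" '
    'msg="stitch:auto_webhook is triggered."',
]


def build_webhook_request(base_url, stitch, srcip, mac, fctuid, token):
    """Return (url, headers, body_dict) for the incoming-webhook trigger.
    The IP and MAC are validated first so a typo cannot quarantine the wrong
    host or silently do nothing."""
    ipaddress.ip_address(srcip)  # raises ValueError for a non-IP string
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {mac!r}")
    url = (f"{base_url.rstrip('/')}/api/v2/monitor/system/automation-stitch"
           f"/webhook/{stitch}")
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    body = {"srcip": srcip, "mac": mac.upper(), "fctuid": fctuid}
    return url, headers, body


def send_webhook(url, headers, body, cafile=None):
    """POST the trigger, verifying the FortiGate certificate (pass cafile for a
    private CA). Network call; not exercised by the offline test."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status, resp.read().decode()


def parse_fortios_log(line):
    """Parse a FortiOS key=value log line into a dict (quotes stripped)."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def stitch_triggered(lines, stitch, mac):
    """True when the logs show both the webhook arriving for this MAC on this
    stitch and the stitch itself being triggered."""
    webhook_seen = trigger_seen = False
    for rec in map(parse_fortios_log, lines):
        if (rec.get("name") == "automation-stitch" and rec.get("action") == "webhook"
                and rec.get("mkey") == stitch
                and rec.get("mac", "").upper() == mac.upper()):
            webhook_seen = True
        if (rec.get("logdesc") == "Automation stitch triggered"
                and rec.get("stitch") == stitch):
            trigger_seen = True
    return webhook_seen and trigger_seen


if __name__ == "__main__":
    # Demo with the page's values; FORTIGATE_URL is a placeholder, the token
    # must be supplied in the environment rather than typed on the command line.
    url, headers, body = build_webhook_request(
        os.environ.get("FORTIGATE_URL", "https://FORTIGATE_URL:4431"), "auto_webhook",
        "1.1.1.1", "00:0C:29:0B:A6:16", "A8BA0B12DA694E47BA4ADF24F8358E2F",
        os.environ.get("FORTIGATE_API_TOKEN", "TOKEN_PLACEHOLDER"))
    print("would POST", body, "to", url)
    print("sample logs show stitch triggered:",
          stitch_triggered(SAMPLE_LOGS, "auto_webhook", "00:0C:29:0B:A6:16"))
```

In production the log lines would come from the FortiGate's syslog feed or FortiAnalyzer rather than a pasted diagnose session; stitch_triggered is deliberately strict and requires both the webhook record with the matching MAC and the "Automation stitch triggered" record, so a stitch that fired for a different host is not mistaken for success.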