Fortinet Document Library


Quarantines

Administrators can use MAC addresses to quarantine hosts and users connected to a FortiSwitch unit. Quarantined MAC addresses are isolated from the rest of the network and LAN.


Quarantining MAC addresses

You can use the FortiGate GUI or CLI to quarantine a MAC address.

NOTE: If you have multiple FortiLink interfaces, only the first quarantine VLAN is created successfully (with an IP address of 10.254.254.254). Additional quarantine VLANs will have an empty IP address.

Using the FortiGate GUI

In the FortiGate GUI, the quarantine feature is automatically enabled when you quarantine a host.

  1. Select the host to quarantine.
    • Go to Security Fabric > Physical Topology, right-click on a host, and select Quarantine Host on FortiSwitch.
    • Go to Security Fabric > Logical Topology, right-click on a host, and select Quarantine Host on FortiSwitch.
    • Go to FortiView > Sources, right-click on an entry in the Source column, and select Quarantine Host on FortiSwitch.
  2. Select Accept to confirm that you want to quarantine the host.

Using the FortiGate CLI

NOTE: Previously, this feature used the config switch-controller quarantine CLI command.

There are two kinds of quarantines:

  • Quarantine-by-VLAN sends quarantined device traffic to the FortiGate unit on a separate quarantine VLAN (starting in FortiOS 6.0.0 and FortiSwitchOS 6.0.0).
  • Quarantine-by-redirect redirects quarantined device traffic to a firewall address group on the FortiGate unit (starting in FortiOS 6.4.0 and FortiSwitchOS 6.4.0).

By default, the quarantine feature is enabled. When you upgrade a FortiGate unit from an older to a newer firmware version, the FortiGate unit uses the quarantine feature status from the older configuration. If the quarantine feature was disabled in the older configuration, it will be disabled after the upgrade.

You can add MAC addresses to be quarantined even when the quarantine feature is disabled. The MAC addresses are only quarantined when the quarantine feature is enabled.

The quarantine table holds up to 512 quarantine entries. There is no limit on how many MAC addresses each entry can contain.

Optionally, you can configure a traffic policy for quarantined devices to control how much bandwidth and burst they use and which class of service (CoS) queue they are assigned to. Without a traffic policy, you cannot control how much network resources quarantined devices use.

Starting in FortiOS 6.4.1, quarantine-by-VLAN is the default. If you have a quarantine-by-VLAN configuration and want to migrate to a quarantine-by-redirect configuration:

  1. Disable quarantine.
  2. Change the quarantine-mode to by-redirect.
  3. Remove the quarantine VLAN from the switch ports.
  4. Enable quarantine.

To set up a quarantine in FortiOS:

config switch-controller global
    set quarantine-mode {by-vlan | by-redirect}
end

config user quarantine
    set quarantine enable
    set traffic-policy <traffic_policy_name>
    set firewall-groups <firewall_address_group>
    config targets
        edit <quarantine_entry_name>
            set description <string>
            config macs
                edit <MAC_address_1>
                    set drop {enable | disable}
                next
                edit <MAC_address_2>
                    set drop {enable | disable}
                next
                edit <MAC_address_3>
                    set drop {enable | disable}
                next
            end
        next
    end
end

 

Option  Description

quarantine-mode {by-vlan | by-redirect}
    Select the quarantine mode:
      • by-vlan sends quarantined device traffic to the FortiGate unit on a separate quarantine VLAN. This mode is the default.
      • by-redirect redirects quarantined device traffic to a firewall address group on the FortiGate unit.

traffic-policy <traffic_policy_name>
    Optional. The name of the traffic policy that controls quarantined devices. If you specify a traffic policy, configure it with the config switch-controller traffic-policy command.

firewall-groups <firewall_address_group>
    Optional. By default, the firewall address group is QuarantinedDevices. If you are using quarantine-by-redirect, you must use the default firewall address group.

quarantine_entry_name
    A name for this quarantine entry.

description <string>
    Optional. A description of the MAC addresses being quarantined.

MAC_address_1, MAC_address_2, MAC_address_3
    A layer-2 MAC address in the format 12:34:56:aa:bb:cc.

drop {enable | disable}
    Enable to drop quarantined device traffic. Disable to send quarantined device traffic to the FortiGate unit.

For example:

config switch-controller global
    set quarantine-mode by-redirect
end

config user quarantine
    set quarantine enable
    set traffic-policy qtrafficp
    set firewall-groups QuarantinedDevices
    config targets
        edit quarantine1
            set description "infected by virus"
            config macs
                edit 00:00:00:aa:bb:cc
                    set drop disable
                next
                edit 00:11:22:33:44:55
                    set drop disable
                next
                edit 00:01:02:03:04:05
                    set drop disable
                next
            end
        next
    end
end
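As an added example (this is not code from the Fortinet documentation), the following Python helper turns a list of MAC addresses collected during an incident into the config user quarantine block shown above. It normalizes MACs to the colon-separated form the CLI expects, rejects anything that is not a MAC address, de-duplicates, refuses more than the 512 quarantine entries the table allows, and for by-redirect mode always emits the default QuarantinedDevices group as required. The function names, the entry names and the incident data are this example's own assumptions, not FortiOS commands or real captures.

```python
import re

MAX_TARGETS = 512  # documented size limit of the quarantine targets table
MAC_FORMAT = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")


def normalize_mac(mac: str) -> str:
    """Return a MAC address in the 12:34:56:aa:bb:cc form the CLI expects.

    Accepts the variants commonly found in logs and inventories
    (AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff, AABBCCDDEEFF). Anything that does
    not contain exactly 12 hex digits is rejected instead of passed on.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    out = ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()
    assert MAC_FORMAT.match(out)
    return out


def build_quarantine_config(targets, mode="by-vlan", traffic_policy=None, drop=False):
    """Render the FortiOS CLI that quarantines every MAC in `targets`.

    targets: {entry_name: {"description": str, "macs": [str, ...]}}
    drop:    True emits 'set drop enable' (quarantined traffic is dropped);
             False sends the traffic to the FortiGate unit instead.
    """
    if mode not in ("by-vlan", "by-redirect"):
        raise ValueError(f"unknown quarantine-mode {mode!r}")
    if len(targets) > MAX_TARGETS:
        raise ValueError(f"{len(targets)} entries exceed the table limit of {MAX_TARGETS}")

    lines = [
        "config switch-controller global",
        f"    set quarantine-mode {mode}",
        "end",
        "",
        "config user quarantine",
        "    set quarantine enable",
    ]
    if traffic_policy:
        lines.append(f"    set traffic-policy {traffic_policy}")
    if mode == "by-redirect":
        # quarantine-by-redirect only works with the default firewall address group
        lines.append("    set firewall-groups QuarantinedDevices")
    lines.append("    config targets")
    for name, spec in targets.items():
        if not re.fullmatch(r"[A-Za-z0-9_.-]+", name):
            raise ValueError(f"unsafe entry name {name!r}")
        lines.append(f"        edit {name}")
        desc = spec.get("description")
        if desc:
            desc = desc.replace('"', "'")  # keep the quoted CLI string well-formed
            lines.append(f'            set description "{desc}"')
        lines.append("            config macs")
        seen = set()
        for mac in spec["macs"]:
            mac = normalize_mac(mac)
            if mac in seen:  # the same host reported twice in different notations
                continue
            seen.add(mac)
            lines += [
                f"                edit {mac}",
                f"                    set drop {'enable' if drop else 'disable'}",
                "                next",
            ]
        lines += ["            end", "        next"]
    lines += ["    end", "end"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed incident data (example values, not from the original page):
    # two hosts flagged by the SOC, one of them reported in two notations.
    incident = {
        "ir-2024-0042": {
            "description": "C2 beaconing seen by IDS",
            "macs": ["00-00-00-AA-BB-CC", "0000.00aa.bbcc", "00:11:22:33:44:55"],
        }
    }
    print(build_quarantine_config(incident, mode="by-redirect", traffic_policy="qtrafficp"))
```

The generated text is meant to be pasted into the FortiGate CLI (or pushed over SSH by whatever automation you already use); the traffic policy named with traffic_policy still has to exist under config switch-controller traffic-policy, as the option table says.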

To configure a traffic policy for quarantined devices in FortiOS:

config switch-controller traffic-policy
    edit <traffic_policy_name>
        set description <string>
        set policer-status enable
        set guaranteed-bandwidth <0-524287000>
        set guaranteed-burst <0-4294967295>
        set maximum-burst <0-4294967295>
        set cos-queue <0-7>
    next
end

Option  Description

traffic-policy <traffic_policy_name>
    Enter a name for the traffic policy that controls quarantined devices.

description <string>
    Enter an optional description of the traffic policy.

policer-status enable
    Enable the policer configuration to control quarantined devices. It is enabled by default.

guaranteed-bandwidth <0-524287000>
    Enter the guaranteed bandwidth in kbps. The maximum value is 524287000. The default value is 0.

guaranteed-burst <0-4294967295>
    Enter the guaranteed burst size in bytes. The maximum value is 4294967295. The default value is 0.

maximum-burst <0-4294967295>
    Enter the maximum burst size in bytes. The maximum value is 4294967295. The default value is 0.

cos-queue <0-7>
    Set the class of service (CoS) queue for the VLAN traffic. Use the unset cos-queue command to disable this setting.

For example:

config switch-controller traffic-policy
    edit qtrafficp
        set description "quarantined traffic policy"
        set policer-status enable
        set guaranteed-bandwidth 10000
        set guaranteed-burst 10000
        set maximum-burst 10000
        unset cos-queue
    next
end

Using quarantine with DHCP

When a device that uses DHCP is quarantined, it keeps the address and gateway from its existing lease and becomes unreachable until the lease is renewed. To avoid this, enable the bounce-quarantined-link option, which shuts down the switch port where the quarantined device was last seen and then brings it back up. Bouncing the port both when the device is quarantined and when it is released from quarantine forces a DHCP renewal, so the device obtains an address on the correct network. By default, the bounce-quarantined-link option is disabled.

To bounce the switch port where a quarantined device was last seen:

config switch-controller global
    set bounce-quarantined-link {enable | disable}
end

Using quarantine with 802.1x MAC-based authentication

After a device is authorized with IEEE 802.1x MAC-based authentication, you can quarantine it. If the device was quarantined before 802.1x MAC-based authentication was enabled, its traffic remains in quarantine VLAN 4093 after 802.1x MAC-based authentication is enabled.

To use quarantines with IEEE 802.1x MAC-based authentication:

  1. By default, quarantine VLAN detection is enabled globally on the managed FortiSwitch unit. Verify that quarantine-vlan is enabled with the following commands:

    S448DF3X16000118 # config switch global
    S448DF3X16000118 (global) # config port-security
    S448DF3X16000118 (port-security) # get
    link-down-auth : set-unauth
    mab-reauth : disable
    quarantine-vlan : enable
    reauth-period : 60
    max-reauth-attempt : 0

  2. By default, 802.1x MAC-based authentication and quarantine VLAN detection are enabled at the port level on the managed FortiSwitch unit. Verify the port-security-mode and quarantine-vlan settings. For example:

    S448DF3X16000118 (port17) # show switch interface port17
    config switch interface
        edit "port17"
            set allowed-vlans 4093
            set untagged-vlans 4093
            set security-groups "group1"
            set snmp-index 17
            config port-security
                set auth-fail-vlan disable
                set eap-passthru enable
                set framevid-apply enable
                set guest-auth-delay 30
                set guest-vlan disable
                set mac-auth-bypass enable
                set open-auth disable
                set port-security-mode 802.1X-mac-based
                set quarantine-vlan enable
                set radius-timeout-overwrite disable
                set auth-fail-vlanid 200
                set guest-vlanid 100
            end
        next
    end

  3. On the FortiGate unit, quarantine a MAC address. For example:

    config user quarantine
        config targets
            edit "quarantine1"
                config macs
                    edit 00:05:65:ad:15:03
                    next
                end
            next
        end
    end

  4. The FortiGate unit pushes the MAC-VLAN binding to the managed FortiSwitch unit. Verify that the managed FortiSwitch unit received the binding with the following command:

    S448DF3X16000118 # show switch vlan 4093
    config switch vlan
        edit 4093
            set description "qtn.FLNK10"
            set dhcp-snooping enable
            set access-vlan enable
            config member-by-mac
                edit 1
                    set mac 00:05:65:ad:15:03
                next
            end
        next
    end

  5. The 802.1x session shows that the MAC address is quarantined in VLAN 4093. Verify that the managed FortiSwitch port has the quarantined MAC address. For example:

    S448DF3X16000118 # diagnose switch 802-1x status port17

    port17: Mode: mac-based (mac-by-pass enable)
    Link: Link up
    Port State: authorized: ( )
    EAP pass-through mode : Enable
    Quarantine VLAN (4093) detection : Enable
    Native Vlan : 1
    Allowed Vlan list: 1,4093
    Untagged Vlan list: 1,4093
    Guest VLAN :
    Auth-Fail Vlan :

    Switch sessions 3/480, Local port sessions:1/20
    Client MAC         Type    Vlan  Dynamic-Vlan  Quarantined
    00:05:65:ad:15:03  802.1x  1     4093

    Sessions info:
    00:50:56:ad:51:81 Type=802.1x,PEAP,state=AUTHENTICATED,etime=0,eap_cnt=41 params:reAuth=1800

  6. The MAC address table also shows the MAC address in VLAN 4093. Verify the entries in the MAC address table with the following commands:

    S448DF3X16000118 # diagnose switch vlan assignment mac list
    00:05:65:ad:15:03 VLAN: 4093 Installed: yes
    Source: 802.1X-MAC-Radius
    Description: port17

    S448DF3X16000118 # diagnose switch mac list | grep "VLAN: 4093"
    MAC: 00:05:65:ad:15:03 VLAN: 4093 Port: port17(port-id 17)

Viewing quarantine entries

Quarantine entries are created on the FortiGate unit that is managing the FortiSwitch unit.

Using the FortiGate GUI

  1. Go to Monitor > Quarantine Monitor.
  2. Click Quarantined on FortiSwitch. The Quarantined on FortiSwitch button is only available if a device has been detected behind the FortiSwitch unit, which requires Device Detection to be enabled.

Using the FortiGate CLI

Use the following command to view the quarantine list of MAC addresses:

show user quarantine

For example:

show user quarantine

config user quarantine
    set quarantine enable
    config targets
        edit quarantine1
            set description "infected by virus"
            config macs
                edit 00:00:00:aa:bb:cc
                next
                edit 00:11:22:33:44:55
                next
                edit 00:01:02:03:04:05
                next
            end
        next
    end
end
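Listing the quarantine entries on the FortiGate unit only shows what was configured; it does not prove that the managed switch is enforcing it. As an added check (example code, not from the Fortinet documentation), the following Python script reads the show user quarantine output from the FortiGate unit together with the diagnose switch mac list output from the managed FortiSwitch unit (the command used in the 802.1x section above) and reports, for each quarantined MAC address, whether the switch has learned it in quarantine VLAN 4093, in a production VLAN, or not at all. The sample outputs embedded below are constructed for the example; the function names and the VLAN id constant are assumptions taken from the outputs shown on this page.

```python
import re

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
# VLAN id FortiOS assigns to qtn.<FortiLink_port_name>, as seen in the outputs above.
QUARANTINE_VLAN = 4093


def parse_user_quarantine(text):
    """Parse FortiGate 'show user quarantine' output into (enabled, {mac, ...})."""
    enabled = True  # the feature is enabled by default; only an explicit disable turns it off
    macs = set()
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"set quarantine (enable|disable)", line)
        if m:
            enabled = m.group(1) == "enable"
            continue
        m = re.fullmatch(rf'edit "?({MAC})"?', line, re.IGNORECASE)
        if m:  # 'edit <mac>' lines inside config macs; entry names never match the MAC pattern
            macs.add(m.group(1).lower())
    return enabled, macs


def parse_switch_mac_table(text):
    """Parse FortiSwitch 'diagnose switch mac list' lines into {mac: (vlan, port)}."""
    table = {}
    pattern = rf"MAC:\s*({MAC})\s+VLAN:\s*(\d+)\s+Port:\s*(\w+)"
    for m in re.finditer(pattern, text, re.IGNORECASE):
        table[m.group(1).lower()] = (int(m.group(2)), m.group(3))
    return table


def check_enforcement(fgt_output, fsw_output, quarantine_vlan=QUARANTINE_VLAN):
    """Cross-check every quarantined MAC against the switch MAC address table.

    The failure mode to look for is a MAC that the FortiGate unit lists as
    quarantined but that the switch still learns in a production VLAN: the
    binding was not pushed, or the host kept its old DHCP lease (see the
    bounce-quarantined-link option above).
    """
    enabled, quarantined = parse_user_quarantine(fgt_output)
    table = parse_switch_mac_table(fsw_output)
    report = {}
    for mac in sorted(quarantined):
        if not enabled:
            report[mac] = "NOT ENFORCED: quarantine feature disabled"
        elif mac not in table:
            report[mac] = "not seen on this switch"
        else:
            vlan, port = table[mac]
            if vlan == quarantine_vlan:
                report[mac] = f"quarantined on {port} (VLAN {vlan})"
            else:
                report[mac] = f"NOT ENFORCED: {port} still in VLAN {vlan}"
    return report


# Constructed sample outputs (not captured from a real device). The quarantine
# list mirrors the example above; the switch table has one MAC correctly in
# VLAN 4093, one still in VLAN 1, and one that is not present at all.
FGT_SHOW = """config user quarantine
    set quarantine enable
    config targets
        edit quarantine1
            set description "infected by virus"
            config macs
                edit 00:00:00:aa:bb:cc
                next
                edit 00:11:22:33:44:55
                next
                edit 00:01:02:03:04:05
                next
            end
        next
    end
end
"""

FSW_MAC_LIST = """MAC: 00:00:00:aa:bb:cc VLAN: 4093 Port: port17(port-id 17)
MAC: 00:11:22:33:44:55 VLAN: 1 Port: port3(port-id 3)
MAC: 00:50:56:ad:51:81 VLAN: 1 Port: port17(port-id 17)
"""

if __name__ == "__main__":
    for mac, status in check_enforcement(FGT_SHOW, FSW_MAC_LIST).items():
        print(f"{mac}  {status}")
```

Feed it the real command outputs (for example, saved from an SSH session) in place of the constructed strings. A "not seen" result is expected for a host that is offline or connected through another managed switch; a "NOT ENFORCED" result is the one to act on.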

 

When the quarantine feature is enabled on the FortiGate unit, it creates a quarantine VLAN interface (qtn.<FortiLink_port_name>) and a quarantine DHCP server, whose default gateway is the quarantine VLAN interface address, in the virtual domain. The quarantine VLAN is added to the allowed and untagged VLANs on all connected FortiSwitch ports.

Use the following command to view the quarantine VLAN:

show system interface qtn.<FortiLink_port_name>

For example:

show system interface qtn.port7

config system interface
    edit "qtn.port7"
        set vdom "vdom1"
        set ip 10.254.254.254 255.255.255.0
        set description "Quarantine VLAN"
        set security-mode captive-portal
        set replacemsg-override-group "auth-intf-qtn.port7"
        set device-identification enable
        set device-identification-active-scan enable
        set snmp-index 34
        set switch-controller-access-vlan enable
        set color 6
        set interface "port7"
        set vlanid 4093
    next
end

 

Use the following command to view the quarantine DHCP server:

show system dhcp server

config system dhcp server
    edit 2
        set dns-service default
        set default-gateway 10.254.254.254
        set netmask 255.255.255.0
        set interface "qtn.port7"
        config ip-range
            edit 1
                set start-ip 10.254.254.192
                set end-ip 10.254.254.253
            next
        end
        set timezone-option default
    next
end

 

Use the following command to view how the quarantine VLAN is applied to the allowed and untagged VLANs on all connected FortiSwitch ports:

show switch-controller managed-switch

For example:

show switch-controller managed-switch

config switch-controller managed-switch
    edit "FS1D483Z15000036"
        set fsw-wan1-peer "port7"
        set fsw-wan1-admin enable
        set version 1
        set dynamic-capability 503
        config ports
            edit "port1"
                set vlan "vsw.port7"
                set allowed-vlans "qtn.port7"
                set untagged-vlans "qtn.port7"
            next
            edit "port2"
                set vlan "vsw.port7"
                set allowed-vlans "qtn.port7"
                set untagged-vlans "qtn.port7"
            next
            edit "port3"
                set vlan "vsw.port7"
                set allowed-vlans "qtn.port7"
                set untagged-vlans "qtn.port7"
            next
            ...
        end
    next
end

Releasing MAC addresses from quarantine

Using the FortiGate GUI

  1. Go to Monitor > Quarantine Monitor.
  2. Click Quarantined on FortiSwitch.
  3. Right-click on one of the entries and select Delete or Remove All.
  4. Click OK to confirm your choice.

Using the FortiGate CLI

To release MAC addresses from quarantine, you can delete a single MAC address or delete a quarantine entry, which will delete all of the MAC addresses listed in the entry. You can also disable the quarantine feature, which releases all quarantined MAC addresses from quarantine.

To delete a single quarantined MAC address:

config user quarantine
    config targets
        edit <quarantine_entry_name>
            config macs
                delete <MAC_address_1>
            end
        next
    end
end

To delete all MAC addresses in a quarantine entry:

config user quarantine
    config targets
        delete <quarantine_entry_name>
    end
end

To disable the quarantine feature:

config user quarantine
    set quarantine disable
end

 
