Quarantines
Administrators can use MAC addresses to quarantine hosts and users connected to a FortiSwitch unit. Quarantined MAC addresses are isolated from the rest of the network and LAN.
This section covers the following topics:
- Quarantining MAC addresses
- Using quarantine with DHCP
- Using quarantine with 802.1x MAC-based authentication
- Viewing quarantine entries
- Releasing MAC addresses from quarantine
Quarantining MAC addresses
You can use the FortiGate GUI or CLI to quarantine a MAC address.
NOTE: If you have multiple FortiLink interfaces, only the first quarantine VLAN is created successfully (with an IP address of 10.254.254.254). Additional quarantine VLANs will have an empty IP address.
Using the FortiGate GUI
In the FortiGate GUI, the quarantine feature is automatically enabled when you quarantine a host.
- Select the host to quarantine.
- Go to Security Fabric > Physical Topology, right-click on a host, and select Quarantine Host on FortiSwitch.
- Go to Security Fabric > Logical Topology, right-click on a host, and select Quarantine Host on FortiSwitch.
- Go to FortiView > Sources, right-click on an entry in the Source column, and select Quarantine Host on FortiSwitch.
- Select Accept to confirm that you want to quarantine the host.
Using the FortiGate CLI
NOTE: Previously, this feature used the config switch-controller quarantine
CLI command.
There are two kinds of quarantines:
- Quarantine-by-VLAN sends quarantined device traffic to the FortiGate unit on a separate quarantine VLAN (starting in FortiOS 6.0.0 and FortiSwitchOS 6.0.0).
- Quarantine-by-redirect redirects quarantined device traffic to a firewall address group on the FortiGate unit (starting in FortiOS 6.4.0 and FortiSwitchOS 6.4.0).
By default, the quarantine feature is enabled. When you upgrade a FortiGate unit from an older to a newer firmware version, the FortiGate unit uses the quarantine feature status from the older configuration. If the quarantine feature was disabled in the older configuration, it will be disabled after the upgrade.
You can add MAC addresses to be quarantined even when the quarantine feature is disabled. The MAC addresses are only quarantined when the quarantine feature is enabled.
The table size limit for the quarantine entry is 512. There is no limit for how many MAC addresses can be quarantined per quarantine entry.
Optionally, you can configure a traffic policy for quarantined devices to control how much bandwidth and burst they use and which class of service (CoS) queue they are assigned to. Without a traffic policy, you cannot control how much network resources quarantined devices use.
Starting in FortiOS 6.4.1, quarantine-by-VLAN is the default. If you have a quarantine-by-VLAN configuration and want to migrate to a quarantine-by-redirect configuration:
- Disable quarantine.
- Change the quarantine-mode to
by-redirect
. - Remove the quarantine VLAN from the switch ports.
- Enable quarantine.
To set up a quarantine in FortiOS:
config switch-controller global
set quarantine-mode {by-vlan | by-redirect}
end
config user quarantine
set quarantine enable
set traffic-policy <traffic_policy_name>
set firewall-groups <firewall_address_group>
config targets
edit <quarantine_entry_name>
set description <string>
config macs
edit <MAC_address_1>
set drop {enable | disable}
next
edit <MAC_address_2>
set drop {enable | disable}
next
edit <MAC_address_3>
set drop {enable | disable}
next
end
end
end
Option | Description |
---|---|
quarantine-mode {by-vlan | by-redirect} |
Select the quarantine mode:
|
traffic-policy <traffic_policy_name> |
Optional. A name for the traffic policy that controls quarantined devices. If you do add a traffic policy, you need to configure it with the |
firewall-groups <firewall_address_group> |
Optional. By default, the firewall address group is |
quarantine_entry_name | A name for this quarantine entry. |
description <string> | Optional. A description of the MAC addresses being quarantined. |
MAC_address_1, MAC_address_2, MAC_address_3 | A layer-2 MAC address in the following format: 12:34:56:aa:bb:cc
|
drop {enable | disable} |
Enable to drop quarantined device traffic. Disable to send quarantined device traffic to the FortiGate unit. |
For example:
config switch-controller global
set quarantine-mode by-redirect
end
config user quarantine
set quarantine enable
set traffic-policy qtrafficp
set firewall-groups QuarantinedDevices
config targets
edit quarantine1
config macs
set description "infected by virus"
edit 00:00:00:aa:bb:cc
set drop disable
next
edit 00:11:22:33:44:55
set drop disable
next
edit 00:01:02:03:04:05
set drop disable
next
end
next
end
To configure a traffic policy for quarantined devices in FortiOS:
config switch-controller traffic-policy
edit <traffic_policy_name>
set description <string>
set policer-status enable
set guaranteed-bandwidth <0-524287000>
set guaranteed-burst <0-4294967295>
set maximum-burst <0-4294967295>
set cos-queue <0-7>
end
Option | Description |
---|---|
traffic-policy <traffic_policy_name> |
Enter a name for the traffic policy that controls quarantined devices. |
description <string> |
Enter an optional description of the traffic policy. |
policer-status enable |
Enable the policer configuration to control quarantined devices. It is enabled by default. |
guaranteed-bandwidth <0-524287000> |
Enter the guaranteed bandwidth in kbps. The maximum value is 524287000. The default value is 0. |
guaranteed-burst <0-4294967295> |
Enter the guaranteed burst size in bytes. The maximum value is 4294967295. The default value is 0. |
maximum-burst <0-4294967295> |
The maximum burst size is in bytes. The maximum value is 4294967295. The default value is 0. |
set cos-queue <0-7> |
Set the class of service for the VLAN traffic. Use the |
For example:
config switch-controller traffic-policy
edit qtrafficp
set description "quarantined traffic policy"
set policer-status enable
set guaranteed-bandwidth 10000
set guaranteed-burst 10000
set maximum-burst 10000
unset cos-queue
end
Using quarantine with DHCP
When a device using DHCP is quarantined, the device becomes inaccessible until the DHCP is renewed. To avoid this problem, enable the bounce-quarantined-link option, which shuts down the switch port where the quarantined device was last seen and then brings it back up again. Bouncing the port when the device is quarantined and when the device is released from quarantine causes the DHCP to be renewed so that the device is connected to the correct network. By default, the bounce-quarantined-link option is disabled.
To bounce the switch port where a quarantined device was last seen:
config switch-controller global
set bounce-quarantined-link {enable | disable}
end
Using quarantine with 802.1x MAC-based authentication
After a device is authorized with IEEE 802.1x MAC-based authentication, you can quarantine that device. If the device was quarantined before 802.1x MAC-based authentication was enabled, the deviceʼs traffic remains in the quarantine VLAN 4093 after 802.1x MAC-based authentication is enabled.
To use quarantines with IEEE 802.1x MAC-based authentication:
- By default, detecting the quarantine VLAN is enabled on a global level on the managed FortiSwitch unit. You can verify that quarantine-vlan is enabled with the following commands:
- By default, 802.1x MAC-based authentication and quarantine VLAN detection are enabled on a port level on the managed FortiSwitch unit. You can verify the settings for the port-security-mode and quarantine-vlan. For example:
- On the FortiGate unit, quarantine a MAC address. For example:
- The FortiGate unit pushes the MAC-VLAN binding to the managed FortiSwitch unit. You can verify that the managed FortiSwitch unit received the MAC-VLAN binding with the following command:
- The 802.1x session shows that the MAC address is quarantined in VLAN 4093. You can verify that the managed FortiSwitch port has the quarantined MAC address. For example:
- The MAC address table also shows the MAC address in VLAN 4093. You can verify the entries in the MAC address table with the following commands:
S448DF3X16000118 # config switch global
S448DF3X16000118 (global) # config port-security
S448DF3X16000118 (port-security) # get
link-down-auth : set-unauth
mab-reauth : disable
quarantine-vlan : enable
reauth-period : 60
max-reauth-attempt : 0
S448DF3X16000118 (port17) # show switch interface port17
config switch interface
edit "port17"
set allowed-vlans 4093
set untagged-vlans 4093
set security-groups "group1"
set snmp-index 17
config port-security
set auth-fail-vlan disable
set eap-passthru enable
set framevid-apply enable
set guest-auth-delay 30
set guest-vlan disable
set mac-auth-bypass enable
set open-auth disable
set port-security-mode 802.1X-mac-based
set quarantine-vlan enable
set radius-timeout-overwrite disable
set auth-fail-vlanid 200
set guest-vlanid 100
end
next
end
config user quarantine
edit "quarantine1"
config macs
edit 00:05:65:ad:15:03
next
end
next
end
S448DF3X16000118 # show switch vlan 4093
config switch vlan
edit 4093
set description "qtn.FLNK10"
set dhcp-snooping enable
set access-vlan enable
config member-by-mac
edit 1
set mac 00:05:65:ad:15:03
next
end
next
end
S448DF3X16000118 # diagnose switch 8 status port17
port17: Mode: mac-based (mac-by-pass enable)
Link: Link up
Port State: authorized: ( )
EAP pass-through mode : Enable
Quarantine VLAN (4093) detection : Enable
Native Vlan : 1
Allowed Vlan list: 1,4093
Untagged Vlan list: 1,4093
Guest VLAN :
Auth-Fail Vlan :
Switch sessions 3/480, Local port sessions:1/20
Client MAC Type Vlan Dynamic-Vlan
Quarantined
00:05:65:ad:15:03 802.1x 1 4093
Sessions info:
00:50:56:ad:51:81 Type=802.1x,PEAP,state=AUTHENTICATED,etime=0,eap_cnt=41 params:reAuth=1800
S448DF3X16000118 # diagnose switch vlan assignment mac list
00:05:65:ad:15:03 VLAN: 4093 Installed: yes
Source: 802.1X-MAC-Radius
Description: port17
S448DF3X16000118 # diagnose switch mac list | grep "VLAN: 4093"
MAC: 00:05:65:ad:15:03 VLAN: 4093 Port: port17(port-id 17)
Viewing quarantine entries
Quarantine entries are created on the FortiGate unit that is managing the FortiSwitch unit.
Using the FortiGate GUI
- Go to Monitor > Quarantine Monitor.
- Click Quarantined on FortiSwitch.The Quarantined on FortiSwitch button is only available if a device is detected behind the FortiSwitch unit, which requires Device Detection to be enabled.
Using the FortiGate CLI
Use the following command to view the quarantine list of MAC addresses:
show user quarantine
For example:
show user quarantine
config user quarantine
set quarantine enable
config targets
edit quarantine1
config macs
set description "infected by virus"
edit 00:00:00:aa:bb:cc
next
edit 00:11:22:33:44:55
next
edit 00:01:02:03:04:05
next
end
end
end
When the quarantine feature is enabled on the FortiGate unit, it creates a quarantine VLAN (qtn.<FortiLink_port_name>) and a quarantine DHCP server (with the quarantine VLAN as default gateway) on the virtual domain. The quarantine VLAN is applied to the allowed and untagged VLANs on all connected FortiSwitch ports.
Use the following command to view the quarantine VLAN:
show system interface qtn.<FortiLink_port_name>
For example:
show system interface qtn.port7
config system interface
edit "qtn.port7"
set vdom "vdom1"
set ip 10.254.254.254 255.255.255.0
set description "Quarantine VLAN"
set security-mode captive-portal
set replacemsg-override-group "auth-intf-qtn.port7"
set device-identification enable
set device-identification-active-scan enable
set snmp-index 34
set switch-controller-access-vlan enable
set color 6
set interface "port7"
set vlanid 4093
next
end
Use the following commands to view the quarantine DHCP server:
show system dhcp server
config system dhcp server
edit 2
set dns-service default
set default-gateway 10.254.254.254
set netmask 255.255.255.0
set interface "qtn.port7"
config ip-range
edit 1
set start-ip 10.254.254.192
set end-ip 10.254.254.253
next
end
set timezone-option default
next
end
Use the following command to view how the quarantine VLAN is applied to the allowed and untagged VLANs on all connected FortiSwitch ports:
show switch-controller managed-switch
For example:
show switch-controller managed-switch
config switch-controller managed-switch
edit "FS1D483Z15000036"
set fsw-wan1-peer "port7"
set fsw-wan1-admin enable
set version 1
set dynamic-capability 503
config ports
edit "port1"
set vlan "vsw.port7"
set allowed-vlans "qtn.port7"
set untagged-vlans "qtn.port7"
next
edit "port2"
set vlan "vsw.port7"
set allowed-vlans "qtn.port7"
set untagged-vlans "qtn.port7"
next
edit "port3"
set vlan "vsw.port7"
set allowed-vlans "qtn.port7"
set untagged-vlans "qtn.port7"
next
...
end
end
Releasing MAC addresses from quarantine
Using the FortiGate GUI
- Go to Monitor > Quarantine Monitor.
- Click Quarantined on FortiSwitch.
- Right-click on one of the entries and select Delete or Remove All.
- Click OK to confirm your choice.
Using the FortiGate CLI
To release MAC addresses from quarantine, you can delete a single MAC address or delete a quarantine entry, which will delete all of the MAC addresses listed in the entry. You can also disable the quarantine feature, which releases all quarantined MAC addresses from quarantine.
To delete a single quarantined MAC address:
config user quarantine
config targets
edit <quarantine_entry_name>
config macs
delete <MAC_address_1>
end
end
end
To delete all MAC addresses in a quarantine entry:
config user quarantine
config targets
delete <quarantine_entry_name>
end
end
To disable the quarantine feature:
config user quarantine
set quarantine disable
end