Switch controller - quarantine by redirect
Quarantine by redirect makes the FortiSwitch redirect traffic from the quarantined host to the FortiGate, keeping the device on its original network and letting FortiGate firewall policies decide what the host may still reach. This is the default quarantine mode.
Quarantine by VLAN, which moves the device from the normal switch VLAN to the quarantine VLAN, can be complicated for administrators who use DHCP or static IP address assignments. When a device is moved to the quarantine VLAN, its IP address is no longer valid on that segment, which makes remediating the device difficult.
In this example, the PC can access the internet because a firewall policy (called PC to Internet) allows traffic from interface vsw.port11 to port1. When the PC is quarantined, a firewall address is automatically created for its MAC address and added to an automatically created address group called QuarantinedDevices. A second policy (called quarantine) matches this address group and blocks traffic from the PC to the internet. Because the FortiGate evaluates firewall policies top down and stops at the first match, the quarantine policy must be placed above PC to Internet.
The FortiSwitch configuration is done automatically after the FortiGate is configured.
To configure the quarantine mode:
config switch-controller global
    set quarantine-mode {by-vlan | by-redirect}
end
The default is by-redirect.
To quarantine an active device, based on the device's MAC address, in the GUI:
- Go to Security Fabric > Physical Topology or Security Fabric > Logical Topology.
- Right-click the bubble of an active device and select Quarantine Host.
- Click OK in the Quarantine Host page to quarantine the device.
Firewall addresses and an address group (QuarantinedDevices) are automatically added for the quarantined devices.
- Go to Policy & Objects > Firewall Policy and create a policy that uses the QuarantinedDevices group as the source and blocks traffic from quarantined devices to the internet. Place it above the policy that allows internet access.
To quarantine an active device, based on the device's MAC address, in the CLI:
config user quarantine
    set traffic-policy quarantine
    set firewall-groups "QuarantinedDevices"
    config targets
        edit "manual-qtn-1"
            set description "Manually quarantined"
            config macs
                edit 00:0c:29:d4:4f:3c
                    set description "manual-qtn"
                    set drop disable
                next
            end
        next
    end
end
Firewall addresses are automatically created for the quarantined MAC address, and the addresses are added to the QuarantinedDevices address group. The all-zero entry qtn.mac_00:00:00:00:00:00 is a dummy member that keeps the group from becoming empty when the last real MAC address is released; it never matches a host:
# show firewall address | grep -f qtn
config firewall address
    edit "qtn.mac_00:00:00:00:00:00" <---
        set uuid 9069e73c-3c6e-51ea-28d4-b807167fdcb7
        set type mac
        set comment "Quarantine dummy MAC to keep the addrgrp"
    next
    edit "qtn.mac_00:0c:29:d4:4f:3c" <---
        set uuid 869847ce-3c84-51ea-59c2-964152415e22
        set type mac
        set start-mac 00:0c:29:d4:4f:3c
        set end-mac 00:0c:29:d4:4f:3c
        set comment "Quarantine MAC"
    next
end
# show firewall addrgrp | grep -f Quarantined
config firewall addrgrp
    edit "QuarantinedDevices" <---
        set uuid 9069d332-3c6e-51ea-17e1-cab3dd4dde6c
        set member "qtn.mac_00:00:00:00:00:00" "qtn.mac_00:0c:29:d4:4f:3c"
    next
end
To view the automatic configuration changes on the FortiSwitch (a quarantine entry for the MAC address and the ingress ACL it refers to):
config switch quarantine
    edit 00:0c:29:d4:4f:3c
        set acl-id 2
        set cos-queue 0
        set description "manual-qtn "
        set policer 1
    next
end
config switch acl ingress
    edit 2
        config action
            set cos-queue 0
            set count enable
            set policer 1
        end
        config classifier
            set src-mac 00:0c:29:d4:4f:3c
        end
        set ingress-interface-all enable
    next
end
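After quarantining a host, the check worth running is that both sides agree: the FortiGate must hold a qtn.mac_ address object for the MAC that is also a member of QuarantinedDevices, and the FortiSwitch must hold a quarantine entry whose acl-id points at an ingress ACL that actually classifies on that same MAC. A MAC present on only one side, or pointing at the wrong ACL, means the redirect is not in force. The script below is an added example, not Fortinet code: it parses the three outputs shown above (the sample strings are constructed from this page with uuid lines omitted), accepts MACs in dash, dot or colon notation, and reports any mismatch. The function names are the example's own.

```python
# Added example (not Fortinet code): cross-check the FortiGate's 'show firewall
# address' / 'show firewall addrgrp' output against the FortiSwitch's 'config switch
# quarantine' / 'config switch acl ingress' output, so a MAC that is quarantined on
# only one side, or present with a wrong ACL, is reported. Samples are constructed.
import re
from typing import Dict, List, Set

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")
DUMMY_MAC = "00:00:00:00:00:00"  # placeholder FortiOS keeps so the group is never empty
GROUP = "QuarantinedDevices"


def normalize_mac(mac: str) -> str:
    """Lower-case colon form, as used in the FortiOS 'qtn.mac_<mac>' address names."""
    m = mac.strip().lower().replace("-", ":").replace(".", "")
    if ":" not in m and len(m) == 12:
        m = ":".join(m[i:i + 2] for i in range(0, 12, 2))
    if not MAC_RE.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m


def fortigate_quarantined(show_address: str, show_addrgrp: str) -> Set[str]:
    """MACs that have a single-host qtn.mac_ object AND are members of the group."""
    objects = set()
    for m in re.finditer(r'edit "qtn\.mac_([0-9a-f:]+)"(.*?)\n\s*next', show_address, re.S):
        mac, body = m.group(1), m.group(2)
        # a real entry has start-mac and end-mac equal to the MAC in its name
        if mac != DUMMY_MAC and re.findall(r"set (?:start|end)-mac (\S+)", body) == [mac, mac]:
            objects.add(mac)
    grp = re.search(rf'edit "{GROUP}"(.*?)\n\s*next', show_addrgrp, re.S)
    members = set(re.findall(r'"qtn\.mac_([0-9a-f:]+)"', grp.group(1) if grp else ""))
    return objects & members


def fortiswitch_quarantined(switch_cfg: str) -> Set[str]:
    """MACs whose quarantine entry points at an ingress ACL that classifies on that MAC."""
    def entries(section: str, key: str) -> Dict[str, str]:
        # {edit name: value of 'set <key>'} for each edit/next entry of a top-level section;
        # only a column-0 'end' closes the section, so nested 'config ... end' is skipped
        blk = re.search(rf"{section}(.*?)\nend", switch_cfg, re.S)
        found = {}
        for m in re.finditer(r"edit (\S+)(.*?)\n\s*next", blk.group(1) if blk else "", re.S):
            hit = re.search(rf"set {key} (\S+)", m.group(2))
            if hit:
                found[m.group(1)] = hit.group(1)
        return found
    acl_of = entries("config switch quarantine", "acl-id")    # mac -> ACL id
    src_of = entries("config switch acl ingress", "src-mac")  # ACL id -> matched src MAC
    return {mac for mac, acl in acl_of.items() if src_of.get(acl) == mac}


def verify(expected: List[str], show_address: str, show_addrgrp: str,
           switch_cfg: str) -> Dict[str, List[str]]:
    """Empty lists mean FortiGate and FortiSwitch both hold exactly the intended MACs."""
    want = {normalize_mac(m) for m in expected}
    fgt = fortigate_quarantined(show_address, show_addrgrp)
    fsw = fortiswitch_quarantined(switch_cfg)
    return {"missing_on_fortigate": sorted(want - fgt),
            "missing_on_fortiswitch": sorted(want - fsw),
            "unexpected": sorted((fgt | fsw) - want)}


# Constructed sample output (uuid lines omitted), matching the listings on this page.
SHOW_ADDRESS = """config firewall address
    edit "qtn.mac_00:00:00:00:00:00"
        set type mac
        set comment "Quarantine dummy MAC to keep the addrgrp"
    next
    edit "qtn.mac_00:0c:29:d4:4f:3c"
        set type mac
        set start-mac 00:0c:29:d4:4f:3c
        set end-mac 00:0c:29:d4:4f:3c
    next
end"""
SHOW_ADDRGRP = """config firewall addrgrp
    edit "QuarantinedDevices"
        set member "qtn.mac_00:00:00:00:00:00" "qtn.mac_00:0c:29:d4:4f:3c"
    next
end"""
SWITCH_CFG = """config switch quarantine
    edit 00:0c:29:d4:4f:3c
        set acl-id 2
        set policer 1
    next
end
config switch acl ingress
    edit 2
        config action
            set policer 1
        end
        config classifier
            set src-mac 00:0c:29:d4:4f:3c
        end
    next
end"""

if __name__ == "__main__":
    print(verify(["00-0C-29-D4-4F-3C"], SHOW_ADDRESS, SHOW_ADDRGRP, SWITCH_CFG))
```

Feed it the real output of the three show commands instead of the samples; the dummy all-zero member is ignored on purpose, and a quarantine entry whose acl-id points at an ACL classifying on a different MAC is treated as not quarantined on the FortiSwitch.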