Quarantines (410828)

Quarantines (410828)

Quarantined MAC addresses are blocked on the connected FortiSwitches from the network and the LAN.

NOTE: You must enable the quarantine feature in the FortiGate CLI using the set quarantine enable command. You can add MAC addresses to the quarantine list before enabling the quarantine feature, but the quarantine does not go into effect until enabled.

Quarantining a MAC address

Using the FortiGate GUI

  1. Select the host to quarantine.
    • Go to Security Fabric > Physical Topology, right-click on a host, and select Quarantine Host on FortiSwitch.
    • Go to Security Fabric > Logical Topology, right-click on a host, and select Quarantine Host on FortiSwitch.
    • Go to FortiView > Sources, right-click on an entry in the Source column, and select Quarantine Host on FortiSwitch.
  2. Click OK to confirm that you want to quarantine the host.

Using the FortiGate CLI

config switch-controller quarantine set quarantine enable edit <MAC_address> set description <string>

set tags <tag1 tag2 tag3 …>

next

next

end

Option Description
MAC_address A layer-2 MAC address in the following format: 12:34:56:aa:bb:cc
string Optional. A description of the MAC address being quarantined.
tag1 tag2 tag3 … Optional. A list of arbitrary strings.

Viewing quarantine entries

Quarantine entries are created on the FortiGate that is managing the FortiSwitch.

Using the FortiGate GUI

  1. Go to Monitor > Quarantine Monitor.
  2. Click Quarantined on FortiSwitch.

Using the FortiGate CLI

Use the following command to view the quarantine list of MAC addresses: show switch-controller quarantine

When the quarantine feature is enabled on the FortiGate, it creates a quarantine VLAN (qtn.<FortiLink_port_ name>) on the virtual domain. The quarantine VLAN is applied to the allowed and untagged VLANs on all connected FortiSwitch ports.

Use the following command to view the quarantine VLAN: show system interface qtn.<FortiLink_port_name>

Use the following command to view how the quarantine VLAN is applied to the allowed and untagged VLANs on all connected FortiSwitch ports:

show switch-controller managed-switch

Releasing MAC addresses from quarantine

Using the FortiGate GUI

  1. Go to Monitor > Quarantine Monitor.
  2. Click Quarantined on FortiSwitch.
  3. Right-click on one of the entries and select Delete or Remove All.
  4. Click OK to confirm your choice.

Using the FortiGate CLI

Use the following commands to delete a quarantined MAC address:

config switch-controller quarantine config targets delete <MAC_address>

end

When the quarantine feature is disabled, all quarantined MAC addresses are released from quarantine. Use the following commands to disable the quarantine feature:

config switch-controller quarantine set quarantine disable

end

This entry was posted in FortiOS 5.6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.