Technical Tip: How to ban or quarantine an IP with FortiView and CLI in FortiGate
Description
This article describes how to ban or quarantine a source IP using the FortiView feature in FortiGate, and how to do the same from the CLI.
Scope
FortiGate.
Solution
To ban or quarantine an IP, navigate to FortiView -> Sources.
Right-click the source to ban and select Ban IP:

After selecting Ban IP, specify the duration of the ban:

To view the banned IP on the GUI, navigate to Monitor -> Quarantine Monitor:

To ban an IP from the CLI, the following command can be used ('?' lists the available sub-commands):
diagnose user quarantine ?
list: List user quarantine entries.
add: Add user quarantine entry.
delete: Delete user quarantine entry.
clear: Clear all user quarantine entries.
stat: stat
Below is an example of the syntax for banning an IP, walked through option by option with '?' to show the possible values:
diagnose user quarantine add ?
src4: IPv4 source ban.
src6: IPv6 source ban.
diagnose user quarantine add src4 ?
<src-ipv4> Source IPv4 address.
diagnose user quarantine add src4 172.31.128.4 ?
<expiry> Expiry in seconds.
diagnose user quarantine add src4 172.31.128.4 60 ?
<ban-source> Ban source (admin/dlp/ips/av/dos).
diagnose user quarantine add src4 172.31.128.4 60 admin ?
<Enter> --> no more options are available; press Enter to ban the IP.
To unban an IP:
diag user quarantine delete src4 <ipv4-address>
To view the quarantined IP in the CLI, run the following command:
diagnose user quarantine list
Note: From version 7.2 onward, the syntax has changed to 'banned-ip' instead of 'quarantine':
diag user banned-ip ?

diag user banned-ip add ?

diagnose user banned-ip add src4 172.31.128.4 ?
diagnose user banned-ip add src4 172.31.128.4 60 ?
diagnose user banned-ip add src4 172.31.128.4 60 admin ?
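As an added example (not part of the original article or Fortinet's own tooling), the helper below builds the exact ban/unban/list command strings shown above, switching between the 'quarantine' and 'banned-ip' keywords at FortiOS 7.2 and choosing src4 or src6 from the address itself. It assumes the delete and list verbs are unchanged under 'banned-ip', and it only builds the strings; sending them over SSH is left to the caller.

```python
import ipaddress

# Ban sources accepted by the CLI, as listed by the '?' help: admin/dlp/ips/av/dos.
BAN_SOURCES = {"admin", "dlp", "ips", "av", "dos"}


def _keyword(version: str) -> str:
    """FortiOS 7.2 and later use 'banned-ip'; earlier releases use 'quarantine'."""
    major, minor = (int(part) for part in version.split(".")[:2])
    return "banned-ip" if (major, minor) >= (7, 2) else "quarantine"


def _family(ip: str) -> str:
    """Pick src4 or src6 from the address; ipaddress raises ValueError on garbage."""
    return "src6" if ipaddress.ip_address(ip).version == 6 else "src4"


def ban_command(version: str, ip: str, expiry: int, source: str = "admin") -> str:
    """Build 'diagnose user <keyword> add <src4|src6> <ip> <expiry> <source>'."""
    if expiry <= 0:
        raise ValueError("expiry must be a positive number of seconds")
    if source not in BAN_SOURCES:
        raise ValueError(f"ban source must be one of {sorted(BAN_SOURCES)}")
    return f"diagnose user {_keyword(version)} add {_family(ip)} {ip} {expiry} {source}"


def unban_command(version: str, ip: str) -> str:
    """Build the matching delete command (assumed to keep the same verb on 7.2+)."""
    return f"diagnose user {_keyword(version)} delete {_family(ip)} {ip}"


def list_command(version: str) -> str:
    """Build the command that shows the current quarantine/banned-ip entries."""
    return f"diagnose user {_keyword(version)} list"


if __name__ == "__main__":
    # Constructed sample: same IP as the article, on a pre-7.2 and a 7.2+ release.
    for fw in ("7.0.12", "7.4.1"):
        print(ban_command(fw, "172.31.128.4", 60))
        print(unban_command(fw, "172.31.128.4"))
        print(list_command(fw))
```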

Note:
The minimum time before a quarantined host is removed from the list is 3 seconds. Once an exemption has been created so that a host is no longer quarantined, the list will be empty when this command is run.
The ban source recorded for each entry indicates why the IP was banned:
- IPS: The IP was banned due to an intrusion prevention system (IPS) signature match.
- Anomaly: The IP was banned due to anomalous behavior detected by the system.
- Rate-limit: The IP was banned because it exceeded a configured rate limit.
- Manual: The IP was manually added to the banned list by an administrator.
- Administrative: The IP was banned for administrative reasons, as specified by the system or administrator.
