esalija
Staff
October 24, 2025

Technical Tip: How to determine what caused an IP address to be quarantined due to DLP or content analysis

Description This article explains how to determine what caused an IP address to be quarantined due to DLP (Data Loss Prevention) or content analysis.
Scope FortiGate, FortiProxy.
Solution
  • To investigate the quarantined IP, start by checking the DLP logs:
    • Navigate to the FortiGate GUI.
    • Go to Log & Report -> Security Events -> Data Loss Prevention.
    • Review the logs for entries related to the quarantined IP.
    • Check for actions labeled 'quarantine-ip' and examine the associated details such as file names, URLs, and DLP rules.
  • Review the anomaly logs:
    • Go to Log & Report -> Security Events -> Anomaly Logs.
    • Check for any entries that might indicate why the IP was flagged.
    • Anomaly logs can provide insights into unusual traffic patterns or behaviors that triggered the quarantine.
  • Run the following CLI command to list banned IPs and the cause of each ban:

    diagnose user banned-ip list

  • Review the configuration of security profiles such as Antivirus, Application Control, and DLP to see if any specific rules or settings might have led to the quarantine.

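As an added example (not part of the original article and not Fortinet's own tooling), the following Python script performs the DLP log review step offline over constructed log lines written in FortiGate's key=value log format: it keeps only entries for the quarantined source IP with the 'quarantine-ip' action, then summarises the DLP rules, file names, URLs and services involved, which is exactly what the steps above ask an administrator to look for. The field names profile and filtername are assumptions rather than values taken from this article; on a real unit, confirm them against an actual log entry before relying on the summary.

```python
"""Summarise FortiGate-style DLP log lines for one quarantined source IP.

Added example, not code from the original article. The log lines in
SAMPLE_LOGS are constructed; the key=value layout follows FortiGate's log
format, but the 'profile' and 'filtername' field names are assumptions.
"""
import re
from collections import Counter

# One key=value pair: the value is either a double-quoted string (may
# contain spaces) or a bare token with no whitespace.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample data: three events for 10.0.1.25, one for 10.0.1.40.
SAMPLE_LOGS = """\
date=2025-10-24 time=09:12:01 type="utm" subtype="dlp" srcip=10.0.1.25 dstip=203.0.113.9 service="HTTPS" action="quarantine-ip" profile="corp-dlp" filtername="ssn-pattern" filename="payroll data.xlsx" url="example.test/upload"
date=2025-10-24 time=09:12:07 type="utm" subtype="dlp" srcip=10.0.1.25 dstip=203.0.113.9 service="HTTPS" action="block" profile="corp-dlp" filtername="credit-card" filename="q3.csv" url="example.test/upload"
date=2025-10-24 time=09:15:40 type="utm" subtype="dlp" srcip=10.0.1.40 dstip=198.51.100.7 service="HTTP" action="log-only" profile="corp-dlp" filtername="ssn-pattern" filename="notes.txt" url="example.test/share"
date=2025-10-24 time=09:20:11 type="utm" subtype="dlp" srcip=10.0.1.25 dstip=203.0.113.9 service="SMTP" action="quarantine-ip" profile="corp-dlp" filtername="source-code" filename="build.zip"
"""


def parse_line(line):
    """Turn one key=value log line into a dict; quotes are stripped."""
    return {key: value.strip('"') for key, value in _KV.findall(line)}


def parse_logs(text):
    """Parse every non-empty line of a log export."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def quarantine_events(records, src_ip):
    """DLP entries for src_ip whose action was quarantine-ip."""
    return [
        r for r in records
        if r.get("subtype") == "dlp"
        and r.get("srcip") == src_ip
        and r.get("action") == "quarantine-ip"
    ]


def summarize(records, src_ip):
    """Collect the rules, files, URLs and services behind the quarantine."""
    events = quarantine_events(records, src_ip)
    return {
        "count": len(events),
        # Which DLP rule fired, and how often (assumed field name).
        "rules": dict(Counter(e.get("filtername", "?") for e in events)),
        "files": sorted({e["filename"] for e in events if "filename" in e}),
        "urls": sorted({e["url"] for e in events if "url" in e}),
        "services": sorted({e.get("service", "?") for e in events}),
        "first_seen": (min(e["date"] + " " + e["time"] for e in events)
                       if events else None),
    }


if __name__ == "__main__":
    records = parse_logs(SAMPLE_LOGS)
    for key, value in summarize(records, "10.0.1.25").items():
        print(f"{key}: {value}")
```

To use this against a real export, replace SAMPLE_LOGS with the raw DLP log lines downloaded from Log & Report and pass the banned address reported by 'diagnose user banned-ip list' as src_ip; the rules and files listed in the summary are the ones to cross-check against the DLP profile configuration in the last step.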
Related article:

Technical Tip: Configure Data Leak/Loss Prevention (DLP)