Technical Tip: How to list or remove a banned IP from the list on a FortiGate
Description
This article describes how to list/remove a banned IP from the list on a FortiGate.
Scope
Reasons why an IP address may have been quarantined:
- IPS: The IP was banned due to an intrusion prevention system (IPS) signature match.
- Anomaly: The IP was banned due to anomalous behavior detected by the system.
- Rate-limit: The IP was banned because it exceeded a configured rate limit.
- Manual: The IP was manually added to the banned list by an administrator.
- Administrative: The IP was banned for administrative reasons, as specified by the system or administrator.
All sessions started by users or IP addresses on the Banned User list are blocked until the user or IP address is removed from the list or reaches its expiry.
Viewing the Banned User List:
The command depends on the FortiOS release. On v5.2 and later 5.x releases:
FGT# diagnose firewall ip_host list
On v6.0 and v7.0:
FGT# diagnose user quarantine list
From v7.2 onward, the banned IPs are listed from the CLI with:
FGT# diagnose user banned-ip list
Example output:
FGT# diagnose user banned-ip list
src-ip-addr      created                     expires                     cause
192.168.3.110    Wed Mar 4 15:22:24 2025     Wed Mar 4 15:24:24 2025     DLP
192.168.3.111    Wed Mar 4 15:23:23 2025     Wed Mar 4 16:23:23 2025     IPS
Explanation of each field:
- src-ip-addr: The IP address of the quarantined user.
- created: The time that the IP address was added to the list.
- expires: Shows the time that the entry will expire and be removed from the list.
- cause: The reason that this IP address was added to the Banned User list.
Related options:
- Add/delete an entry:
To add an entry, see this article: Technical Tip: How to ban or quarantine an IP with FortiView and CLI in FortiGate.
To delete an entry, see this one: Technical Tip: Remove Banned IP.
- Show statistics:
To view the number of entries currently in the list:
FGT# diagnose user banned-ip stat
iph_size=2
- Clear the list:
Run the following command to clear the whole list (every entry, whatever its cause or expiry):
FGT# diagnose user banned-ip clear
IP ban using security profiles:
Configure an antivirus profile so that the source IP of a host found to be infected is quarantined:
FGT# config antivirus profile
    edit <name>
        config nac-quar
            set infected quar-src-ip
            set expiry <duration>
        end
    next
end
View the banned IP address:
FGT# diagnose user banned-ip list
src-ip-addr created expires cause
172.16.200.55 Wed Jan 17 13:06:05 2024 Wed Jan 17 13:08:05 2024 AV
Configure the application control profile:
FGT# config application list
    edit <name>
        config entries
            edit <id>
                set quarantine attacker
                set quarantine-expiry <duration>
            next
        end
    next
end
View the banned IP address:
FGT# diagnose user banned-ip list
src-ip-addr      created                     expires                     cause
172.16.200.55    Thu Jan 18 07:17:13 2024    Thu Jan 18 07:22:13 2024    APP
Configure the DLP profile:
FGT# config dlp profile
    edit <name>
        config rule
            edit <id>
                set proto <protocols>
                set action quarantine-ip
                set expiry <duration>
            next
        end
    next
end
View the banned IP address:
FGT# diagnose user banned-ip list
src-ip-addr      created                     expires                     cause
172.16.200.55    Thu Jan 18 07:03:03 2024    Thu Jan 18 07:05:03 2024    DLP
Configure the IPS profile:
FGT# config ips sensor
    edit <name>
        config entries
            edit <id>
                set quarantine attacker
                set quarantine-expiry <duration>
            next
        end
    next
end
View the banned IP address:
FGT# diagnose user banned-ip list
src-ip-addr      created                     expires                     cause
172.16.200.55    Thu Jan 18 06:42:06 2024    Thu Jan 18 06:44:06 2024    IPS
A single entry can be removed directly from the CLI, choosing the keyword by address family:
FGT# diagnose user banned-ip delete src4 <IPv4>
FGT# diagnose user banned-ip delete src6 <IPv6>
Removing an entry does not change the profile that created it; if the triggering traffic continues, the IP is banned again on the next match.
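When a list holds many entries, it is easier to generate the delete commands from the list output than to type them one by one. The following is an added example for this article, not FortiOS code: it parses the text layout shown above (src-ip-addr, created, expires, cause), computes how long each ban has left, and emits the matching `delete src4`/`delete src6` command for the entries that match a cause filter or that are permanent. The sample output is constructed; the `indefinite` expiry shown for a permanent entry is an assumption, and the parser treats any non-date value in the expires column as "no expiry".

```python
"""Parse `diagnose user banned-ip list` output and build the matching
`diagnose user banned-ip delete src4/src6 <ip>` commands.
Added example for this article; not FortiOS code."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address
from typing import List, Optional

TIME_FMT = "%a %b %d %H:%M:%S %Y"  # ctime-style stamps as printed by the FortiGate

# Constructed sample, laid out like the article's output. The "indefinite"
# expiry for a permanent ban is an assumption; any non-date in that column
# is treated as "no expiry".
SAMPLE_OUTPUT = """\
FGT # diagnose user banned-ip list
src-ip-addr      created                     expires                     cause
172.16.200.55    Wed Jan 17 13:06:05 2024    Wed Jan 17 13:08:05 2024    AV
10.20.30.40      Thu Jan 18 07:17:13 2024    Thu Jan 18 07:22:13 2024    IPS
2001:db8::10     Thu Jan 18 07:30:00 2024    indefinite                  Administrative
"""


@dataclass
class BannedEntry:
    ip: str
    created: datetime
    expires: Optional[datetime]  # None = permanent entry
    cause: str

    @property
    def is_ipv6(self) -> bool:
        return ip_address(self.ip).version == 6


def _parse_stamp(tokens: List[str]) -> Optional[datetime]:
    """Join the tokens of one column and parse them; None if not a date."""
    try:
        return datetime.strptime(" ".join(tokens), TIME_FMT)
    except ValueError:
        return None


def parse_banned_ip_list(text: str) -> List[BannedEntry]:
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        # skip blanks, the echoed CLI prompt and the column header
        if not tokens or "diagnose" in tokens or tokens[0] == "src-ip-addr":
            continue
        ip, cause, middle = tokens[0], tokens[-1], tokens[1:-1]
        ip_address(ip)  # raises ValueError if the line is not a ban entry
        created = _parse_stamp(middle[:5])
        if created is None:
            raise ValueError(f"unparseable created stamp: {line!r}")
        expires = _parse_stamp(middle[5:])  # [] or a single word -> None
        entries.append(BannedEntry(ip, created, expires, cause))
    return entries


def seconds_remaining(entry: BannedEntry, now: datetime) -> Optional[float]:
    """Seconds until the ban lapses; None for a permanent entry; 0 once expired."""
    if entry.expires is None:
        return None
    return max(0.0, (entry.expires - now).total_seconds())


def delete_command(entry: BannedEntry) -> str:
    """The article's single-entry removal command, src4 or src6 by address family."""
    family = "src6" if entry.is_ipv6 else "src4"
    return f"diagnose user banned-ip delete {family} {entry.ip}"


def build_delete_commands(text: str, cause: Optional[str] = None,
                          only_permanent: bool = False) -> List[str]:
    """Delete commands for every entry matching the filters (cause is case-insensitive)."""
    cmds = []
    for e in parse_banned_ip_list(text):
        if cause is not None and e.cause.lower() != cause.lower():
            continue
        if only_permanent and e.expires is not None:
            continue
        cmds.append(delete_command(e))
    return cmds


if __name__ == "__main__":
    for e in parse_banned_ip_list(SAMPLE_OUTPUT):
        left = "permanent" if e.expires is None else e.expires.isoformat()
        print(f"{e.ip:<16} {e.cause:<15} expires: {left}")
    print("\n".join(build_delete_commands(SAMPLE_OUTPUT, only_permanent=True)))
```

Feed it the pasted output of the list command (or the output captured over SSH) and paste the resulting lines back into the CLI. Filtering by cause matters in practice: clearing only the entries created by one profile, for example after an IPS signature false positive, avoids dropping the manual and administrative bans that `diagnose user banned-ip clear` would also remove.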
After a reboot or power cycle, the banned list is not retained unless persistency is configured:
FGT# config firewall global
    set banned-ip-persistency {disabled | permanent-only | all}
end
With permanent-only, only entries that have no expiry survive a reboot; with all, timed entries are restored as well and keep counting down to their original expiry.
Related article: