tnaik
Staff
January 8, 2020

Technical Tip: Quarantine IP address lost after reboot/shutdown/upgrade


Description


This article explains why a quarantined (banned) IP address is no longer listed after a reboot, shutdown or firmware upgrade.

 

Scope

 

FortiGate.

Solution


The quarantine user list is removed after a device reboot or shutdown because it is held only in volatile memory (RAM).
The source 'ban IP' entries are kept in the kernel rather than in any specific application engine, and they can be queried through APIs.

Because the list is not part of the configuration, an address that is shown as quarantined before a reboot or upgrade will not be found anywhere in a backup of the configuration file.

The Quarantine Monitor list is a monitoring view, not configuration: it is not synchronized to the secondary firewall, so an HA cluster shows the same behavior.

To quarantine (ban) a source IP from FortiView in FortiGate, go to FortiView -> Sources, select the source to ban, and select Ban IP:

sources.png
 
After selecting Ban IP, specify the ban type.
In this example, 'Permanent' is selected:

 

perm.png

 

To view the banned IP on the GUI, go to Monitor -> Quarantine Monitor:
 
33.png

 

 
It is also possible to view the quarantined IP using the CLI:
 
diagnose user quarantine list
 
 
In newer FortiOS versions (7.2 onwards) the command was renamed to:
 
diagnose user banned-ip list
 

banned-ip2.png

 

After a reboot or firmware upgrade, the IP address is no longer in the Quarantine Monitor list:
 
monit.png
 
From the CLI:
 
diagnose user quarantine list
 
 
In newer FortiOS versions (7.2 onwards) the command was renamed to:
 
diagnose user banned-ip list
 
banned-ip.png
 
Best practices:
This is expected behavior. If a source must stay blocked permanently, do not rely on the quarantine list: put the address in a firewall address object referenced by a deny policy instead. Policy is part of the configuration, so it survives reboots and upgrades, is included in configuration backups, and is synchronized to the HA peer.
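The script below is an added example for this article and is not Fortinet code. It shows one way to apply the best practice before a reboot or upgrade: parse the banned-IP list as shown by the diagnose command, keep only the permanent ('indefinite') IPv4 entries, and emit FortiOS CLI that persists them as address objects, an address group and a deny policy. The sample output is constructed, and its column layout (src-ip-addr, created, expires, cause) is an assumption modelled on `diagnose user banned-ip list`; verify it against the real output on your firmware. The interface name "port1" and the object names are also assumptions.

```python
"""Persist FortiGate banned (quarantined) source IPs as firewall configuration.

Added example for this article; not Fortinet code. SAMPLE_OUTPUT is constructed
and its column layout is an assumption modelled on `diagnose user banned-ip list`.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample resembling `diagnose user banned-ip list`. The second
# entry has a timed expiry; the others are permanent ("indefinite").
SAMPLE_OUTPUT = """\
src-ip-addr       created                  expires                  cause
10.1.100.11       Wed Jan  8 10:02:17 2020 indefinite               Administrative
10.1.100.52       Wed Jan  8 10:05:40 2020 Wed Jan  8 11:05:40 2020 Administrative
192.0.2.77        Wed Jan  8 10:07:03 2020 indefinite               Administrative
2001:db8::17      Wed Jan  8 10:09:21 2020 indefinite               Administrative
"""


def parse_banned_ips(text: str) -> List[Tuple[str, bool, str]]:
    """Return (ip, is_permanent, cause) for each data row.

    Dates contain spaces, so rows are tokenised and only the first token (IP)
    and last token (cause) are positional; a permanent ban is recognised by
    the literal "indefinite" in the expires column. Non-IP first tokens
    (the header line) are skipped.
    """
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        try:
            ip = ipaddress.ip_address(tokens[0])
        except ValueError:
            continue
        entries.append((str(ip), "indefinite" in tokens[1:], tokens[-1]))
    return entries


def permanent_ipv4(entries) -> Tuple[List[str], List[str]]:
    """Split permanent entries into IPv4 (handled) and IPv6 (reported, skipped).

    Timed bans are deliberately left alone: they would expire anyway, and
    turning them into policy would silently make them permanent.
    """
    v4, skipped = [], []
    for ip, permanent, _cause in entries:
        if not permanent:
            continue
        if ipaddress.ip_address(ip).version == 4:
            v4.append(ip)
        else:
            skipped.append(ip)  # would need "config firewall address6" objects
    return v4, skipped


def render_fortios_config(ips: List[str], group: str = "quarantined_sources",
                          srcintf: str = "port1") -> str:
    """Emit FortiOS CLI: a /32 address object per IP, an address group, and a
    deny policy with the group as source. Unlike the banned-IP list, this is
    configuration, so it survives reboot and is synchronized in HA."""
    if not ips:
        return "# nothing to persist"
    names = [f"quarantine_{ip}" for ip in ips]
    out = ["config firewall address"]
    for name, ip in zip(names, ips):
        out += [f'    edit "{name}"',
                f"        set subnet {ip} 255.255.255.255",
                "    next"]
    out.append("end")
    out += ["config firewall addrgrp",
            f'    edit "{group}"',
            "        set member " + " ".join(f'"{n}"' for n in names),
            "    next",
            "end"]
    # "edit 0" creates the policy with the next free ID at the bottom of the
    # table; move it above any accept policies afterwards (GUI drag, or
    # "move <id> before <id>" inside "config firewall policy").
    out += ["config firewall policy",
            "    edit 0",
            f'        set name "block_{group}"',
            f'        set srcintf "{srcintf}"',
            '        set dstintf "any"',
            f'        set srcaddr "{group}"',
            '        set dstaddr "all"',
            "        set action deny",
            '        set schedule "always"',
            '        set service "ALL"',
            "        set logtraffic all",
            "    next",
            "end"]
    return "\n".join(out)


if __name__ == "__main__":
    entries = parse_banned_ips(SAMPLE_OUTPUT)
    ips, skipped = permanent_ipv4(entries)
    print(render_fortios_config(ips))
    for ip in skipped:
        print(f"# skipped IPv6 entry {ip}: needs a firewall address6 object")
```

Paste the generated commands into the CLI (or run them through a console session) before the reboot or upgrade, then move the new deny policy above any accept policies it must override; a deny appended at the bottom of the policy table will never be hit if an earlier policy already allows the traffic.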