FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
Article Id 301722


This article describes the difference between quarantining wireless and wired compromised devices in a FortiGate using the FortiAnalyzer IoC database.


FortiAnalyzer, FortiGate, FortiSwitch, and FortiAP.


When a device is flagged as compromised, the security fabric can isolate it from the rest of the network, preventing it from spreading malware or causing other damage.


The Fortinet Security Fabric works by sharing threat information and automating responses across all its components, regardless of location. A compromised workstation is detected and isolated using a combination of Indicator of Compromise (IOC) services and quarantine automation.


Here's a breakdown of the events:

  1. A workstation tries to access a malicious website.
  2. FortiGate, a firewall within the Security Fabric, blocks access based on a web filter profile.
  3. FortiGate sends a log to FortiAnalyzer, a security analytics appliance.
  4. FortiAnalyzer analyzes the logs using information from IOC services, which provide real-time threat intelligence.

Details about the FortiAnalyzer IoC database are found here: 

How IOC works

Indicators of Compromise (IOC) Service


  1. FortiAnalyzer determines if the workstation is compromised and sends a verdict back to FortiGate.
  2. A user-defined automation on FortiGate quarantines the compromised workstation, isolating it from the network.

Although it is possible to manually quarantine devices on FortiGate: Quarantine, the IoC database on FortiAnalyzer helps in the automatic quarantine of compromised hosts.


While the quarantine process is similar for wired and wireless clients, there are some key configuration differences to remember for wireless devices.


Here is a summary of the key points:

  • Quarantine is currently only supported for tunnel mode SSIDs.
  • For accurate analysis, the access points (APs), FortiGate firewall, and FortiAnalyzer need to be part of the same Security Fabric.
  • Enabling quarantine on the SSID within FortiGate automatically creates the necessary components, including a captive portal, to isolate compromised devices.
  • Security automation for quarantine only occurs on the FortiGate, not on the access points themselves.
  • Once configured, wireless clients can be automatically quarantined using the same Security Fabric automation as wired clients.
  • Quarantined devices are placed in a separate VLAN and presented with a captive portal explaining their isolation status and potentially providing remediation steps.