FortiClient
kltam
Staff
Article Id 197450
Description
This article describes how to quarantine an endpoint in FortiClient EMS and remove the endpoint from the quarantine list.
Quarantined endpoints cannot access the network. Therefore, whenever suspicious activity is found on an endpoint and the endpoint needs to be isolated from the network, the quarantine feature in EMS can be used.


Solution
Here is the step-by-step guide to quarantine an endpoint in EMS:

1) Locate the endpoint
Go to Endpoints -> All Endpoints in EMS and find the endpoint using the search column.



2) Select the endpoint, then go to Action and select ‘Quarantine’. EMS quarantines the endpoint with the next FortiClient Telemetry communication.



3) Verify the result by selecting the endpoint in EMS. The Status of the endpoint changes to ‘Quarantined’.


Meanwhile, the FortiClient console on the endpoint displays a quarantine message.


There are a few ways to remove an endpoint from quarantine:

1) Unquarantine the endpoint in EMS
Select the quarantined endpoint, then go to Action and select ‘Unquarantine’.



2) Unquarantine the endpoint from FortiClient
Get the Quarantine Access Code from EMS under Quarantined Endpoint Status:




Enter the Quarantine Access Code in the FortiClient console on the quarantined endpoint, then remove the endpoint from quarantine by selecting ‘Unquarantine’.
Note: The Quarantine Access Code is a “one-time access code” and will change for the next quarantine.





Result:
The endpoint status in EMS reverts to Registered and no quarantine message is displayed on the FortiClient console.


Under some circumstances, if the user is unable to remove the endpoint from quarantine, here are some troubleshooting and verification steps:

1) Check the connection between EMS and the endpoint. Ensure the endpoint is in a network that can reach the EMS server for Telemetry communication.

2) Make sure the Quarantine Access Code is entered correctly.


