Description
This article describes how to automatically quarantine endpoints using automation stitches, for example upon detection of a critical vulnerability.
Scope
FortiGate, FortiClient EMS and FortiClient.
Solution
When critical vulnerabilities are detected on the host machine, FortiClient EMS isolates the affected files and applications in Quarantine Management. However, the Quarantine Management feature is only operational on Windows OS. See: Quarantine Management - FortiClient EMS administration guide.
Quarantining an endpoint from FortiOS using EMS is likewise supported only for Windows endpoints. To prevent vulnerable endpoints of any OS (Linux, Windows or Mac) from accessing specific resources, set up a ZTNA tag and configure a deny firewall policy instead. If the aim is to prevent the vulnerable host from accessing the network at all, quarantine the host; note again that the quarantine feature only works for Windows. See: Quarantining an endpoint from FortiOS using EMS - FortiClient EMS administration guide.
FortiClient (Linux) does not support this feature. This article demonstrates a workaround that quarantines both Windows and Linux endpoints based on critical vulnerability detection.
Note: For quarantine to take effect, managed endpoints must have FortiGate as their default gateway. They can be connected to a directly connected interface or through a VPN tunnel, provided they can reach FortiClient EMS and FortiOS. In this example environment, an auto-connect SSL-VPN tunnel is established and the endpoint reaches the FortiClient EMS server through the VPN tunnel.
Linux OS, as seen in FortiClient EMS and on the FortiGate:
    diagnose user device list
    hosts
    vd root/0 00:0c:29:f3:d3:4c gen 11 req 0
        created 417s gen 9 seen 417s wan2 gen 3
        ip 10.212.134.200(b) src forticlient
        host 'ubuntu' src forticlient
        user 'ubuntu' src forticlient
        endpoint '9FC50DBE5C704500BA6730F77676C8B7'
Windows OS, as seen in FortiClient EMS and on the FortiGate:
    diagnose user device list
    hosts
    vd root/0 e0:2b:e9:2d:f3:93 gen 15 req 0
        created 55s gen 13 seen 55s wan2 gen 4
        ip 10.212.134.200(b) src forticlient
        host 'DESKTOP-CC1491A' src forticlient
        user 'Dell' src forticlient
        endpoint '04A91D9CDF2745FE975157CF57D04FB6'
Vulnerability scans are performed according to the EMS endpoint profile, and FortiClient reports all vulnerability records to FortiClient EMS. FortiClient EMS in turn shares those records with FortiGate over the FortiTelemetry connection. On FortiGate, the vulnerability records are logged under Endpoints Event (Log and Report -> System Event -> Endpoints Event). Download the logs to craft the automation stitches from the fields they contain.
    date=2024-02-14 time=21:23:57 eventtime=1705037037002219460 tz="-0800" logid="0107045071" type="event" subtype="endpoint" level="notice" vd="root" logdesc="FortiClient Vulnerability Scan" fctuid="3DA7882B6A1641BFA6C531B1DF8B3EF7" scantime=1705065851 srcip=10.212.134.200 srcname="DESKTOP-74GOVRE" srcmac="e0-db-55-c3-2b-d6" vulnid=4392 vulnname="Security Vulnerabilities fixed in Adobe Acrobat APSA11-04" vulncat="Applications" severity="Critical" cveid="CVE-2011-2462" vendorurl="https://www.adobe.com/support/security/advisories/apsa11-04.html" msg="Endpoint Vulnerability Scan Entry."
An automation stitch triggers only when the event matches all of the trigger's criteria. In this case, the trigger fires on the FortiOS 'FortiClient Vulnerability Scan' event (log ID 45071) when the severity field is Critical.
    config system automation-trigger
        edit "FortiClient Vulnerability Scan"
            set event-type event-log
            set logid 45071
            config fields
                edit 1
                    set name "severity"
                    set value "Critical"
                next
            end
        next
    end
For the action to quarantine the right endpoint, it must take the source IP from the key-value pair srcip=10.212.134.200 in the event log: the %%srcip%% placeholder in the CLI script is replaced with the value of that field when the stitch runs. After the action runs, both EMS and FortiOS show the endpoint as quarantined.
    config system automation-action
        edit "Quarantine Endpoints"
            set action-type cli-script
            set script "diagnose endpoint fctems queue-complete-calls Q-%%srcip%%"
            set accprofile "super_admin"
        next
    end
Lastly, create the automation stitch by attaching the automation trigger and the automation action.
    config system automation-stitch
        edit "Automate Quarantine"
            set trigger "FortiClient Vulnerability Scan"
            config actions
                edit 1
                    set action "Quarantine Endpoints"
                    set required enable
                next
            end
        next
    end
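As an added example that is not part of this article or of any Fortinet tool, the following Python script reproduces offline what the stitch above does: it parses the FortiOS key=value event log record shown earlier (embedded here as a constructed sample, alongside a constructed Low-severity record for contrast), checks the trigger criteria (log ID 45071 and severity Critical), and renders the action's CLI script by substituting the %%srcip%% placeholder. It assumes that the trigger's 5-digit logid corresponds to the trailing digits of the 10-digit logid field in the log record, as the article's own values (0107045071 and 45071) suggest. It is useful for checking trigger field values against exported logs before enabling the stitch.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample records. The first is the vulnerability scan event shown
# in this article (kept verbatim, including the missing space before
# vendorurl); the second is a constructed Low-severity record that must not
# trigger the stitch.
SAMPLE_LOGS = [
    'date=2024-02-14 time=21:23:57 eventtime=1705037037002219460 tz="-0800" '
    'logid="0107045071" type="event" subtype="endpoint" level="notice" vd="root" '
    'logdesc="FortiClient Vulnerability Scan" fctuid="3DA7882B6A1641BFA6C531B1DF8B3EF7" '
    'scantime=1705065851 srcip=10.212.134.200 srcname="DESKTOP-74GOVRE" '
    'srcmac="e0-db-55-c3-2b-d6" vulnid=4392 '
    'vulnname="Security Vulnerabilities fixed in Adobe Acrobat APSA11-04" '
    'vulncat="Applications" severity="Critical" cveid="CVE-2011-2462"'
    'vendorurl="https://www.adobe.com/support/security/advisories/apsa11-04.html" '
    'msg="Endpoint Vulnerability Scan Entry."',
    'date=2024-02-14 time=21:30:11 logid="0107045071" type="event" subtype="endpoint" '
    'srcip=10.212.134.201 srcname="ubuntu" severity="Low" '
    'msg="Endpoint Vulnerability Scan Entry."',
]

# The trigger and action from the article's CLI, expressed as data.
TRIGGER = {"logid": 45071, "fields": {"severity": "Critical"}}
ACTION_SCRIPT = "diagnose endpoint fctems queue-complete-calls Q-%%srcip%%"

# key=value where the value is either a double-quoted string (may contain
# spaces) or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log(line: str) -> Dict[str, str]:
    """Parse a FortiOS key=value log line into a dict, stripping quotes."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def trigger_matches(fields: Dict[str, str], trigger: dict) -> bool:
    """All criteria must hold: the message id and every configured field.

    Assumption: the trigger's logid is the trailing 5 digits of the 10-digit
    logid field in the record (0107045071 -> 45071).
    """
    try:
        msg_id = int(fields.get("logid", "")) % 100000
    except ValueError:
        return False
    if msg_id != trigger["logid"]:
        return False
    return all(fields.get(k) == v for k, v in trigger["fields"].items())


def render_action(script: str, fields: Dict[str, str]) -> str:
    """Replace each %%name%% placeholder with the log field of that name."""
    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in fields:
            raise KeyError(f"log record has no field {name!r} for %%{name}%%")
        return fields[name]
    return re.sub(r"%%(\w+)%%", substitute, script)


def evaluate(lines: Iterable[str], trigger: dict = TRIGGER,
             script: str = ACTION_SCRIPT) -> List[str]:
    """Return the CLI commands the stitch would run for the matching records."""
    commands = []
    for line in lines:
        fields = parse_log(line)
        if trigger_matches(fields, trigger):
            commands.append(render_action(script, fields))
    return commands


if __name__ == "__main__":
    for command in evaluate(SAMPLE_LOGS):
        print(command)
```

Run against an exported log file by replacing SAMPLE_LOGS with the file's lines; only the Critical record yields a command, and a record that lacks the srcip field raises a KeyError rather than producing a malformed quarantine command.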
View the results under Asset Identity Center and Quarantine Monitor.
Windows OS:
    Security Fabric -> Asset Identity Center.
    Dashboard -> Quarantine Monitor.
    Quarantine banner on the FortiClient endpoint.
Similarly, on Linux OS:
    Quarantine banner on the FortiClient endpoint.
Craft the automation action according to the fields available in the event logs and the automation trigger setup.
Copyright 2025 Fortinet, Inc. All Rights Reserved.