This article describes the case where a user cannot access the internet or pass any local traffic and receives the message 'Blocked because of admin action'.
FortiGate.
When accessing the internet, the user gets the error below, as shown in the screenshot:
The machine above is a Linux host with source IP 192.168.30.5. The forward traffic logs on the FortiGate show the entry below, which means that the IP has either been added to the banned-IP list or is being quarantined:
Reasons that might have caused the machine's IP to be added to the quarantine list:
One possible reason is that the host may be compromised and FortiGate flagged that machine. Another is a policy violation during a specific period, as a result of which the machine was added to the quarantine list.
See the document 'Quarantine' for the types of quarantine modes on FortiOS.
Banned or quarantined IPs can be viewed using the following command:
diagnose user quarantine list
From v7.2 moving forward, the command to list the banned IPs from the CLI is:
diagnose user banned-ip list
An entry can also be removed using the following commands:
diagnose user quarantine delete src4 x.x.x.x <----- For 7.0 and under.
diagnose user banned-ip delete src4 x.x.x.x <----- For v7.2 moving forward.
Related article:
Technical Tip: Remove Banned IP
Once the entry is removed, the user can access the sites:
Note:
Before removing the IP from the banned-IP list or quarantine list, it is recommended to verify that the end device is not compromised. Removing it without proper care may result in the same device being added to the banned-IP list again.
Copyright 2024 Fortinet, Inc. All Rights Reserved.