FortiGate
Babitha_M
Staff
Article Id 337021
Description: This article describes how to ban an IP through the Automation stitch.
Scope: FortiGate, FortiAnalyzer.
Solution

Create an automation stitch: log in to the GUI and go to Security Fabric > Automation.

 

Select Create New and provide a name. Select Add Trigger, then select Compromised Host.

 


Select Add Action, then Create New, and select IP Ban.

 


Add one more action of type email, to get a notification when there is a hit and an IP is banned.

 


The CLI configuration:

 

config system automation-stitch
    edit "Ban-IP"
        set trigger "Compromised Host - High"
        config actions
            edit 1
                set action "email"
                set required enable
            next
            edit 2
                set action "ip-ban"
                set required enable
            next
        end
    next
end
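
The stitch above only references a trigger named "Compromised Host - High" and actions named "email" and "ip-ban", so those objects must already exist on the FortiGate. The following is an added example, not part of the original article, of how they could be defined from the CLI. The recipient address and subject are constructed placeholders, and the option names are assumed to match the FortiOS version in use.

```fortios
# Added example: objects referenced by the "Ban-IP" stitch.
# Names match the stitch; the email values are placeholders.

# Trigger: fires on a compromised-host (IOC) verdict rated high.
config system automation-trigger
    edit "Compromised Host - High"
        set event-type ioc
        set ioc-level high
    next
end

# Actions: "email" is action 1 in the stitch, "ip-ban" is action 2.
config system automation-action
    edit "email"
        set action-type email
        set email-to "soc@example.com"
        set email-subject "Ban-IP stitch: compromised host banned"
    next
    edit "ip-ban"
        set action-type ban-ip
    next
end
```

The email action depends on a working mail server configuration on the FortiGate. Because both actions in the stitch are set as required, confirm that mail delivery works before relying on the ban.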

 

When the Ban-IP automation stitch gets a hit, FortiGate sends the notification and moves that IP to the quarantine list.

It is possible to check the compromised host list and quarantine list from the dashboard.

 


To view the banned IPs from the CLI, use the following command:

 

diagnose user banned-ip list

 

 

Note:

FortiAnalyzer is required to view the compromised hosts.

 

Related article:

Technical Tip: How to check why automation stitch is not working as expected

Technical Tip: How to Ban IP using event handler + automation stitch