FortiGate
rmreddy
Staff
Article Id 191475

Description

 

This article describes how to ban a quarantine source IP using the FortiView feature in FortiGate.

 

Scope

 

FortiGate.


Solution

 

To ban (quarantine) a source IP, navigate to FortiView -> Sources.


Right-click the source to ban and select Ban IP:


After selecting Ban IP, specify the duration of the ban:


To view the banned IP on the GUI, navigate to Monitor -> Quarantine Monitor:

 

In order to ban an IP from CLI, the following command can be used:

 

diagnose user quarantine ?
list:      List user quarantine entries.
add:     Add user quarantine entry.
delete: Delete user quarantine entry.
clear :  Clear all user quarantine entries.
stat:    stat

 

Note: From version 7.2 onward, the syntax has changed to 'banned-ip' instead of 'quarantine':

diag user banned-ip

Below is an example of the syntax for banning an IP, showing the options available at each step.

 

diagnose user quarantine add ?
src4: IPv4 source ban.
src6: IPv6 source ban.

 

diagnose user quarantine add src4 ?
<src-ipv4> Source IPv4 address.

 

diagnose user quarantine add src4 172.31.128.4 ?
<expiry> Expiry in seconds.

 

diagnose user quarantine add src4 172.31.128.4 60 ?
<ban-source> Ban source (admin/dlp/ips/av/dos).

 

diagnose user quarantine add src4 172.31.128.4 60 admin ?
<Enter> --> no more options are available, press Enter to ban the IP
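
The ban syntax walked through above, as an added example (not part of the original article and not Fortinet code): a Python helper that validates an address taken from an alert or ticket before turning it into the CLI line. The function name, the protected network 10.0.0.0/24, the positive-expiry rule and the assumption that the arguments after 'banned-ip' are unchanged on 7.2 and later are choices of this example.

```python
import ipaddress

# Ban sources listed in the CLI help shown above.
BAN_SOURCES = {"admin", "dlp", "ips", "av", "dos"}

# Hypothetical do-not-ban list (assumption of this example): networks whose
# hosts must never be banned, e.g. the management subnet.
PROTECTED_NETS = [ipaddress.ip_network("10.0.0.0/24")]


def build_ban_command(ip, expiry_seconds, ban_source="admin", fortios_version=(7, 0)):
    """Return the FortiOS CLI line that bans `ip`, or raise ValueError."""
    # ip_address() rejects anything that is not a literal address, so text
    # taken from an alert cannot smuggle extra CLI tokens into the command.
    addr = ipaddress.ip_address(str(ip).strip())
    if getattr(addr, "scope_id", None):  # "fe80::1%<anything>" parses; refuse it
        raise ValueError("scoped IPv6 addresses are not accepted")
    if any(addr.version == net.version and addr in net for net in PROTECTED_NETS):
        raise ValueError(f"{addr} is in a protected network")
    if isinstance(expiry_seconds, bool) or not isinstance(expiry_seconds, int) or expiry_seconds <= 0:
        raise ValueError("expiry must be a positive whole number of seconds")
    if ban_source not in BAN_SOURCES:
        raise ValueError(f"unknown ban source: {ban_source!r}")
    # 7.2 and later use 'banned-ip' in place of 'quarantine' (per the note above);
    # keeping the remaining arguments unchanged is an assumption of this example.
    keyword = "banned-ip" if tuple(fortios_version) >= (7, 2) else "quarantine"
    family = "src4" if addr.version == 4 else "src6"
    return f"diagnose user {keyword} add {family} {addr} {expiry_seconds} {ban_source}"


if __name__ == "__main__":
    # Constructed sample inputs, including one hostile string and one protected host.
    samples = [("172.31.128.4", 60), ("2001:db8::10", 3600),
               ("172.31.128.4; execute reboot", 60), ("10.0.0.5", 60)]
    for ip, ttl in samples:
        try:
            print(build_ban_command(ip, ttl))
        except ValueError as exc:
            print(f"rejected {ip!r}: {exc}")
```
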

 

To unban an IP:

 

diag user quarantine delete src4 <ipv4-address> 


To view the quarantined IP in the CLI, run the following command:

 

diagnose user quarantine list

 

Note:

The minimum time to remove a quarantined host from the list is 3 seconds. After an exemption is created so that a host is no longer quarantined, the list will be empty when this command is run.