FortiGate
esalija
Staff
Article Id 416447
Description This article explains how to determine what caused an IP address to be quarantined by DLP (Data Loss Prevention) or content analysis.
Scope FortiGate, FortiProxy.
Solution
  • To investigate the quarantined IP, start by checking the DLP logs.
    • Navigate to the FortiGate GUI.
    • Go to Log & Report -> Security Events -> Data Loss Prevention.
    • Review the logs for entries related to the quarantined IP.
    • Check for actions labeled 'quarantine-ip' and examine the associated details such as file names, URLs, and DLP rules.
  • Review Anomaly Logs:
    • Go to Logs and Reports -> Security Events -> Anomaly Logs.
    • Check for any entries that might indicate why the IP was flagged.
    • Anomaly logs can provide insights into unusual traffic patterns or behaviors that triggered the quarantine.

  • Run the following command to list banned IPs and their causes:

diagnose user banned-ip list

  • Review the configuration of security profiles such as Antivirus, Application Control, and DLP to see if any specific rules or settings might have led to the quarantine.
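The steps above combine two sources: the DLP log entries with action 'quarantine-ip' and the cause column of 'diagnose user banned-ip list'. The following Python script is an added example, not part of this article or of FortiOS, that correlates both for a given IP. The log lines and the banned-IP output are constructed samples; the column layout assumed for the command output (source IP, created, expires, cause) and log field names other than those the article mentions (action, file name, URL, rule) are assumptions.

```python
import re

# Constructed sample FortiGate DLP log lines in key=value format (not from the
# article). Field names beyond action/filename/url/rule are assumptions.
SAMPLE_DLP_LOGS = """\
date=2024-05-01 time=10:12:03 type="utm" subtype="dlp" level="warning" srcip=10.1.1.50 dstip=203.0.113.10 service="HTTPS" action="quarantine-ip" profile="corp-dlp" rulename="ssn-outbound" filename="payroll.xlsx" url="https://upload.example.net/put" msg="data leak detected(Data Leak Prevention Rule matched)"
date=2024-05-01 time=10:12:05 type="utm" subtype="dlp" level="notice" srcip=10.1.1.51 dstip=203.0.113.10 service="HTTPS" action="log-only" profile="corp-dlp" rulename="credit-card" filename="notes.txt" url="https://upload.example.net/put" msg="data leak detected"
date=2024-05-01 time=10:13:40 type="utm" subtype="dlp" level="warning" srcip=10.1.1.50 dstip=198.51.100.7 service="SMTP" action="block" profile="corp-dlp" rulename="ssn-outbound" filename="report.pdf" msg="data leak detected"
"""

# Constructed sample output of 'diagnose user banned-ip list'. The column layout
# (source IP, created, expires, cause) is an assumption about the real output.
SAMPLE_BANNED_OUTPUT = """\
src-ip-addr       created                  expires                  cause
10.1.1.50         Wed May  1 10:12:03 2024 Wed May  1 10:17:03 2024 DLP
192.0.2.77        Wed May  1 09:50:11 2024 indefinite               Administrative
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# IPv4 only; extend if the unit also quarantines IPv6 hosts.
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_kv_log(line):
    """Parse one FortiGate key=value log line into a dict (quotes stripped)."""
    return {k: (q if q != "" or u == "" else u) if False else (q if u == "" else u)
            for k, q, u in KV_RE.findall(line)}


def find_quarantine_events(log_lines, ip):
    """Return DLP entries for ip whose action is quarantine-ip, the action the
    article tells you to look for under Security Events -> Data Loss Prevention."""
    events = []
    for line in log_lines:
        if not line.strip():
            continue
        rec = parse_kv_log(line)
        if (rec.get("subtype") == "dlp" and rec.get("srcip") == ip
                and rec.get("action") == "quarantine-ip"):
            events.append(rec)
    return events


def parse_banned_ip_list(output):
    """Map each banned IP to its cause: first token is the IP, last token the cause.
    The header line and anything not starting with an IPv4 address is skipped."""
    banned = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 2 or not IPV4_RE.match(parts[0]):
            continue
        banned[parts[0]] = parts[-1]
    return banned


def explain_quarantine(ip, log_lines, banned_output):
    """Combine the banned-IP cause with the matching DLP events into one summary."""
    cause = parse_banned_ip_list(banned_output).get(ip)
    events = find_quarantine_events(log_lines, ip)
    return {
        "ip": ip,
        "banned": cause is not None,
        "cause": cause,
        "dlp_events": [
            {k: e.get(k) for k in ("date", "time", "profile", "rulename", "filename", "url")}
            for e in events
        ],
    }


if __name__ == "__main__":
    import json
    summary = explain_quarantine("10.1.1.50", SAMPLE_DLP_LOGS.splitlines(), SAMPLE_BANNED_OUTPUT)
    print(json.dumps(summary, indent=2))
```

In practice, feed the script the DLP log export (or syslog forward) and the captured CLI output; an IP that shows as banned with cause DLP but has no matching 'quarantine-ip' log entry usually means the relevant log lines were filtered, rotated or not forwarded, which is worth checking before touching the security profiles.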
Related article:

Technical Tip: Configure Data Leak/Loss Prevention (DLP)