FortiGate
fnaghavi
Staff & Editor
Article Id 189983

Description

This article describes how to list/remove a banned IP from the list on a FortiGate.

Scope

FortiOS.

Solution


Reasons why an IP address may have been quarantined:

  • IPS: The IP was banned due to an intrusion prevention system (IPS) signature match.
  • Anomaly: The IP was banned due to anomalous behavior detected by the system.
  • Rate-limit: The IP was banned because it exceeded a configured rate limit.
  • Manual: The IP was manually added to the banned list by an administrator.
  • Administrative: The IP was banned for administrative reasons, as specified by the system or administrator.

All sessions started by users or IP addresses on the Banned User list are blocked until the user or IP address is removed from the list or reaches its expiry.

Viewing the Banned User List:

In v5.2 and later, the following command is used:

FGT# diagnose firewall ip_host list

On v6.0 and v7.0, the following command is used:

FGT# diagnose user quarantine list

From v7.2 onward, the command to list the banned IPs from the CLI is as follows:

FGT# diagnose user banned-ip list

 

The example output looks like this:

FGT# diagnose user banned-ip list
src-ip-addr       created                  expires                  cause
192.168.3.110     Wed Mar  4 15:22:24 2025 Wed Mar  4 15:24:24 2015 DLP
192.168.3.111     Wed Mar  4 15:23:23 2025 Wed Mar  4 16:23:23 2015 IPS

 

Explanation of each field:

  • src-ip-addr: The IP address of the quarantined user.
  • created: The time that the IP address was added to the list.
  • expires: The time at which the entry expires and is removed from the list.
  • cause: The reason that this IP address was added to the Banned User list.
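When the list is collected over SSH for monitoring or incident triage, the table above is easy to parse. The following is an added example (not part of the original article or of FortiOS) that parses the 'diagnose user banned-ip list' output into records, computes each ban's duration and counts bans per cause; the sample text is constructed to match the format shown above.

```python
from datetime import datetime
from typing import Dict, List, NamedTuple

# Constructed sample modelled on 'diagnose user banned-ip list' output (not a real capture).
SAMPLE_OUTPUT = """\
FGT# diagnose user banned-ip list
src-ip-addr       created                  expires                  cause
192.168.3.110     Wed Mar  4 15:22:24 2025 Wed Mar  4 15:24:24 2025 DLP
192.168.3.111     Wed Mar  4 15:23:23 2025 Wed Mar  4 16:23:23 2025 IPS
172.16.200.55     Thu Jan 18 06:42:06 2024 Thu Jan 18 06:44:06 2024 IPS
"""

# FortiOS prints the timestamps in ctime style, e.g. 'Wed Mar  4 15:22:24 2025'.
TIMESTAMP_FORMAT = "%a %b %d %H:%M:%S %Y"

class BannedEntry(NamedTuple):
    src_ip: str
    created: datetime
    expires: datetime
    cause: str

def parse_banned_ip_list(text: str) -> List[BannedEntry]:
    """Parse the table into entries; prompt, header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()  # also collapses the double space in 'Mar  4'
        # A data row is: IP, 5 'created' tokens, 5 'expires' tokens, cause = 12 tokens.
        if len(fields) != 12:
            continue
        created = datetime.strptime(" ".join(fields[1:6]), TIMESTAMP_FORMAT)
        expires = datetime.strptime(" ".join(fields[6:11]), TIMESTAMP_FORMAT)
        entries.append(BannedEntry(fields[0], created, expires, fields[11]))
    return entries

def ban_duration_seconds(entry: BannedEntry) -> int:
    """Length of the quarantine; this reflects the expiry configured in the profile."""
    return int((entry.expires - entry.created).total_seconds())

def active_entries(entries: List[BannedEntry], now: datetime) -> List[BannedEntry]:
    """Entries that are still blocking traffic at 'now' (expired rows are excluded)."""
    return [e for e in entries if e.created <= now < e.expires]

def count_by_cause(entries: List[BannedEntry]) -> Dict[str, int]:
    """Number of bans per cause (IPS, DLP, AV, APP, ...), handy for triage reporting."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.cause] = counts.get(e.cause, 0) + 1
    return counts
```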

Related options:

  1. Add/delete an entry:


In order to add an entry, see Technical Tip: How to ban or quarantine an IP with FortiView and CLI in FortiGate.
To delete an entry, see Technical Tip: Remove Banned IP.

  2. Show statistics.


To view the number of entries in the list:


FGT# diagnose user banned-ip stat
iph_size=2


  3. Clear the list.


Run the following command to clear the whole list:


FGT# diagnose user banned-ip clear

 

IP ban using security profiles:

Configure an antivirus profile:

FGT# config antivirus profile
    edit <name>
        config nac-quar
            set infected quar-src-ip
            set expiry <duration>
        end
    next
end

 

View the banned IP address:

FGT# diagnose user banned-ip list
src-ip-addr       created                  expires                  cause
172.16.200.55     Wed Jan 17 13:06:05 2024 Wed Jan 17 13:08:05 2024 AV

 

Configure the application control profile:

FGT# config application list
    edit <name>
        config entries
            edit <id>
                set quarantine attacker
                set quarantine-expiry <duration>
            next
        end
    next
end

 

View the banned IP address:

FGT# diagnose user banned-ip list
src-ip-addr       created                  expires                  cause
172.16.200.55     Thu Jan 18 07:17:13 2024 Thu Jan 18 07:22:13 2024 APP

 

Configure the DLP profile:

FGT# config dlp profile
    edit <name>
        config rule
            edit <id>
                set proto <protocols>
                set action quarantine-ip
                set expiry <duration>
            next
        end
    next
end

 

View the banned IP address:

FGT# diagnose user banned-ip list
src-ip-addr       created                  expires                  cause
172.16.200.55     Thu Jan 18 07:03:03 2024 Thu Jan 18 07:05:03 2024 DLP

 

Configure the IPS profile:

FGT# config ips sensor
    edit <name>
        config entries
            edit <id>
                set quarantine attacker
                set quarantine-expiry <duration>
            next
        end
    next
end

 

View the banned IP address:

FGT# diagnose user banned-ip list
src-ip-addr       created                  expires                  cause
172.16.200.55     Thu Jan 18 06:42:06 2024 Thu Jan 18 06:44:06 2024 IPS

 

Related article:

Technical Tip: Viewing Banned User List using the CLI