Description
This article describes how to quarantine and unquarantine FortiClient host machines using FortiGate.
For prerequisites, refer to the Related articles section.
Scope
FortiClient EMS and FortiGate.
Solution
To quarantine a managed FortiClient via FortiGate:
diagnose endpoint fctems queue-complete-calls Q-X.X.X.X <- Where X.X.X.X is the IPv4 address of the FortiClient host machine.
To un-quarantine a managed FortiClient via FortiGate:
diagnose endpoint fctems queue-complete-calls U-X.X.X.X <- Where X.X.X.X is the IPv4 address of the FortiClient host machine.
Note that the command only queues the call on FortiGate; whether the endpoint is actually quarantined depends on FortiGate being able to match the address to a managed endpoint (see the default gateway requirement below).
Accepted Syntax:
diagnose endpoint fctems queue-complete-calls
Pass a single argument with the format of <call>[,<call>[,<call>[,...]]].
Each <call> is in the following format: <CallType>-<IPv4>.
Valid examples:
Q-172.16.40.67,U-172.16.40.169
Q-172.16.41.78
Invalid examples:
Q-ab:cd:ef:12:34:56 (No <IPv4>)
q-172.16.40.67 (Invalid <CallType>)
On a multi-VDOM FortiGate, each call must also carry the numeric VDOM index (<vfid>):
diagnose endpoint fctems queue-complete-calls
Pass a single argument with the format of <call>[,<call>[,<call>[,...]]].
Each <call> is in the following format: <CallType>-<IPv4>-<vfid>.
Valid examples:
Q-172.16.40.67-0
Q-172.16.41.78-0,U-172.16.40.25-2
Invalid examples:
Q-ab:cd:ef:12:34:56 (No <IPv4> and <vfid>)
Q-172.16.40.67-root (a VDOM name is not a valid <vfid>; use the numeric VDOM index, e.g. 0 for root)
q-172.16.40.67-0 (Invalid <CallType>)
Results:
diagnose endpoint fctems queue-complete-calls Q-10.115.2.52
SUCCESS! Queued the <call> 'Q-10.115.2.52'.
<call> stats: total=1, valid=1, queued=1.
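The <call> grammar above is easy to get wrong when building a list for several endpoints (lower-case call type, a MAC instead of an IPv4, a VDOM name instead of its index), and FortiGate rejects the whole argument or, worse, queues a call that fcnacd cannot act on. The following shell helper, added here as an example and not part of the article or of any Fortinet tool, validates calls against the grammar quoted above and builds the full diagnose command line from a list of addresses. The function names, the "single"/"multi" mode names and the addresses used are assumptions; the script only builds and checks the command string and does not talk to a FortiGate.

```shell
#!/usr/bin/env sh
# Build and validate the <call> list for:
#   diagnose endpoint fctems queue-complete-calls <call>[,<call>...]
# Grammar (from the FortiOS help text quoted above):
#   single VDOM : <CallType>-<IPv4>
#   multi-VDOM  : <CallType>-<IPv4>-<vfid>
#   <CallType> is Q (quarantine) or U (un-quarantine), upper-case only.
#   <vfid> is the numeric VDOM index (0 for root), not the VDOM name.
# Function and mode names ("single"/"multi") are this example's own.

# is_ipv4 ADDR : succeeds only for a dotted quad with each octet 0-255.
is_ipv4() {
  addr_=$1
  oldifs_=$IFS; IFS=.
  set -- $addr_
  IFS=$oldifs_
  [ $# -eq 4 ] || return 1
  for octet_ in "$@"; do
    case $octet_ in ''|*[!0-9]*) return 1 ;; esac   # empty or non-numeric octet
    [ "$octet_" -le 255 ] || return 1
  done
  return 0
}

# validate_call CALL MODE : succeeds if CALL matches the grammar for MODE
# ("single" or "multi"); fails on q/u call types, non-IPv4 hosts, and
# missing or non-numeric <vfid> in multi mode.
validate_call() {
  call_=$1 mode_=${2:-single}
  type_=${call_%%-*}
  rest_=${call_#*-}
  [ "$call_" != "$rest_" ] || return 1              # no '-' separator at all
  case $type_ in Q|U) ;; *) return 1 ;; esac        # call type is case-sensitive
  case $mode_ in
    single)
      is_ipv4 "$rest_" || return 1
      ;;
    multi)
      ip_=${rest_%-*}
      vfid_=${rest_##*-}
      [ "$rest_" != "$ip_" ] || return 1            # no <vfid> present
      is_ipv4 "$ip_" || return 1
      case $vfid_ in ''|*[!0-9]*) return 1 ;; esac  # VDOM name instead of index
      ;;
    *) return 2 ;;
  esac
  return 0
}

# validate_call_list LIST MODE : succeeds only if every comma-separated call is valid.
validate_call_list() {
  list_=$1 lmode_=$2
  [ -n "$list_" ] || return 1
  oldifs_=$IFS; IFS=,
  set -- $list_
  IFS=$oldifs_
  for c_ in "$@"; do
    validate_call "$c_" "$lmode_" || return 1
  done
  return 0
}

# build_calls MODE VFID TYPE IP... : print the comma-joined <call> argument applying
# TYPE (Q or U) to every IP; VFID is used only in multi mode. Prints nothing and
# fails on the first bad address so a partially wrong list is never queued.
build_calls() {
  bmode_=$1 bvfid_=$2 btype_=$3; shift 3
  [ $# -gt 0 ] || return 1
  out_=""
  for ip_ in "$@"; do
    if [ "$bmode_" = multi ]; then bcall_="$btype_-$ip_-$bvfid_"; else bcall_="$btype_-$ip_"; fi
    validate_call "$bcall_" "$bmode_" || return 1
    out_="${out_:+$out_,}$bcall_"
  done
  printf '%s\n' "$out_"
}

# fctems_command MODE VFID TYPE IP... : the complete FortiOS CLI line to paste into
# the FortiGate console (sending it over SSH is left to the operator).
fctems_command() {
  calls_=$(build_calls "$@") || return 1
  printf 'diagnose endpoint fctems queue-complete-calls %s\n' "$calls_"
}

# Constructed example: quarantine two endpoints in VDOM index 0 of a multi-VDOM unit.
fctems_command multi 0 Q 172.16.40.67 172.16.41.78
```

Run the script as-is to see the generated command, or source it and call fctems_command with your own mode, VDOM index, call type and addresses; a non-zero exit means one of the addresses would have produced an invalid <call> and nothing should be sent to the FortiGate.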
For the quarantine and un-quarantine features to work, FortiGate must be able to match the address in the call to a managed endpoint it has seen traffic from. In practice this means managed endpoints must use FortiGate as their default gateway, either on a directly connected interface or over a VPN tunnel that terminates on FortiGate, and they must be able to reach both FortiClient EMS and FortiOS.
Below is the debug output for an endpoint that does not use FortiGate as its default gateway. The queue command still reports SUCCESS, so that message alone does not confirm the quarantine; the fcnacd debug shows that the daemon has no record of the client and cannot act on the call.
diagnose endpoint fctems queue-complete-calls Q-10.115.2.52
SUCCESS! Queued the <call> 'Q-10.115.2.52'.
<call> stats: total=1, valid=1, queued=1.
diagnose debug app fcnacd -1 <- Enable full debug output for the fcnacd (endpoint control) daemon; turn it off afterwards with 'diagnose debug app fcnacd 0' and 'diagnose debug disable'.
diagnose debug enable
[_renew_resolver:219] called.
[ec_daemon_submit_quar_client_act:59] Could not find record of client 10.115.2.52 at vfid 0
[ec_ez_worker_base_prep_resolver:372] Outgoing interface index 0 for 2 (EMS-Server).
These features can be used for both on-fabric (on-premises) and off-fabric (off-premises) managed FortiClients. On-fabric endpoints sit on a directly connected FortiGate interface; off-fabric endpoints can reach FortiGate through an auto-connect VPN tunnel, which satisfies the default gateway requirement above.
Related articles:
Copyright 2024 Fortinet, Inc. All Rights Reserved.