FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
tnaik
Staff
Article Id 189456

Description


This article explains why a quarantined IP address is lost after a reboot.

 

Scope

 

FortiGate.

Solution


The quarantine user list is removed after a device reboot or shutdown because the list is held in volatile memory.
A source 'ban IP' entry is kept in the kernel rather than in any specific application engine, and it can be queried through APIs.

Even if an address shows as quarantined before a reboot or upgrade, no quarantined user/IP will be found in the backup configuration file, because the quarantine list is not part of the configuration.
The monitor list is a log used for monitoring; it is not synchronized to the secondary firewall, so the same behavior is seen when the device is in HA.

Follow the steps below to ban a quarantined IP with FortiView in FortiGate:

To ban a source IP, go to FortiView -> Sources, select the source to ban, and select Ban IP.

After selecting Ban IP, specify the ban type. In this case 'Permanent' has been selected.

To view the banned IP in the GUI, go to Monitor -> Quarantine Monitor.

It is also possible to view the quarantined IP using the CLI:

diagnose user quarantine list

After a reboot or firmware upgrade, the IP address is removed from the Quarantine Monitor list.

From the CLI, the same command no longer shows the entry:

diagnose user quarantine list

Best Practices:
This is expected behavior. If a permanent quarantine is required, configure a firewall policy to block the address instead: a firewall policy is part of the saved configuration, so it survives a reboot or firmware upgrade and is synchronized to the secondary unit in an HA cluster.
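The persistent alternative described above, as an added CLI example that is not part of the original article: an address object plus a deny policy. It assumes the offending host is 192.0.2.10 (a constructed documentation-range address), that traffic enters on port1 and leaves on port2, and that policy ID 1 is the first allow policy; <deny-id> is a placeholder for the ID FortiOS assigns to the new policy.

```fortios
# Added example (not from the KB article): persistent block for a banned source.
# Assumptions: host 192.0.2.10, ingress port1, egress port2, first allow policy ID 1.
# Unlike a quarantine entry, this is stored in the configuration, survives reboot
# and firmware upgrade, and is synchronized to the secondary unit in HA.

# 1. Address object for the host to block
config firewall address
    edit "BLOCK_192.0.2.10"
        set subnet 192.0.2.10 255.255.255.255
        set comment "Permanent block (replaces volatile quarantine entry)"
    next
end

# 2. Deny policy matching that source; logging keeps the blocked hits visible
config firewall policy
    edit 0
        set name "Deny_banned_source"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "BLOCK_192.0.2.10"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# 3. Policies are matched top-down: move the deny policy above the first allow
#    policy so the banned source never matches a permitting rule.
#    Replace <deny-id> with the ID assigned in step 2 (see 'show firewall policy').
config firewall policy
    move <deny-id> before 1
end

# 4. Confirm the block is part of the saved configuration
show firewall policy
```

After a reboot, 'show firewall policy' still lists the deny policy, whereas 'diagnose user quarantine list' would be empty.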