Description
This article discusses about the Quarantine IP address lost after reboot.
Scope
FortiGate.
Solution
The quarantine user list will be removed after device reboot/shut down because the list is saved in volatile memory.
Source 'ban IP' is kept in the kernel rather than in any specific application engine and can be queried by APIs.
Before reboot or upgrade, if address is showing as quarantine, any quarantine user/IP in the backup configuration file cannot be found.
Monitor list is a log for monitoring and it will not sync over to the secondary firewall hence it will also show same behavior when the device is in HA.
Follow the below steps to Ban quarantine IP with FortiView in FortiGate:
To block quarantine IP, go to FortiView -> Sources and select the source to ban and select Ban IP:
diagnose user quarantine list
This is an expected behavior, configure the firewall policy to block instead, if permanent quarantine is required.