FortiGate
Rathan_FTNT, Staff
Article Id 196765
Description
This article describes how to view and control compromised hosts via the Security Fabric -> Physical Topology or Security Fabric -> Logical Topology view.

Solution
In the following topology, the downstream FortiGate (Marketing) is connected to the root FortiGate (Edge) through a FortiSwitch (Distribution).
The Endpoint Host is connected to the downstream FortiGate (Marketing) through another FortiSwitch (Access).

Follow these three procedures:

To view the compromised endpoint host:

1) Test that FortiGate detects a compromised endpoint host by opening a browser on the endpoint host and entering a malicious website URL. The browser displays a 'Web Page Blocked!' warning and does not allow access to the website.

2) In FortiOS on the root FortiGate, go to Security Fabric -> Physical Topology. The endpoint host, connected to the access FortiSwitch, is highlighted in red.
Mouse over the endpoint host to view a tool tip that shows the IoC verdict.
The endpoint host is compromised.
3) Go to Security Fabric -> Logical Topology.
The endpoint host, connected to the downstream FortiGate, is highlighted in red.
Mouse over the endpoint host to view a tool tip that shows the IoC verdict.
The endpoint host is compromised.
To quarantine the compromised endpoint host:

1) In FortiOS on the root FortiGate, go to Security Fabric -> Physical Topology.
2) Select the endpoint host and select Quarantine Host. Select OK in the confirmation dialog.
3) Go to Monitor -> Quarantine Monitor. From the dropdown list at the top right corner, select All FortiGates. The quarantined endpoint host displays in the content pane.
4) On the endpoint host, open a browser and visit a website such as https://www.fortinet.com/. If the website cannot be accessed, this confirms that the endpoint host is quarantined.

To run diagnose commands:

1) To show the downstream FortiGate after it joins the Security Fabric, run the diagnose sys csf downstream command in the root FortiGate (Edge) CLI.
Edge # diagnose sys csf downstream
1: FG101ETK18-----7 (192.168.7.3) Management-IP: 0.0.0.0 Management-port:0 parent: FG201ETK18-----4
path:FG201ETK18-----4:FG101ETK18-----7
data received: Y downstream intf:wan1 upstream intf:vlan70 admin-port:443
authorizer:FG201ETK18-----4
2) To show the upstream FortiGate after the downstream FortiGate joins the Security Fabric, run the diagnose sys csf upstream command in the downstream FortiGate (Marketing) CLI.
Marketing # diagnose sys csf upstream
Upstream Information:
Serial Number:FG201ETK1-----14
IP:192.168.7.2
Connecting interface:wan1
Connection status:Authorized
3) To show the quarantined endpoint host in the connected FortiGate, run the following command in the downstream FortiGate (Marketing) CLI. The output lists each quarantine target and the MAC address(es) held under it, with the description noting that the quarantine was applied manually.
Marketing # show user quarantine
config user quarantine
    config targets
        edit "PC2"
            set description "Manually quarantined"
            config macs
                edit 00:0c:29:3d:89:39
                    set description "manual-qtn Hostname: PC2"
                next
            end
        next
    end
end
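When the quarantine list is checked from a script rather than from the GUI (for example, to reconcile what Quarantine Monitor shows against what each FortiGate actually holds), the show user quarantine output above has to be parsed. The following is an added example, not Fortinet code: it implements a small parser for the generic FortiOS config/edit/set/next/end block grammar, so it handles any nesting depth and not only the single target shown in this article, then flattens the user quarantine table into one record per quarantined MAC. The sample text embedded in the block is constructed to mirror the article's listing (target PC2 with one MAC); the function names parse_fortios_config and quarantined_hosts are this example's own.

```python
"""Parse FortiOS 'show user quarantine' output into quarantined-host records.

Added example, not Fortinet code. The sample below is constructed to mirror
the CLI listing in this article (one target, PC2, with one quarantined MAC).
"""
from __future__ import annotations

import re
import shlex
from typing import Any

# Constructed sample that mirrors the article's 'show user quarantine' output.
SAMPLE_SHOW_OUTPUT = """\
config user quarantine
    config targets
        edit "PC2"
            set description "Manually quarantined"
            config macs
                edit 00:0c:29:3d:89:39
                    set description "manual-qtn Hostname: PC2"
                next
            end
        next
    end
end
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def parse_fortios_config(text: str) -> dict[str, Any]:
    """Turn FortiOS config/edit/set/next/end blocks into nested dicts.

    'config NAME' opens a table and 'edit ID' opens an entry in it; both
    become a nested dict keyed by NAME or ID. 'set KEY VALUE...' stores a
    string on the innermost open block. 'next' and 'end' close the innermost
    block. A stack tracks the open blocks so unbalanced input is rejected
    instead of silently producing a partial tree.
    """
    root: dict[str, Any] = {}
    stack: list[dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # respects the quoted names and descriptions
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("config", "edit"):
            block: dict[str, Any] = {}
            stack[-1][" ".join(args)] = block
            stack.append(block)
        elif keyword == "set":
            stack[-1][args[0]] = " ".join(args[1:])
        elif keyword in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"unbalanced {keyword!r} in config text")
            stack.pop()
        else:
            raise ValueError(f"unexpected keyword {keyword!r}: {line}")
    if len(stack) != 1:
        raise ValueError("config text ends inside an open block")
    return root


def quarantined_hosts(config: dict[str, Any]) -> list[dict[str, str]]:
    """Flatten the parsed tree into one record per quarantined MAC address."""
    targets = config.get("user quarantine", {}).get("targets", {})
    hosts: list[dict[str, str]] = []
    for target_name, target in targets.items():
        for mac, entry in target.get("macs", {}).items():
            if not MAC_RE.match(mac):
                raise ValueError(f"entry {mac!r} under {target_name!r} is not a MAC address")
            hosts.append({
                "target": target_name,
                "mac": mac.lower(),
                "description": entry.get("description", ""),
            })
    return hosts


if __name__ == "__main__":
    for host in quarantined_hosts(parse_fortios_config(SAMPLE_SHOW_OUTPUT)):
        print(f"{host['mac']}  target={host['target']}  {host['description']}")
```

Feed the function the text captured from the CLI of each Fabric member and compare the resulting MAC lists against the Quarantine Monitor view; a MAC that appears on one FortiGate but not in the monitor, or vice versa, is the discrepancy worth investigating. The parser rejects unbalanced next/end so a truncated capture fails loudly rather than yielding an empty (and misleadingly clean) host list.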