FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
jcastellanos
Staff
Article Id 396659
Description
This article describes how to handle a scenario where FortiProxy bans a source IP randomly without any configuration related to quarantine.
Scope
FortiProxy 7.4.x.
Solution
A source IP may be banned even though no quarantine feature is enabled in the configuration.
 
The admin may observe a 'NAC quarantine' event log with duration=0:
 
date=2025-03-18 time=12:41:27 devname="fortiproxyCC" devid="XXX" eventtime=1742312487710926992 tz="-0300" logid="0100043776" type="event" subtype="system" level="notice" vd="root" logdesc="NAC quarantine" srcip=10.199.35.119 dstip=142.251.133.238 src_int="vlan30" dst_int="vlan80" srcport=52319 dstport=443 proto=6 service="https" action="ban-ip" user="F59225" group="InternetRedesCompartirArchivos" policyid=78 banned_src="dlp" banned_rule="ControlEjecutables" profile="ControlEjecutables" duration=0 msg="An automatic ban was created"
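To triage such events across a log export, the following added example (not part of this article or of FortiProxy) parses FortiProxy key=value event lines and flags the symptom described here: a 'NAC quarantine' ban-ip event raised by DLP with duration=0. The second sample line is constructed for contrast; the first is the line shown above.

```python
import re

# Sample events: the first is the log line from this article, the second is a
# constructed administrator-initiated ban used only to show a non-matching event.
SAMPLE_LOGS = [
    'date=2025-03-18 time=12:41:27 devname="fortiproxyCC" devid="XXX" '
    'eventtime=1742312487710926992 tz="-0300" logid="0100043776" type="event" '
    'subtype="system" level="notice" vd="root" logdesc="NAC quarantine" '
    'srcip=10.199.35.119 dstip=142.251.133.238 src_int="vlan30" dst_int="vlan80" '
    'srcport=52319 dstport=443 proto=6 service="https" action="ban-ip" user="F59225" '
    'group="InternetRedesCompartirArchivos" policyid=78 banned_src="dlp" '
    'banned_rule="ControlEjecutables" profile="ControlEjecutables" duration=0 '
    'msg="An automatic ban was created"',
    'date=2025-03-18 time=12:45:02 devname="fortiproxyCC" logid="0100043776" '
    'type="event" subtype="system" logdesc="NAC quarantine" srcip=10.199.35.120 '
    'action="ban-ip" banned_src="admin" duration=300 msg="Constructed admin ban"',
]

# key=value pairs; quoted values may contain spaces, unquoted values may not.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortinet_log(line):
    """Parse one FortiProxy event line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def is_unexpected_dlp_ban(event):
    """True for the symptom in this article: a NAC quarantine ban-ip from DLP
    with duration=0, i.e. a ban no quarantine rule asked for."""
    return (event.get("logid") == "0100043776"
            and event.get("action") == "ban-ip"
            and event.get("banned_src") == "dlp"
            and event.get("duration") == "0")


def find_unexpected_bans(lines):
    """Return (srcip, banned_rule, date, time) for every event needing triage."""
    hits = []
    for line in lines:
        ev = parse_fortinet_log(line)
        if is_unexpected_dlp_ban(ev):
            hits.append((ev.get("srcip"), ev.get("banned_rule"),
                         ev.get("date"), ev.get("time")))
    return hits


if __name__ == "__main__":
    for hit in find_unexpected_bans(SAMPLE_LOGS):
        print("unexpected DLP ban:", hit)
```

The same filter can be applied to a FortiAnalyzer or syslog export of the event log to list which source IPs were affected before the ban entries are cleared.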
 
The admin can collect the output of the following commands to get additional information:
 
diagnose sys scanunit stats
diagnose wad stats worker
diagnose wad worker filter list
 
In the DLP profile configuration, none of the rule actions is set to 'Quarantine':
 
config dlp profile
  edit "ControlEjecutables"
        config rule
            edit 2
                set name "ExcepcionesEjecutables"
                set severity high
                set proto http-get http-post ftp
                set file-type 6
                set action log-only
            next
            edit 3
                set name "BloqueoEjecutables"
                set severity high
                set proto http-get http-post ftp
                set file-type 3
                set action block
            next
        end
        set nac-quar-log enable
    next
end
 
The issue could be related to known bug 1111368, which has been resolved in version 7.4.9.
 
If the issue is encountered in version 7.4.9, open a TAC ticket for further analysis.