Fortinet Community

DanieleS99 · ‎03-15-2022

Hi,

I have a problem with the quarantine with the "ip_src_session" of a Dos policy.

The Policy is also set to Block and the log "anomaly" returns the ip that exceed the threshold of 200.

But the IP doesn't go to quarantine...

Obviously I set the quarantine commands via cli.

Commands: set quarantine-attacker and set quarantine-expiry 1d.

Another thing: I have a Dos policy before this that for a specific source address don't do anything.

Is a exception for a specific source IP to understand, but I don't think it matters much.

Anyone can help me?

AlexC-FTNT · ‎03-16-2022

It seems there may be different answers for this question depending on the FortiGate hardware and FortiOS version. It does not exclude a bug.

But the log that is generated is important (to see the action taken by FG), as well as the quarantine list and anomaly meters:

diag user quarantine list

diag ips anomaly list

- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -

DanieleS99 · ‎03-16-2022

I have Fortigate 400E bypass with v 7.0.3.

if I use the command "diag ips anomaly list" I see a series of ip addresses that are not present in the "anomaly" GUI...

The quarantine list is empty.

If i configure the quarantine part for an IPS rule it works....

AlexC-FTNT · ‎03-17-2022

I think you need to open a support ticket for this (may be a bug?!)

- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -

DanieleS99 · ‎03-23-2022

Hi, I understand finally why.

After configure the Dos policy, I disable and re-enable the logging options of "ip_src_session" and the Dos policy correctly ban the ip.

Seems to be a bug...

Thanks

Quarantine on Dos Policy doesn't work