I have a problem with the quarantine with the "ip_src_session" of a DoS policy.
The policy is also set to Block and the "anomaly" log returns the IP that exceeds the threshold of 200.
But the IP doesn't go to quarantine...
Obviously I set the quarantine commands via CLI.
Commands: set quarantine-attacker and set quarantine-expiry 1d.
Another thing: I have a DoS policy before this one that, for a specific source address, doesn't do anything.
It is an exception for a specific source IP, just so you understand, but I don't think it matters much.
Can anyone help me?
It seems there may be different answers for this question depending on the FortiGate hardware and FortiOS version. A bug cannot be ruled out.
But the log that is generated is important (to see the action taken by FG), as well as the quarantine list and anomaly meters:
diag user quarantine list
diag ips anomaly list
I have a FortiGate 400E bypass with v7.0.3.
If I use the command "diag ips anomaly list" I see a series of IP addresses that are not present in the "anomaly" GUI...
The quarantine list is empty.
If I configure the quarantine part for an IPS rule it works...
I think you need to open a support ticket for this (maybe a bug?!)
Hi, I finally understand why.
After configuring the DoS policy, I disabled and re-enabled the logging options of "ip_src_session" and the DoS policy correctly banned the IP.
Seems to be a bug...