Fortinet Forum
DanieleS99
New Contributor III

Quarantine on Dos Policy doesn't work

Hi,

I have a problem with the quarantine for "ip_src_session" in a DoS policy.

The policy is also set to Block, and the "anomaly" log returns the IP that exceeds the threshold of 200.

But the IP doesn't go to quarantine...

Obviously I set the quarantine commands via the CLI.

Commands: set quarantine-attacker and set quarantine-expiry 1d.

Another thing: I have a DoS policy before this one that, for a specific source address, doesn't do anything.

It's an exception for a specific source IP, to be clear, but I don't think it matters much.

Can anyone help me?

AlexC-FTNT
Staff

It seems there may be different answers to this question depending on the FortiGate hardware and FortiOS version. It does not exclude a bug.

But the log that is generated is important (to see the action taken by the FG), as well as the quarantine list and anomaly meters:

diag user quarantine list

diag ips anomaly list


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
DanieleS99

I have a FortiGate 400E bypass with v7.0.3.

If I use the command "diag ips anomaly list", I see a series of IP addresses that are not present in the "anomaly" GUI...

The quarantine list is empty.

If I configure the quarantine part for an IPS rule, it works...

AlexC-FTNT
Staff

I think you need to open a support ticket for this (maybe a bug?!)


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
DanieleS99

Hi, I finally understand why.

After configuring the DoS policy, I disabled and re-enabled the logging options of "ip_src_session", and now the DoS policy correctly bans the IP.

Seems to be a bug...

Thanks
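The DoS policy setup this thread is about, written out as an added example (not the poster's own configuration): an exception policy for one source address evaluated first, then a policy that blocks "ip_src_session" above 200 sessions and quarantines the attacker for 1 day, followed by the two diagnose commands AlexC-FTNT suggests for checking the result. The interface name "port1", the policy IDs and the address object "trusted-scanner" are assumptions, and lines starting with "#" are annotations rather than CLI input.

```fortios
# Policy 1: exception for one trusted source, must come first because
# DoS policies are matched top-down.
config firewall DoS-policy
    edit 1
        set name "dos-exception"
        set interface "port1"
        set srcaddr "trusted-scanner"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            edit "ip_src_session"
                set status disable
            next
        end
    next
    # Policy 2: everyone else. Log, block, and quarantine the source for 1 day.
    edit 2
        set name "dos-quarantine"
        set interface "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            edit "ip_src_session"
                set status enable
                set log enable
                set action block
                set quarantine attacker
                set quarantine-expiry 1d
                set quarantine-log enable
                set threshold 200
            next
        end
    next
end

# Verification: per-source anomaly counters, then the quarantine table.
diagnose ips anomaly list
diagnose user quarantine list
```

If the anomaly log shows the threshold being exceeded while the quarantine list stays empty, the workaround reported in this thread was to disable and re-enable logging on the anomaly; since that reads like a bug, a support ticket with the log entry and both diagnose outputs is the right follow-up.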