Thank you thuynh for your reply
In fact, we found that if the device is connected to FortiSwitch or FortiAP
In the LOG record, only quarantine host can be done but not IP banning
If it is not connected to the FortiSwitch or FortiAP device
Banning an IP can be executed by following the steps you described.
Isn't this weird?
I can only look forward to replying to the original FortiView ban IP function as soon as possible.
The FortiSwitch and FortiAP case is intentional as we recommend quarantine MAC (layer 2) over ban-ip (layer 3). However, we can review this behaviour if ban-ip is still desired in this case.
Another workaround you can do is to find the device in the following pages and ban-ip from there
- User & Device dashboard - Device Inventory widget, tooltip action on each entry
- From the above page, you can also right click on the device and find it in FortiView/Log and perform the action there. This can serve as a FortiView search workaround for now.
- WiFi Dashboard - WiFi Client (for device behind FortiAP)
- FortiSwitch client (for device behind FortiSwitch)
- User & Device dashboard - Quarantine widget (all quarantined devices should show here and you can also ban-ip them)