Hi guys, I have traffic going through a FortiGate. For the endpoints that violate the policies defined in the security profiles, I use the IP block when the event is not remedied. Since the IP is on layer 3 and my switches are not Fortinet, whenever the host that is blocked by the IP BAN action changes floor and acquires another one, I get the alerts again: same host and different IP.
What is the best alternative to use to mitigate this scenario?
My switches are Cisco.
Try using MAC-based blocking (Layer 2).
A good solution could be the integration with FortiNAC. You can have the full visibility that FortiNAC gives for the network and integrate that with FortiGate via FSSO. FortiNAC supports a large range of switches from different vendors, including Cisco switches.
Take a look at this integration guide: https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/81bd8eff-3eff-11ea-9384-005056...
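To see why a Layer 2 identifier helps with the repeated alerts described in the question, the following added example (not from any poster in this thread, and not Fortinet code) groups alert log lines by source MAC and lists hosts whose alerts came from more than one IP. The log lines are constructed, and it is an assumption that the FortiGate log entries you export carry both `srcip` and `srcmac`.

```python
import shlex
from collections import defaultdict

# Constructed sample lines in FortiGate key=value style (not from the thread).
# Assumption: each exported entry contains both srcip and srcmac.
SAMPLE_LOGS = """\
date=2024-01-10 time=09:01:12 type="utm" subtype="ips" srcip=10.1.10.25 srcmac="00:11:22:33:44:55" action="dropped"
date=2024-01-10 time=09:05:40 type="utm" subtype="ips" srcip=10.1.20.77 srcmac="66:77:88:99:aa:bb" action="dropped"
date=2024-01-10 time=13:22:03 type="utm" subtype="ips" srcip=10.1.30.14 srcmac="00:11:22:33:44:55" action="dropped"
date=2024-01-11 time=08:47:51 type="utm" subtype="ips" srcip=10.1.40.9 srcmac="00:11:22:33:44:55" action="dropped"
"""


def parse_line(line):
    """Split one key=value log line into a dict, honouring quoted values."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def ips_per_mac(log_text):
    """Map each source MAC to the distinct IPs it used, in first-seen order."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        mac, ip = rec.get("srcmac", "").lower(), rec.get("srcip")
        if mac and ip and ip not in seen[mac]:
            seen[mac].append(ip)
    return dict(seen)


def roaming_hosts(log_text):
    """Hosts whose alerts span several IPs: a ban keyed on IP misses these."""
    return {m: ips for m, ips in ips_per_mac(log_text).items() if len(ips) > 1}


if __name__ == "__main__":
    for mac, ips in roaming_hosts(SAMPLE_LOGS).items():
        print(f"{mac} triggered alerts from {len(ips)} addresses: {', '.join(ips)}")
```
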