Hello,
When I put a host in quarantine, it has network and internet access. Why does that happen?
Hi Reza
Do you have a firewall policy allowing traffic from qtn.root or wqt.something to the internet?
Or do you have a firewall policy allowing traffic from "any" interface to internet?
If you have this then you just need to change it.
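The check suggested above can be done against the text of `show firewall policy`. The script below is an added example and is not from the thread: it parses the CLI output into one record per policy and flags any accept policy whose source interface is "any" or a quarantine interface (qtn.*, wqt.*, quarantine.*) and whose destination interface is a WAN interface you name. The configuration text and the interface name "wan1" are constructed sample data.

```python
import shlex

# Constructed sample of `show firewall policy` output for this example (not from the thread).
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "LAN-to-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set name "Any-to-Internet"
        set srcintf "any"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
    next
    edit 3
        set name "Guest-WiFi"
        set srcintf "wqt.root" "guest"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 4
        set name "Block-Quarantine"
        set srcintf "qtn.root"
        set dstintf "wan1"
        set action deny
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end
"""

# Interface name prefixes FortiOS uses for quarantine interfaces (from the thread).
QUARANTINE_PREFIXES = ("qtn.", "wqt.", "quarantine.")


def parse_policies(text):
    """Turn `show firewall policy` text into a list of dicts: {"id": "2", "srcintf": [...], ...}."""
    policies = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = {"id": line.split(None, 1)[1].strip('"')}
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
        elif line.startswith("set ") and current is not None:
            # shlex handles quoted multi-value lists such as: set srcintf "wqt.root" "guest"
            parts = shlex.split(line)
            current[parts[1]] = parts[2:]
    return policies


def is_quarantine_source(intf):
    """True for "any" (which includes quarantine interfaces) or an explicit quarantine interface."""
    return intf == "any" or intf.startswith(QUARANTINE_PREFIXES) or "quarantine" in intf


def find_leaky_policies(policies, wan_interfaces):
    """Return (id, name, offending srcintf list) for accept policies that let quarantine traffic reach WAN."""
    leaky = []
    for p in policies:
        # FortiOS policies default to deny when no action is set.
        if p.get("action", ["deny"])[0] != "accept":
            continue
        dst = set(p.get("dstintf", []))
        if "any" not in dst and not (dst & set(wan_interfaces)):
            continue
        hits = [i for i in p.get("srcintf", []) if is_quarantine_source(i)]
        if hits:
            leaky.append((p["id"], p.get("name", [""])[0], hits))
    return leaky


if __name__ == "__main__":
    for pid, name, hits in find_leaky_policies(parse_policies(SAMPLE_CONFIG), {"wan1"}):
        print(f"policy {pid} ({name}) allows quarantine traffic to WAN via srcintf {hits}")
```

Policy 1 is clean, policy 4 is a deny and is ignored, and policies 2 and 3 are reported: the first because "any" silently includes the quarantine interfaces, the second because wqt.root was listed explicitly.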
No, I do not have these policies.
Hello @rezafathi ,
It appears that your firewall policy permits access to the internet from the Quarantine subnet. Please check this technical document for troubleshooting.
regards,
Sheikh
IP ban works fine but MAC ban is not working.
If these are WiFi hosts then you need to enable Device detection and Quarantine host at SSID level as shown here. If you check after the hosts get quarantined, they will be shown as part of interface wqt.root (not the WiFi SSID), and by default there should not be a policy that allows network access for this interface.
In case of wired hosts the interface of quarantine is part of the FortiLink named "quarantine.fortilink".
Hi Reza
You can debug the flow and see why the quarantined host is allowed internet access.
When a host is in quarantine, run a ping from this host to any public IP (e.g. 1.1.1.1), and in the meantime run the below commands from FortiGate:
diag debug flow filter addr <quarantined_host_IP>
diag debug flow filter proto 1
diag debug flow show function-name enable
diag debug flow show iprope enable
diag debug flow trace start 50
diag debug enable
Once you have the output, please share it and we should find the information.
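Reading the trace that the commands above produce is the part that usually needs help. The script below is an added example, not from the thread or from Fortinet: it groups `diag debug flow` lines by trace_id, pulls out the ingress interface from print_pkt_detail, the in/out interfaces from iprope_fwd_check, and the verdict from fw_forward_handler, then lists the flows that entered on a quarantine interface and were still accepted, together with the policy ID that allowed them. The sample trace is constructed, and the regular expressions are based on the general shape of these messages; the exact wording differs between FortiOS versions, so adjust the patterns if a field is not picked up.

```python
import re

# Constructed sample of `diag debug flow trace start` output (not from the thread).
# Trace 7: ICMP from a quarantined host is accepted by policy 2. Trace 8: a second host is denied.
SAMPLE_TRACE = """\
id=20085 trace_id=7 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 192.0.2.50:1->1.1.1.1:2048) tun_id=0.0.0.0 from wqt.root. type=8, code=0, id=1, seq=1."
id=20085 trace_id=7 func=init_ip_session_common line=6075 msg="allocate a new session-0000a1b2"
id=20085 trace_id=7 func=iprope_dnat_check line=5283 msg="in-[wqt.root], out-[]"
id=20085 trace_id=7 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=7 func=iprope_fwd_check line=799 msg="in-[wqt.root], out-[wan1], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=20085 trace_id=7 func=__iprope_check_one_policy line=2021 msg="checked gnum-100004 policy-2, ret-matched, act-accept"
id=20085 trace_id=7 func=fw_forward_handler line=880 msg="Allowed by Policy-2: SNAT"
id=20085 trace_id=8 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 192.0.2.51:1->1.1.1.1:2048) tun_id=0.0.0.0 from wqt.root. type=8, code=0, id=1, seq=1."
id=20085 trace_id=8 func=init_ip_session_common line=6075 msg="allocate a new session-0000a1b3"
id=20085 trace_id=8 func=iprope_fwd_check line=799 msg="in-[wqt.root], out-[wan1], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=20085 trace_id=8 func=fw_forward_handler line=880 msg="Denied by forward policy check (policy 0)"
"""

LINE_RE = re.compile(r'trace_id=(\d+)\s+func=(\S+).*?msg="(.*)"\s*$')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\).*?from (\S+)\.')
INTF_RE = re.compile(r'in-\[([^\]]*)\], out-\[([^\]]*)\]')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')

# Interface name prefixes FortiOS uses for quarantine interfaces (from the thread).
QUARANTINE_PREFIXES = ("qtn.", "wqt.", "quarantine.")


def parse_flow_trace(text):
    """Return one dict per trace_id with packet details, interfaces, verdict and policy ID."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tid, func, msg = m.groups()
        flow = flows.setdefault(tid, {"trace_id": tid, "verdict": "unknown", "policy": None})
        if func == "print_pkt_detail":
            p = PKT_RE.search(msg)
            if p:
                flow.update(proto=int(p.group(1)), src=p.group(2), dst=p.group(3), ingress=p.group(4))
        elif func == "iprope_fwd_check":
            i = INTF_RE.search(msg)
            if i:
                flow["in_intf"], flow["out_intf"] = i.group(1), i.group(2)
        elif func == "fw_forward_handler":
            a, d = ALLOW_RE.search(msg), DENY_RE.search(msg)
            if a:
                flow["verdict"], flow["policy"] = "accept", int(a.group(1))
            elif d:
                flow["verdict"], flow["policy"] = "deny", int(d.group(1))
    return list(flows.values())


def quarantine_leaks(flows):
    """Flows that entered on a quarantine interface and were accepted: these name the policy to fix."""
    return [f for f in flows
            if f.get("ingress", "").startswith(QUARANTINE_PREFIXES) and f["verdict"] == "accept"]


if __name__ == "__main__":
    for f in quarantine_leaks(parse_flow_trace(SAMPLE_TRACE)):
        print(f"trace {f['trace_id']}: {f['src']} -> {f['dst']} from {f['ingress']} "
              f"to {f.get('out_intf')} allowed by policy {f['policy']}")
```

On the sample, trace 7 is reported as allowed by policy 2 from wqt.root to wan1, which is exactly the policy ID to look up in the configuration; trace 8 is the expected outcome for a quarantined host (denied by the implicit policy 0) and is not reported.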
Copyright 2024 Fortinet, Inc. All Rights Reserved.