FortiClient
Stephen_G
Moderator
Article Id 300128
Description This article describes how to automatically quarantine endpoints with automation stitches, for example to quarantine an endpoint as soon as a critical vulnerability is detected on it.
Scope

FortiGate, FortiClient EMS and FortiClient.

Solution

When critical vulnerabilities are detected on a host, FortiClient EMS can isolate the affected files and applications through Quarantine Management. However, Quarantine Management is only available for Windows endpoints.


Quarantine Management - FortiClient EMS administration guide (screenshot):

This feature is only supported for Windows endpoints.


To keep vulnerable endpoints of any OS (Linux, Windows or Mac) away from specific resources, tag them with a ZTNA tag in EMS and reference that tag in a deny firewall policy on the FortiGate. To cut a vulnerable host off from the network entirely, quarantine it instead; note, however, that the EMS quarantine feature itself only supports Windows.


Quarantining an endpoint from FortiOS using EMS - FortiClient EMS administration guide (screenshot):

FortiClient (Linux) does not support this feature.


This article will demonstrate the setup of a workaround to quarantine Windows and Linux OSes based on critical vulnerability detection.


Note:

For quarantine to be effective, managed endpoints must use the FortiGate as their default gateway, either through a directly connected interface or through a VPN tunnel, and must be able to reach both FortiClient EMS and the FortiGate.


In this example environment, there is an auto-connect SSL-VPN tunnel established and the endpoint is connected to the FortiClient EMS server through the VPN tunnel.

 


Linux OS.


FortiClient EMS (screenshot).

FortiGate:

diagnose user device list
hosts
  vd root/0  00:0c:29:f3:d3:4c  gen 11  req 0
    created 417s  gen 9  seen 417s  wan2  gen 3
    ip 10.212.134.200(b)  src forticlient
    host 'ubuntu'  src forticlient
    user 'ubuntu'  src forticlient
    endpoint '9FC50DBE5C704500BA6730F77676C8B7'


Windows OS.


FortiClient EMS (screenshot).

FortiGate:

diagnose user device list
hosts
  vd root/0  e0:2b:e9:2d:f3:93  gen 15  req 0
    created 55s  gen 13  seen 55s  wan2  gen 4
    ip 10.212.134.200(b)  src forticlient
    host 'DESKTOP-CC1491A'  src forticlient
    user 'Dell'  src forticlient
    endpoint '04A91D9CDF2745FE975157CF57D04FB6'
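The two device-list records above show what the FortiGate must already know about an endpoint before a quarantine can reach it: an IP address learned from FortiClient (src forticlient) and an EMS endpoint ID. The following Python script, added here as an illustration and not part of the article or of any Fortinet tool, parses saved 'diagnose user device list' output into records and lists the IPs that satisfy that condition, so the srcip values seen later in vulnerability logs can be checked against it before the stitch is enabled. The sample output is constructed from the article's two records (the Windows host's address is changed so the two hosts differ) plus a made-up non-FortiClient entry with an invented source label; treating 'src forticlient' together with an endpoint ID as the precondition for quarantine is this example's own assumption.

```python
import re
from typing import Dict, List, Optional

# Constructed sample output: the article's Linux and Windows records
# (Windows IP changed to .201) plus an invented non-FortiClient device.
SAMPLE_OUTPUT = """hosts
  vd root/0  00:0c:29:f3:d3:4c  gen 11  req 0
    created 417s  gen 9  seen 417s  wan2  gen 3
    ip 10.212.134.200(b)  src forticlient
    host 'ubuntu'  src forticlient
    user 'ubuntu'  src forticlient
    endpoint '9FC50DBE5C704500BA6730F77676C8B7'
  vd root/0  e0:2b:e9:2d:f3:93  gen 15  req 0
    created 55s  gen 13  seen 55s  wan2  gen 4
    ip 10.212.134.201(b)  src forticlient
    host 'DESKTOP-CC1491A'  src forticlient
    user 'Dell'  src forticlient
    endpoint '04A91D9CDF2745FE975157CF57D04FB6'
  vd root/0  00:11:22:33:44:55  gen 16  req 0
    created 10s  gen 14  seen 10s  wan2  gen 5
    ip 10.212.134.250(b)  src other
    host 'printer'  src other
"""

# One record starts at a 'vd <vdom> <mac>' line; the indented lines that
# follow belong to it.
_REC = re.compile(r"^vd (\S+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})")
_IP = re.compile(r"^ip ([0-9.]+)(?:\((\w+)\))?(?:\s+src (\S+))?")
_QUOTED = re.compile(r"^(host|user|endpoint) '([^']*)'(?:\s+src (\S+))?")
_SEEN = re.compile(r"seen (\d+)s\s+(\S+)")


def parse_device_list(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse 'diagnose user device list' output into one dict per device."""
    records: List[Dict[str, Optional[str]]] = []
    cur: Optional[Dict[str, Optional[str]]] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _REC.match(line)
        if m:
            cur = {"vdom": m.group(1), "mac": m.group(2), "ip": None,
                   "ip_src": None, "host": None, "user": None,
                   "endpoint": None, "iface": None, "seen_s": None}
            records.append(cur)
            continue
        if cur is None:          # header line such as 'hosts'
            continue
        if (m := _IP.match(line)):
            cur["ip"], cur["ip_src"] = m.group(1), m.group(3)
        elif (m := _QUOTED.match(line)):
            cur[m.group(1)] = m.group(2)   # host / user / endpoint
        elif (m := _SEEN.search(line)):
            cur["seen_s"], cur["iface"] = int(m.group(1)), m.group(2)
    return records


def quarantinable_by_ip(records) -> Dict[str, Dict[str, Optional[str]]]:
    """IP -> record for devices learned from FortiClient that carry an EMS
    endpoint ID. Assumption of this example: only such devices can be
    addressed by an EMS quarantine keyed on srcip."""
    return {r["ip"]: r for r in records
            if r["ip_src"] == "forticlient" and r["endpoint"]}


if __name__ == "__main__":
    for ip, rec in quarantinable_by_ip(parse_device_list(SAMPLE_OUTPUT)).items():
        print(f"{ip:16} {rec['host']:16} endpoint {rec['endpoint']}")
```

Paste real command output in place of SAMPLE_OUTPUT; any srcip that appears in vulnerability logs but not in this map is an endpoint the FortiGate does not see through FortiClient, which is the first thing to investigate when a quarantine does not take effect.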


FortiClient runs vulnerability scans according to its EMS endpoint profile and reports every vulnerability record to FortiClient EMS, which forwards the records to the FortiGate over the FortiTelemetry connection.


On the FortiGate, these records appear as endpoint event logs (Log and Report -> System Event -> Endpoints Event). Download one of them: its field names and values are what the automation trigger matches on and what the action script can reference.


date=2024-02-14 time=21:23:57 eventtime=1705037037002219460 tz="-0800" logid="0107045071" type="event" subtype="endpoint" level="notice" vd="root" logdesc="FortiClient Vulnerability Scan" fctuid="3DA7882B6A1641BFA6C531B1DF8B3EF7" scantime=1705065851 srcip=10.212.134.200 srcname="DESKTOP-74GOVRE" srcmac="e0-db-55-c3-2b-d6" vulnid=4392 vulnname="Security Vulnerabilities fixed in Adobe Acrobat APSA11-04" vulncat="Applications" severity="Critical" cveid="CVE-2011-2462" vendorurl="https://www.adobe.com/support/security/advisories/apsa11-04.html" msg="Endpoint Vulnerability Scan Entry."


  1. Automation Trigger

A log-based trigger fires only when every criterion matches: the log ID and each configured field. Here the trigger matches log ID 45071 (the 'FortiClient Vulnerability Scan' event) and fires only when the severity field is Critical.



config system automation-trigger
    edit "FortiClient Vulnerability Scan"
        set event-type event-log
        set logid 45071
        config fields
            edit 1
                set name "severity"
                set value "Critical"
            next
        end
    next
end


  2. Automation Action.

The action must quarantine whichever endpoint the triggering log names, so the script takes the srcip value (srcip=10.212.134.200 in the sample log) through the %%srcip%% placeholder. The script runs under the administrator profile set in accprofile; super_admin is the built-in full-access profile, so prefer a profile with no more rights than the script needs where one is available. Because a vulnerability scan writes one log entry per finding, the stitch fires, and the action is queued, once per critical finding on a host. Before attaching the action to a stitch, run the script by hand with a known endpoint IP and confirm that both EMS and FortiOS then show the endpoint as quarantined.



 

config system automation-action
    edit "Quarantine Endpoints"
        set action-type cli-script
        set script "diagnose endpoint fctems queue-complete-calls Q-%%srcip%%"
        set accprofile "super_admin"
    next
end


  3. Automation Stitches.

Finally, create the automation stitch by linking the trigger to the action.



config system automation-stitch
    edit "Automate Quarantine"
        set trigger "FortiClient Vulnerability Scan"
        config actions
            edit 1
                set action "Quarantine Endpoints"
                set required enable
            next
        end
    next
end
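To see how the three objects work together, here is a Python re-implementation, added for this article and not FortiOS code, of the evaluation the stitch performs: parse a raw event log into fields, check the trigger (log ID 45071 and severity=Critical, all criteria required) and substitute the %%srcip%% placeholder into the action script. The sample log lines are constructed; the first is trimmed from the entry shown earlier and deliberately keeps the missing space before vendorurl to show that the parser copes with it. Two things are this example's assumptions rather than documented FortiOS behaviour: that the 5-digit ID in 'set logid' corresponds to the trailing digits of the 10-digit logid field, and the per-host de-duplication at the end, which FortiOS does not do and which is only there to show that a host with several critical findings triggers the action once per finding.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample logs. The first is trimmed from the article's entry
# (note the missing space before vendorurl, as on the page); the others
# are variants that exercise the trigger conditions.
SAMPLE_LOGS = [
    'date=2024-02-14 time=21:23:57 logid="0107045071" type="event" '
    'subtype="endpoint" level="notice" vd="root" '
    'logdesc="FortiClient Vulnerability Scan" srcip=10.212.134.200 '
    'srcname="DESKTOP-74GOVRE" vulnid=4392 '
    'vulnname="Security Vulnerabilities fixed in Adobe Acrobat APSA11-04" '
    'severity="Critical" cveid="CVE-2011-2462"vendorurl="https://www.adobe.com/support/security/advisories/apsa11-04.html" '
    'msg="Endpoint Vulnerability Scan Entry."',
    # a second critical finding on the same host: the stitch fires again
    'logid="0107045071" type="event" subtype="endpoint" srcip=10.212.134.200 '
    'vulnid=5001 severity="Critical" msg="Endpoint Vulnerability Scan Entry."',
    # High severity on another host: the field condition fails
    'logid="0107045071" type="event" subtype="endpoint" srcip=10.212.134.201 '
    'vulnid=6002 severity="High" msg="Endpoint Vulnerability Scan Entry."',
    # Critical, but a different log ID: the logid condition fails
    'logid="0107045072" type="event" subtype="endpoint" srcip=10.212.134.202 '
    'severity="Critical" msg="Some other endpoint event."',
]

# Mirrors the article's trigger and action script.
TRIGGER = {"logid": 45071, "fields": {"severity": "Critical"}}
ACTION_SCRIPT = "diagnose endpoint fctems queue-complete-calls Q-%%srcip%%"

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_PLACEHOLDER = re.compile(r"%%(\w+)%%")


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Split a FortiOS key=value log line into a dict. Quoted values may
    contain spaces, and a quoted value directly followed by the next key
    (cveid="..."vendorurl=...) still parses because matching resumes right
    after the closing quote."""
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        quoted, bare = m.group(2), m.group(3)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields


def trigger_matches(log: Dict[str, str], trigger=TRIGGER) -> bool:
    """All criteria must hold: the log ID and every configured field."""
    raw = log.get("logid")
    if raw is None or not raw.isdigit():
        return False
    # Assumption: the 5-digit ID in 'set logid' is the trailing digits of
    # the 10-digit logid field (0107045071 -> 45071).
    if int(raw) % 1_000_000 != trigger["logid"]:
        return False
    return all(log.get(k) == v for k, v in trigger["fields"].items())


def render_script(template: str, log: Dict[str, str]) -> str:
    """Substitute %%field%% placeholders from the log. A missing field is an
    error rather than a silently empty argument to the diagnose command."""
    def sub(m: re.Match) -> str:
        name = m.group(1)
        if name not in log:
            raise KeyError(f"log has no field {name!r} for {m.group(0)}")
        return log[name]
    return _PLACEHOLDER.sub(sub, template)


def run_stitch(lines: Iterable[str], trigger=TRIGGER,
               template=ACTION_SCRIPT) -> Tuple[List[str], List[str]]:
    """Evaluate the stitch over a batch of logs. Returns the scripts FortiOS
    would queue (one per matching log) and, as this example's addition, the
    same list de-duplicated by srcip to show how many hosts are affected."""
    fired: List[str] = []
    distinct: List[str] = []
    seen = set()
    for line in lines:
        log = parse_fortios_log(line)
        if not trigger_matches(log, trigger):
            continue
        script = render_script(template, log)
        fired.append(script)
        if log.get("srcip") not in seen:
            seen.add(log.get("srcip"))
            distinct.append(script)
    return fired, distinct


if __name__ == "__main__":
    fired, distinct = run_stitch(SAMPLE_LOGS)
    print(f"{len(fired)} matching log(s), {len(distinct)} distinct host(s)")
    for script in distinct:
        print("  ", script)
```

Feed it downloaded log lines to preview which endpoints a trigger definition would quarantine before enabling the stitch; a KeyError from render_script means a log matched the trigger but carried no srcip, which the script refuses rather than running the action with an empty target.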


  4. Results:

View the results under Asset Identity Center and Quarantine Monitor.


Windows OS:


Go to Security Fabric -> Asset Identity Center (screenshot).

Dashboard -> Quarantine Monitor (screenshots).

 

Quarantine Banner (screenshot).

Similarly, on Linux OS:


Quarantine Banner (screenshots).

 


Adapt the automation action to the fields present in your event logs and to the trigger you configured.