Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rcpdkc
Contributor II

Created on ‎01-11-2024 10:55 AM

Fortinac Check Dns

Hello, how can I quarantine the user's DNS address in fortinac if it is an address other than the DNS address I specified?

Labels:
642
0 Kudos
10 REPLIES 10
AEK
SuperUser
SuperUser

Created on ‎01-11-2024 11:34 AM Edited on ‎01-11-2024 11:36 AM

Hello

I'm not sure to understand what you mean by user's DNS,

but here is how you can quarantine a USER:

  • Go to menu Users & Hosts > Hosts
  • Right-click on the user(s)
  • Click the Disable Users sub menu

On the other hand you can quarantine a HOST this way:

  • Users & Hosts > Hosts
  • Right-click the host(s)
  • Click the Disable sub-menu

Once you do that, the disabled host should go to dead-end/isolation, and any host that the user logs-on will go to dead-end/isolation.

AEK
AEK
573
rcpdkc
Contributor II
In response to AEK

Created on ‎01-11-2024 01:12 PM

 When Windows changes the DNS manually and this DNS address is not the one I specified 

 

559
0 Kudos
ndumaj
Staff
Staff

Created on ‎01-12-2024 12:51 AM

Hello,

well it depends, you can also manually disable that host via host view list or what I can suggest is to use Persistent agent and add custom scan for domain joined users.
https://docs.fortinet.com/document/fortinac/9.4.0/administration-guide/156414/endpoint-compliance

BR

- Happy to help, hit like and accept the solution -
542
ebilcari
Staff
Staff

Created on ‎01-19-2024 07:38 AM

If I understood this correctly, you want to disable port/host in case it uses a DNS other than specified. Since this is not a static configuration value (checked via registry, processes) it can't be identified by the agent scans. It's better to use the Firewall to report this behavior as an incident and than map it to an Action in FNAC to disable the host or mark it as at risk.

 

sec incidents.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
483
rcpdkc
Contributor II
In response to ebilcari

Created on ‎01-19-2024 10:18 AM

I tried to check with registry but can't because it matches another value

464
0 Kudos
AEK
SuperUser
SuperUser
In response to rcpdkc

Created on ‎01-19-2024 10:46 AM Edited on ‎01-19-2024 10:46 AM

I fully agree with @ebilcari , the solution is to detect the traffic at firewall level and to send the event to NAC so it isolates the client.

AEK
AEK
460
rcpdkc
Contributor II
In response to AEK

Created on ‎01-19-2024 12:44 PM

I don't quite understand how to do this

451
0 Kudos
ebilcari
Staff
Staff
In response to rcpdkc

Created on ‎01-22-2024 01:45 AM

You can check this video on Fortinet Video Library for more details.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
361
rcpdkc
Contributor II
In response to ebilcari

Created on ‎01-24-2024 02:05 PM

I don't have this menu, is it licence related?

321
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.