I have a problem with the quarantine with the "ip_src_session" of a DoS policy.
The policy is also set to Block and the "anomaly" log returns the IP that exceeds the threshold of 200.
But the IP doesn't go to quarantine...
Obviously I set the quarantine commands via CLI.
Commands: set quarantine-attacker and set quarantine-expiry 1d.
Another thing: I have a DoS policy before this one that, for a specific source address, doesn't do anything.
It's an exception for a specific source IP, to be clear, but I don't think it matters much.
Can anyone help me?
It seems there may be different answers for this question depending on the FortiGate hardware and FortiOS version. That does not exclude a bug.
But the log that is generated is important (to see the action taken by FG), as well as the quarantine list and anomaly meters:
diag user quarantine list
diag ips anomaly list
I have a FortiGate 400E bypass with v 7.0.3.
If I use the command "diag ips anomaly list" I see a series of IP addresses that are not present in the "anomaly" GUI...
The quarantine list is empty.
If I configure the quarantine part for an IPS rule it works...
I think you need to open a support ticket for this (maybe a bug?!)
Hi, I finally understand why.
After configuring the DoS policy, I disabled and re-enabled the logging options of "ip_src_session" and the DoS policy correctly bans the IP.
Seems to be a bug...
This worked for me. Thank you!