Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rezafathi
Contributor II

Created on ‎04-15-2024 10:27 PM

quarantine hosts

Hello,

 

when I put a host on quarantine, it has network and internet access. why is that happen?

Reza F.
Reza F.
Labels:
238
0 Kudos
6 REPLIES 6
AEK
SuperUser
SuperUser

Created on ‎04-16-2024 01:17 AM

Hi Reza

Do you have a firewall policy allowing traffic from qtn.root or wqt.someting to internet?

Or do you have a firewall policy allowing traffic from "any" interface to internet?

If you have this then you just need to change it.

AEK
AEK
208
rezafathi
Contributor II
In response to AEK

Created on ‎04-19-2024 01:56 AM

No i do not have these policies.

Reza F.
Reza F.
155
0 Kudos
Sheikh
Staff
Staff

Created on ‎04-19-2024 02:41 AM

Hello @rezafathi ,

 

It appears that your firewall policy permits access to the internet from the Quarantine subnet. Please check this technical document for troubleshooting.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-ban-or-quarantine-an-IP-with-FortiV...

 

regards,

 

Sheikh

**If you come across a resolution, kindly show your appreciation by liking and accepting it, ensuring its accessibility for others**
147
0 Kudos
rezafathi
Contributor II
In response to Sheikh

Created on ‎04-19-2024 02:48 AM

Ip ban works fine but mac ban not working

Reza F.
Reza F.
142
0 Kudos
ebilcari
Staff
Staff

Created on ‎04-19-2024 03:33 AM

If these are WiFi hosts than you need to enable Device detection and Quarantine host at SSID level like shown here. If you check after the host get quarantined they will be shown as part of interface wqt.root (not the WiFi SSID) and by default should not exist a policy that allows network access for this interface.

quarantined.png

In case of wired hosts the interface of quarantine is part of the FortiLink named "quarantine.fortilink".

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
129
0 Kudos
AEK
SuperUser
SuperUser

Created on ‎04-19-2024 04:24 AM

Hi Reza

You can debug the flow and see why the quarantined host is allowed internet access.

When a host is in quarantine, run a ping from this host to any public IP (e.g.: 1.1.1.1), and in the meantime run the below commands from FortiGate:

diag debug flow filter addr <quarantined_host_IP>
diag debug flow filter proto 1
diag debug flow show function-name enable
diag debug flow show iprope enable
diag debug flow trace start 50
diag debug enable

Once you have the output please share it and we should find the information.

AEK
AEK
120
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.