User: NAC quarantine and the Banned User list
FortiGate Version 4.0 Administration Guide
596 01-400-89802-20090424
http://docs.fortinet.com/
When an interface is blocked by NAC quarantine, or by a DLP sensor whose action is set to
Quarantine Interface, any user who attempts to start an HTTP session (TCP port 80) through
that interface is instead connected by the FortiGate unit to one of the four NAC quarantine
web pages.
The DLP Ban and Ban Sender options also send messages to blocked users. For more
information, see “Adding or editing a rule in a DLP sensor” on page 513.
Configuring NAC quarantine
You can configure NAC quarantine for antivirus protection in a protection profile and for
IPS sensors and DoS sensors:
• To configure NAC quarantine for antivirus protection, go to Firewall > Protection
Profile. Add or edit a protection profile and configure Anti-Virus. Enable Quarantine
Virus Sender (to Banned Users List), select a Method, and configure Expires. For more
information, see “Anti-Virus options” on page 407.
• To configure NAC quarantine for an IPS sensor, go to UTM > Intrusion Protection >
IPS Sensor. Add or edit an IPS sensor. To add NAC quarantine to a filter, select Add
Filter, enable Quarantine Attackers (to Banned Users List), select a Method, and
configure Expires. You can also add NAC quarantine to pre-defined and custom
overrides in an IPS sensor. For more information, see “Configuring filters” on page 464
and “Configuring pre-defined and custom overrides” on page 465.
• To configure NAC quarantine for a DoS sensor, create or edit a DoS sensor and then, from
the CLI, configure NAC quarantine for one or more of the 12 anomaly types. For each
anomaly you set quarantine to attacker (block the source of the attack), both (block
both the source and the target of the attack), or interface (block the interface that
received the attack).
You can add the DoS sensor from the web-based manager or the CLI but you can only
configure NAC quarantine from the CLI. The following example shows how to edit a
DoS sensor named QDoS_sensor, set quarantine to attacker for the
udp_dst_session and set the quarantine expiry time to 30 minutes. The example
also shows how to set quarantine to both for the icmp_flood anomaly:
config ips DoS
    edit QDoS_sensor
        config anomaly
            edit udp_dst_session
                set quarantine attacker
                set quarantine-expiry 30
            next
            edit icmp_flood
                set quarantine both
        end
    end
For more information, see the FortiGate CLI Reference.
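The DoS sensor quarantine settings are written in the FortiOS CLI, which cannot be exercised offline. As an added example (not Fortinet's code and not part of the original guide), the following Python script parses a `config ips DoS` block written in the syntax shown above and audits the quarantine mode and expiry of every anomaly in every sensor. It assumes the FortiOS CLI nesting rules (`next` closes the current entry; `end` closes the enclosing table, including an entry still open inside it, which is why the guide's example can end `icmp_flood` with `end` rather than `next`). The sample configuration is constructed here from the QDoS_sensor example; `tcp_syn_flood` is an assumed anomaly name, included only so that one anomaly has quarantine left at `none`. The audit flags three things a practitioner checks before deploying the sensor: an anomaly with quarantine enabled but no explicit quarantine-expiry (the ban length then falls back to the unit's default, which the script does not assume), mode `both` (which bans the attack's target as well as its source), and mode `interface` (which bans every host behind the receiving interface and, as described at the top of this section, redirects their HTTP sessions to a quarantine page).

```python
"""Audit NAC quarantine settings in a FortiOS `config ips DoS` block (added example)."""

import shlex

# Constructed sample modelled on the guide's QDoS_sensor example. tcp_syn_flood is an
# ASSUMED anomaly name, included only to show an anomaly with quarantine left at none.
SAMPLE_CONFIG = """\
config ips DoS
    edit QDoS_sensor
        config anomaly
            edit udp_dst_session
                set quarantine attacker
                set quarantine-expiry 30
            next
            edit icmp_flood
                set quarantine both
            next
            edit tcp_syn_flood
                set quarantine none
            next
        end
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI config text into nested dicts.

    Result shape: {table: {entry: {setting: value, subtable: {...}}}}.
    `next` closes the current edit entry; `end` closes the enclosing config table
    and, as in the FortiOS CLI, any entry still open inside it (assumed semantics).
    """
    root = {}
    stack = [root]      # object being populated at each nesting level
    entry_open = []     # one flag per open config table: is an edit entry open?
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            table = stack[-1].setdefault(" ".join(args), {})
            stack.append(table)
            entry_open.append(False)
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
            entry_open[-1] = True
        elif keyword == "set":
            stack[-1][args[0]] = " ".join(args[1:])
        elif keyword == "next":
            stack.pop()
            entry_open[-1] = False
        elif keyword == "end":
            if entry_open[-1]:
                stack.pop()         # implicit close of the entry still being edited
            stack.pop()
            entry_open.pop()
        else:
            raise ValueError(f"unrecognised CLI line: {line!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit/end nesting")
    return root


def audit_dos_quarantine(config):
    """Return (sensor, anomaly, finding) tuples for quarantine settings worth a second look.

    Findings:
      no-expiry       quarantine is on but quarantine-expiry is not set explicitly, so the
                      ban length is whatever the unit's default is (not assumed here)
      blocks-target   mode "both" bans the attack's destination as well as its source
      interface-wide  mode "interface" bans every host behind the receiving interface
    """
    findings = []
    for sensor, body in config.get("ips DoS", {}).items():
        for anomaly, settings in body.get("anomaly", {}).items():
            mode = settings.get("quarantine", "none")
            if mode == "none":
                continue
            if "quarantine-expiry" not in settings:
                findings.append((sensor, anomaly, "no-expiry"))
            if mode == "both":
                findings.append((sensor, anomaly, "blocks-target"))
            elif mode == "interface":
                findings.append((sensor, anomaly, "interface-wide"))
    return findings


if __name__ == "__main__":
    for sensor, anomaly, finding in audit_dos_quarantine(parse_fortios(SAMPLE_CONFIG)):
        print(f"{sensor}: {anomaly}: {finding}")
```

Run against the sample, the script reports `icmp_flood` twice (no explicit expiry, and mode `both`) and nothing for `udp_dst_session` or `tcp_syn_flood`. The same parser accepts the guide's own layout, where the last anomaly is closed with `end` instead of `next`.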
The Banned User list
The Banned User list shows all IP addresses and interfaces blocked by NAC quarantine.
The list also shows all IP addresses, authenticated users, senders, and interfaces blocked
by Data Leak Prevention (DLP). The system administrator can selectively release users or
interfaces from quarantine or configure quarantine to expire after a selected time period.