Quarantine and Monitor

Objectives and Overview of LAN Edge Quarantine

  • The primary goal is to master the configuration and monitoring of users on FortiOS with FortiManager in the context of LAN Edge 7.6 Architectures.

  • Key objectives include:

    • Configuring manual quarantine.

    • Implementing quarantine using Indicator of Compromise (IOC) triggers.

    • Configuring quarantine on FortiSwitch and FortiAP.

    • Exploring dashboard widgets used for managing quarantined devices.

  • By achieving these objectives, administrators can effectively isolate compromised or unauthorized devices within a Fortinet environment.

Layer 2 versus Layer 3 Quarantine

  • Layer 2 Quarantine Characteristics:

    • Layer: Data Link (Layer 2).

    • Base: Based on MAC address or VLAN assignment.

    • Isolation Type: Uses 802.1X, MAC Authentication Bypass (MAB), Switches, Network Access Control (NAC).

    • Functionality: Involves using switches to isolate noncompliant devices. For example, if a device fails 802.1X or MAB checks, the switch assigns it to a quarantine VLAN. This VLAN may grant access to remediation services (such as OS patches or antivirus updates) but prevents broader network access.

  • Layer 3 Quarantine Characteristics:

    • Layer: Network (Layer 3).

    • Base: Based on IP address or routing/firewall rules.

    • Isolation Type: Uses firewalls, routers, application firewalls, and Access Control Lists (ACLs).

    • Functionality: Firewalls or routers control IP traffic from noncompliant devices. Devices in a quarantine subnet have traffic restricted to only remediation servers or portals. It ensures the device must pass remediation before accessing other network segments.

  • SD-Branch Application: In a Fortinet SD-Branch environment, these methods are not mutually exclusive and are often used together. FortiSwitch may place a device in a quarantine VLAN (Layer 2), while FortiGate firewalls enforce further IP traffic restrictions to specific subnets (Layer 3).

MAC Address Quarantine

  • Definition: Quarantined devices are isolated such that they can communicate only with FortiGate. Any other traffic is dropped.

  • Communication Types:

    • FortiGate local: The destination is a FortiGate interface. Communication is allowed if FortiGate is configured to allow it (e.g., ping).

    • Intra-VLAN: The destination is a device in the same VLAN. This is blocked automatically by FortiGate because the destination MAC does not match the FortiGate interface.

    • Inter-VLAN: The destination is a device in a different VLAN/network reached through FortiGate. FortiGate blocks this traffic.

  • System Process:

    1. FortiGate monitors device activity based on traffic and security logs.

    2. If a rule is triggered or a user intervenes, FortiGate adds the device MAC address to its local quarantine list.

    3. FortiGate applies configuration to FortiSwitch using the FortiSwitch REST API.

    4. FortiSwitch blocks traffic from the quarantined MAC address.

  • CLI Enablement (Enabled by default):

        config user quarantine
            set quarantine enable
        end

MAC Address Quarantine Modes

  • By VLAN (Default Mode):

    • Traffic from the quarantined device is placed in the quarantine VLAN.

    • Inter-VLAN traffic is automatically blocked if using the default quarantine VLAN (as it has no firewall policies).

    • The device can still obtain an IP address via DHCP (a DHCP server is enabled by default on the quarantine VLAN), but acquiring the new address in the quarantine VLAN requires a client restart.

  • By Redirect:

    • The device is kept in its current VLAN.

    • The device IP address does not change, which facilitates remediation.

    • FortiGate adds the device MAC address to the QuarantinedDevices firewall address group.

    • Requirement: An administrator must manually create a firewall policy to block inter-VLAN traffic from the QuarantinedDevices address group.

  • CLI Command to change mode:

        config switch-controller global
            set quarantine-mode [by-vlan | by-redirect]
        end
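The following FortiOS CLI fragment is an added example (not from the course material) of the manual step that by-redirect mode requires: switching the mode and creating the deny policy that blocks inter-VLAN traffic from the built-in QuarantinedDevices address group. The policy name and the "edit 0" placeholder ID are assumptions; the address group name comes from the notes above.

```fortios
# Added example, not part of the original notes.
# Step 1: switch MAC address quarantine from the default by-vlan mode to by-redirect.
config switch-controller global
    set quarantine-mode by-redirect
end

# Step 2: by-redirect keeps the device in its own VLAN with its existing IP address,
# so nothing blocks it until a policy denies traffic from the QuarantinedDevices group.
# "edit 0" lets FortiOS pick the next free policy ID; the name is an assumption.
config firewall policy
    edit 0
        set name "Deny-QuarantinedDevices"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "QuarantinedDevices"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        # Log denied traffic so quarantined hosts remain visible in FortiAnalyzer.
        set logtraffic all
    next
end
```

Policy order matters: this deny policy must sit above any permissive policies, and if remediation access is wanted, a narrow allow policy (DNS plus HTTP/S to the remediation server) from QuarantinedDevices must be placed above the deny policy.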

Quarantine VLAN Interface

  • The quarantine VLAN is created when the first switch is discovered by FortiGate, provided config user quarantine is enabled.

  • VLAN ID: Assigned 4093 by default.

  • Configuration Details:

    • DHCP Server is enabled to assign IPs to quarantined devices.

    • Access VLAN: Enabled by default on the quarantine VLAN to isolate quarantined devices from each other. Note: This option is visible on the FortiGate GUI but not on the FortiManager GUI.

    • Allowed VLAN: It is part of the allowed VLANs on managed FortiSwitches by default.

    • Captive Portal: Enabled for device remediation and custom messaging.

Manual Quarantine Procedures

  • FortiSwitch Ports:

    • Navigate to WiFi & Switch Controller > FortiSwitch Ports.

    • Click the device in the Device Information column and select Quarantine Host.

  • WiFi Clients:

    • Navigate to WiFi & Switch Controller > WiFi Clients.

    • Locate the device (details include IP, MAC, device name, and signal strength).

    • Right-click the entry and select Quarantine.

  • Dashboard Widget:

    • Use the Clients By FortiAP widget under Dashboard > WiFi.

    • Quarantined hosts are placed in the dedicated quarantine VLAN.

Automatic Quarantine and Security Fabric

  • Requirements: FortiGate must be in a Security Fabric group with a FortiAnalyzer device and a valid threat detection services (IOC) license on FortiAnalyzer.

  • Indicator of Compromise (IOC): Events or characteristics indicating with high confidence that a device is compromised.

  • Available Actions for Compromised Devices:

    • IP ban: Block traffic from the device IP on FortiGate. Intra-VLAN traffic is still allowed.

    • Access-layer quarantine: Inter-VLAN and intra-VLAN traffic from the MAC address is blocked using FortiGate and FortiSwitch.

    • Quarantine FortiClient: All traffic is blocked on the device itself via FortiClient.

    • VMware NSX endpoint: Compromised endpoints are blocked using security tags.

    • FortiNAC quarantine: The PC is quarantined and the MAC address is disabled on the FortiNAC device.

Automation Stitch Workflow

  1. A device attempts to access a security risk (e.g., a malicious site).

  2. FortiGate blocks the site based on firewall policy/web filter.

  3. FortiGate sends a log to FortiAnalyzer.

  4. FortiAnalyzer processes the log using IOC services.

  5. FortiAnalyzer sends a security risk verdict back to FortiGate.

  6. User-defined automation (stitch) quarantines the device.

  • Automation Stitch Configuration: Must be created on the root FortiGate. It can be applied to all or specific FortiGates in the Fabric.

  • FortiManager Role: Automation stitches are configured on a per-device basis; they cannot be applied globally or through templates because each device may require unique actions.
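As an added example (not from the course material), the FortiOS CLI below builds the automation stitch described in the workflow above on the root FortiGate: an IOC trigger fed by the FortiAnalyzer verdict, and an access-layer quarantine action that blocks the device MAC address on FortiGate and FortiSwitch. The trigger, action, and stitch names are assumptions; the event and action types are the FortiOS keywords for the IOC trigger and access-layer quarantine.

```fortios
# Added example, not part of the original notes. Configure on the root FortiGate
# of the Security Fabric; FortiManager pushes stitches per device, not via templates.

# Trigger: fires when FortiAnalyzer returns a high-confidence IOC verdict for a host.
config system automation-trigger
    edit "IOC-Compromised-Host"
        set event-type ioc
    next
end

# Action: access-layer quarantine (MAC-based, enforced on FortiGate and FortiSwitch),
# the "Access-layer quarantine" option listed under the compromised-device actions.
config system automation-action
    edit "Quarantine-Host-Access-Layer"
        set action-type quarantine
    next
end

# Stitch: wire the trigger to the action. Names are assumptions.
config system automation-stitch
    edit "IOC-Access-Layer-Quarantine"
        set trigger "IOC-Compromised-Host"
        config actions
            edit 1
                set action "Quarantine-Host-Access-Layer"
                set required enable
            next
        end
    next
end
```

After a stitch fires, the quarantined MAC address should appear in the output of "show user quarantine" and in Dashboard > Users & Identities > Quarantine, where it can be released once remediated.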

Integrated Wireless Quarantine

  • Compatibility: Currently possible only for tunnel mode SSIDs.

  • Requirements: APs and FortiGate must be in the Security Fabric with FortiAnalyzer.

  • Automated Resources: Enabling quarantine on an SSID automatically creates:

    • A quarantine soft switch.

    • A quarantine interface/subinterface under the wireless network.

    • A system DHCP server with a range of private IP addresses.

    • A default captive portal.

  • Remediation Access: By default, there are no policies to allow internet access. Administrators must manually create policies (typically DNS and specific HTTP/S) to allow the device to download remediation files.

Monitoring and Releasing Quarantined Devices

  • Monitoring Widgets:

    • FortiGate GUI: Dashboard > Security > Compromised Hosts by Verdict.

    • FortiAnalyzer GUI: FortiView > Threats > Indicator of Compromise.

    • Quarantine Management: Dashboard > Users & Identities > Quarantine (allows releasing one or all devices).

  • Acknowledgement: Clicking Ack on FortiAnalyzer removes the event from both the FortiAnalyzer Compromised Hosts page and the FortiGate dashboard widget.

  • CLI Monitoring Commands:

    • To view quarantined IPs (IP ban): diagnose user banned-ip list all

    • To view quarantined MAC addresses: show user quarantine