user : ban
The FortiGate unit compiles a list of all users, IP addresses, or interfaces that have a quarantine/ban rule applied to them. The Banned User list in the FortiGate web-based interface shows all IP addresses and interfaces blocked by NAC (Network Access Control) quarantine, and all IP addresses, authenticated users, senders and interfaces blocked by DLP (Data Leak Prevention). All users or IP addresses on the Banned User list are blocked until they are removed from the list, and all sessions to an interface on the list are blocked until the interface is removed from the list. Each banned user configuration can have an expiry time/date to automatically remove it from the Banned User list, or the user must be removed from the list manually by the system administrator.
You cannot configure items in the Banned User list with the CLI; you must use the web-based manager. In the CLI, you can display the items in the Banned User list using get user ban, and remove an item from the list using the following command (end commits the change):
config user ban
    delete banid <ban_int>
end
Syntax (view only, cannot be configured)
config user ban
    edit banid <ban_int>
        set source {dlp-rule | dlp-compound | IPS | AV | DoS}
        set type {quarantine-src-ip | quarantine-dst-ip | quarantine-src-dst-ip | quarantine-intf | dlp-user | dlp-ip | dlp-sender | dlp-im}
        set cause {IPS (Intrusion Protection Sensor) | Antivirus (AV) | Data Leak Prevention (DLP)}
        set src-ip-addr <src_ip_addr>
        set protocol {smtp | pop3 | imap | http-post | http-get | ftp-put | ftp-get | nntp | aim | icq | msn | ym | smtps | pop3s | imaps | https-post | https-get}
        set dst-ip-addr <dst_ip_addr>
        set interface <interface_name>
        set ip-addr <ip_addr>
        set user <user_name>
        set sender <sender_name>
        set im-type {aim | icq | msn | yahoo}
        set im-name <im_name>
        set expires <ban_expiry_date>
        set created <system_date>
end
banid <ban_int>
Enter the unique ID number of the banned user configuration.
No default.
source {dlp-rule | dlp-compound | IPS | AV | DoS}
The source of the ban:
dlp-rule — a DLP rule configured by the system administrator
dlp-compound — a DLP compound rule configured by the system administrator
IPS — FortiGate unit IPS
AV — FortiGate unit AV
DoS — DoS sensor
type {quarantine-src-ip | quarantine-dst-ip | quarantine-src-dst-ip | quarantine-intf | dlp-user | dlp-ip | dlp-sender | dlp-im}
The type of ban:
quarantine-src-ip — Complete quarantine based on source IP address
quarantine-dst-ip — Complete quarantine based on destination IP address
quarantine-src-dst-ip — Block all traffic from source to destination address
quarantine-intf — Block all traffic on the banned interface (port quarantine)
dlp-user — Ban based on user
dlp-ip — Ban based on IP address of user
dlp-sender — Ban based on email sender
dlp-im — Ban based on IM user
cause {IPS (Intrusion Protection Sensor) | Antivirus (AV) | Data Leak Prevention (DLP)}
FortiGate function that caused ban:
IPS (Intrusion Protection Sensor)
Antivirus (AV) — virus detected
Data Leak Prevention (DLP)
src-ip-addr <src_ip_addr>
The banned source IP address.
protocol {smtp | pop3 | imap | http-post | http-get | ftp-put | ftp-get | nntp | aim | icq | msn | ym | smtps | pop3s | imaps | https-post | https-get}
The protocol in use when the user or IP address was added to the Banned User list.
No default.
dst-ip-addr <dst_ip_addr>
The destination IP address quarantined or banned. This applies to ban types quarantine-dst-ip and quarantine-src-dst-ip.
interface <interface_name>
The interface that was quarantined or banned. This applies to ban type quarantine-intf.
ip-addr <ip_addr>
The banned IP address (ban type dlp-ip).
user <user_name>
The name of the banned user (ban type dlp-user).
sender <sender_name>
The name of the banned sender (ban type dlp-sender).
im-type {aim | icq | msn | yahoo}
The type of instant messenger that was banned. This applies to ban type dlp-im:
aim — AOL instant messenger
icq — ICQ
msn — MSN messenger
yahoo — Yahoo! messenger
im-name <im_name>
The name of the banned instant messenger (ban type dlp-im).
expires <ban_expiry_date>
The date and time at which the FortiGate unit lifts the ban, in the format <yyyy/mm/dd hh:mm:ss>. Range: 5 minutes to 365 days, or indefinite. If set to indefinite, the ban stays on the Banned User list until it is manually removed.
created <system_date>
The system-generated time at which the ban was created by the system administrator. Format: Wed Dec 31 16:00:00 1969.
No default.
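The following Python model is an added illustration, not FortiOS code and not part of this reference. It encodes the Banned User list semantics described above (an entry blocks traffic matching its ban type until its expiry passes or an administrator deletes it by ban ID, and an indefinite ban never lapses on its own), validates the documented 5-minute-to-365-day expiry range, lists the entries that need manual removal, and renders the config user ban deletion block for them. The sample entries are constructed, the output format of get user ban is not modelled, and matching dlp-ip against the traffic's source address is a modelling assumption.

```python
"""Constructed model of the FortiGate Banned User list (example code, not FortiOS)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Documented expiry range: 5 minutes to 365 days after creation, or indefinite.
MIN_BAN = timedelta(minutes=5)
MAX_BAN = timedelta(days=365)


def _eq(traffic_value: str, ban_value: str) -> bool:
    """Match only on a non-empty attribute so unset fields never match each other."""
    return bool(traffic_value) and traffic_value == ban_value


@dataclass
class BanEntry:
    banid: int
    ban_type: str                  # one of the `type` keywords in the syntax block
    source: str                    # dlp-rule | dlp-compound | IPS | AV | DoS
    created: datetime
    expires: Optional[datetime]    # None models "indefinite": manual removal only
    src_ip: str = ""
    dst_ip: str = ""
    interface: str = ""
    ip_addr: str = ""
    user: str = ""
    sender: str = ""
    im_type: str = ""
    im_name: str = ""

    def is_active(self, now: datetime) -> bool:
        """An entry is active until its expiry; an indefinite ban never lapses."""
        return self.expires is None or now < self.expires

    def blocks(self, src_ip="", dst_ip="", interface="", user="", sender="",
               im_type="", im_name="") -> bool:
        """Apply the ban type's matching rule to the given traffic attributes."""
        rules = {
            "quarantine-src-ip": _eq(src_ip, self.src_ip),
            "quarantine-dst-ip": _eq(dst_ip, self.dst_ip),
            "quarantine-src-dst-ip": _eq(src_ip, self.src_ip) and _eq(dst_ip, self.dst_ip),
            "quarantine-intf": _eq(interface, self.interface),
            "dlp-user": _eq(user, self.user),
            "dlp-ip": _eq(src_ip, self.ip_addr),   # assumption: user's IP is the source IP
            "dlp-sender": _eq(sender, self.sender),
            "dlp-im": _eq(im_type, self.im_type) and _eq(im_name, self.im_name),
        }
        return rules[self.ban_type]


def validate_expiry(created: datetime, expires: Optional[datetime]) -> None:
    """Reject an expiry outside 5 minutes..365 days; None (indefinite) is allowed."""
    if expires is None:
        return
    length = expires - created
    if not MIN_BAN <= length <= MAX_BAN:
        raise ValueError(f"ban length {length} is outside 5 minutes..365 days")


def is_blocked(entries, now: datetime, **traffic) -> Optional[int]:
    """Return the banid of the first active entry blocking this traffic, else None."""
    for entry in entries:
        if entry.is_active(now) and entry.blocks(**traffic):
            return entry.banid
    return None


def needs_manual_removal(entries) -> list:
    """Indefinite bans stay on the list until an administrator deletes them."""
    return [entry.banid for entry in entries if entry.expires is None]


def removal_script(banids) -> str:
    """Render the CLI deletion block from the reference for several ban IDs."""
    lines = ["config user ban"] + [f"    delete banid {b}" for b in banids] + ["end"]
    return "\n".join(lines)


# Constructed sample list; not real output of `get user ban`.
T0 = datetime(2011, 3, 1, 9, 0, 0)
SAMPLE = [
    BanEntry(1, "quarantine-src-ip", "IPS", T0, T0 + timedelta(hours=1), src_ip="10.0.0.5"),
    BanEntry(2, "quarantine-src-dst-ip", "DoS", T0, None, src_ip="10.0.0.9", dst_ip="192.0.2.10"),
    BanEntry(3, "quarantine-intf", "AV", T0, T0 + timedelta(days=1), interface="port3"),
    BanEntry(4, "dlp-sender", "dlp-rule", T0, None, sender="mallory@example.com"),
]

if __name__ == "__main__":
    now = T0 + timedelta(minutes=30)
    print(is_blocked(SAMPLE, now, src_ip="10.0.0.5", dst_ip="198.51.100.1"))  # 1
    print(is_blocked(SAMPLE, now + timedelta(hours=2), src_ip="10.0.0.5"))     # None (expired)
    print(needs_manual_removal(SAMPLE))                                       # [2, 4]
    print(removal_script(needs_manual_removal(SAMPLE)))
```

Running the module prints which constructed entry blocks a given flow at a given time, and the deletion block for the two indefinite entries, which an administrator would otherwise have to clear one by one from the Banned User list.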