user : ban
 
The FortiGate unit compiles a list of all users, IP addresses, or interfaces that have a quarantine/ban rule applied to them. The Banned User list in the FortiGate web-based interface shows all IP addresses and interfaces blocked by NAC (Network Access Control) quarantine, and all IP addresses, authenticated users, senders and interfaces blocked by DLP (Data Leak Prevention). All users or IP addresses on the Banned User list are blocked until they are removed from the list, and all sessions to an interface on the list are blocked until the interface is removed from the list. Each banned user configuration can have an expiry time/date to automatically remove it from the Banned User list, or the user must be removed from the list manually by the system administrator.
 
Items in the Banned User list cannot be configured from the CLI; you must use the web-based manager. In the CLI you can display the items in the Banned User list with get user ban, and remove items from the list with the following command:
config user ban
delete banid <ban_int>
end
Syntax (view only, cannot be configured)
config user ban
edit banid <ban_int>
set source {dlp-rule | dlp-compound | IPS | AV | DoS}
set type {quarantine-src-ip | quarantine-dst-ip | quarantine-src-dst-ip | quarantine-intf | dlp-user | dlp-ip | dlp-sender | dlp-im}
set cause {IPS (Intrusion Protection Sensor) | Antivirus (AV) | Data Leak Prevention (DLP)}
set src-ip-addr <src_ip_addr>
set protocol {smtp | pop3 | imap | http-post | http-get | ftp-put | ftp-get | nntp | aim | icq | msn | ym | smtps | pop3s | imaps | https-post | https_get}
set dst-ip-addr <dst_ip_addr>
set interface <interface_name>
set ip-addr <ip_addr>
set user <user_name>
set sender <sender_name>
set im-type {aim | icq | msn | yahoo}
set im-name <im_name>
set expires <ban_expiry_date>
set created <system_date>
end
end
Variable / Description / Default

banid <ban_int>
    Enter the unique ID number of the banned user configuration.
    Default: No default.

source {dlp-rule | dlp-compound | IPS | AV | DoS}
    The source of the ban:
        dlp-rule — a DLP rule configured by the system administrator
        dlp-compound — a DLP compound rule configured by the system administrator
        IPS — FortiGate unit IPS
        AV — FortiGate unit AV
        DoS — DoS sensor
    Default: dlp-rule

type {quarantine-src-ip | quarantine-dst-ip | quarantine-src-dst-ip | quarantine-intf | dlp-user | dlp-ip | dlp-sender | dlp-im}
    The type of ban:
        quarantine-src-ip — complete quarantine based on source IP address
        quarantine-dst-ip — complete quarantine based on destination IP address
        quarantine-src-dst-ip — block all traffic from the source address to the destination address
        quarantine-intf — block all traffic on the banned interface (port quarantine)
        dlp-user — ban based on user
        dlp-ip — ban based on the IP address of the user
        dlp-sender — ban based on email sender
        dlp-im — ban based on IM user
    Default: quarantine-src-ip

cause {IPS (Intrusion Protection Sensor) | Antivirus (AV) | Data Leak Prevention (DLP)}
    The FortiGate function that caused the ban:
        IPS (Intrusion Protection Sensor)
        Antivirus (AV) — virus detected
        Data Leak Prevention (DLP)
    Default: (null)

src-ip-addr <src_ip_addr>
    The banned source IP address.
    Default: 0.0.0.0

protocol {smtp | pop3 | imap | http-post | http-get | ftp-put | ftp-get | nntp | aim | icq | msn | ym | smtps | pop3s | imaps | https-post | https_get}
    The protocol used by the user or IP address added to the Banned User list.
    Default: No default.

dst-ip-addr <dst_ip_addr>
    The destination IP address that was quarantined or banned. Applies to ban types quarantine-dst-ip and quarantine-src-dst-ip.

interface <interface_name>
    The interface that was quarantined or banned. Applies to ban type quarantine-intf.
    Default: null

ip-addr <ip_addr>
    The banned IP address (ban type dlp-ip).
    Default: 0.0.0.0

user <user_name>
    The name of the banned user (ban type dlp-user).
    Default: null

sender <sender_name>
    The name of the banned sender (ban type dlp-sender).
    Default: null

im-type {aim | icq | msn | yahoo}
    The type of instant messenger that was banned. Applies to ban type dlp-im:
        aim — AOL Instant Messenger
        icq — ICQ
        msn — MSN Messenger
        yahoo — Yahoo! Messenger
    Default: aim

im-name <im_name>
    The name of the banned instant messenger user (ban type dlp-im).
    Default: null

expires <ban_expiry_date>
    The date and time at which the FortiGate unit lifts the ban, in the format <yyyy/mm/dd hh:mm:ss>. Range: 5 minutes to 365 days, or indefinite. If set to indefinite, the ban must be removed from the Banned User list manually.
    Default: indefinite

created <system_date>
    System-generated time at which the ban was created by the system administrator. Format: Wed Dec 31 16:00:00 1969.
    Default: No default.
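As an added example (not part of the FortiGate documentation), the following script audits a set of ban entries against the rules stated above: it flags entries whose expires value is indefinite (these never leave the Banned User list on their own) and entries whose lifetime falls outside the 5 minute to 365 day range, then builds the exact config user ban / delete banid block an administrator would paste into the CLI. The entries are constructed sample data laid out with the field names from this page; the dict layout is an assumption of this example and is not the output format of get user ban.

```python
from datetime import datetime, timedelta

EXPIRES_FMT = "%Y/%m/%d %H:%M:%S"     # page: expires is <yyyy/mm/dd hh:mm:ss>
CREATED_FMT = "%a %b %d %H:%M:%S %Y"  # page: created looks like "Wed Dec 31 16:00:00 1969"
MIN_TTL, MAX_TTL = timedelta(minutes=5), timedelta(days=365)  # page: 5 minutes to 365 days

# Constructed sample entries (field names from the page; values are made up for this example).
SAMPLE_BANS = [
    {"banid": 1, "source": "IPS", "type": "quarantine-src-ip", "src-ip-addr": "10.1.1.5",
     "created": "Mon Mar 03 09:15:00 2014", "expires": "2014/03/03 09:45:00"},
    {"banid": 2, "source": "dlp-rule", "type": "dlp-user", "user": "jdoe",
     "created": "Tue Mar 04 12:00:00 2014", "expires": "indefinite"},
    {"banid": 3, "source": "dlp-rule", "type": "dlp-sender", "sender": "someone@example.com",
     "created": "Wed Mar 05 08:00:00 2014", "expires": "2014/03/05 08:03:00"},
]


def check_ban(ban):
    """Return a list of findings for one entry; an empty list means nothing to flag."""
    findings = []
    created = datetime.strptime(ban["created"], CREATED_FMT)
    if ban["expires"] == "indefinite":
        # The unit never lifts this ban; an administrator has to remove it by hand.
        findings.append("indefinite: must be removed manually")
    else:
        ttl = datetime.strptime(ban["expires"], EXPIRES_FMT) - created
        if not MIN_TTL <= ttl <= MAX_TTL:
            findings.append(f"lifetime {ttl} outside the 5 minute to 365 day range")
    return findings


def indefinite_banids(bans):
    """IDs of all entries that will sit in the Banned User list until removed manually."""
    return [b["banid"] for b in bans if b["expires"] == "indefinite"]


def delete_commands(banids):
    """Render the CLI block from this page that removes the given entries."""
    lines = ["config user ban"]
    lines += [f"delete banid {b}" for b in banids]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    for ban in SAMPLE_BANS:
        print(ban["banid"], ban["type"], check_ban(ban) or "ok")
    print(delete_commands(indefinite_banids(SAMPLE_BANS)))
```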