Quarantine / Source IP ban
Starting in FortiOS 5.2, the quarantine as a place where traffic content was held in storage, where it could not interact with the network or system, was removed, but the term quarantine was kept to describe keeping selected source IPs from interacting with the network and protected systems. This source IP ban is kept in the kernel rather than in any specific application engine and can be queried through APIs. The features that can use these APIs to access and act on the banned source IP addresses are antivirus, DLP, DoS and IPS. Both IPv4 and IPv6 addresses are covered by this feature.
To configure the antivirus profile to add the source IP address of an infected file to the quarantine (the list of banned source IP addresses), edit the antivirus profile in the CLI as follows:
config antivirus profile
    edit <name of profile>
        config nac-quar
            set infected quar-src-ip
            set expiry 5m
        end
    next
end
If the quar-src-ip action is used, the additional expiry variable becomes available. This variable determines how long the source IP address is blocked. In the CLI the option is called expiry and the duration is in the format <###d##h##m>. The maximum days value is 364, the maximum hours value is 23 and the maximum minutes value is 59. The default is 5 minutes.
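An added example, not from the FortiOS documentation or Fortinet: a small Python checker that validates an expiry string against the ###d##h##m format and the stated maxima (364 days, 23 hours, 59 minutes), and that reads a nac-quar block to report how long an infected file's source IP will actually be banned, applying the 5-minute default when no expiry is set. Treating each unit as optional (so "1d12h" is accepted, not only the full three-part form) is an assumption based on the page's own "5m" example; the profile name and the 2h30m value in the sample are constructed.

```python
import re

# Limits for the nac-quar expiry value, as documented for FortiOS.
MAX_DAYS, MAX_HOURS, MAX_MINUTES = 364, 23, 59
DEFAULT_EXPIRY = "5m"  # applied when no 'set expiry' line is present

# The documented layout is ###d##h##m. Treating each unit as optional is an
# assumption drawn from the page's own "5m" example; at least one must be present.
_EXPIRY_RE = re.compile(r"^(?:(\d{1,3})d)?(?:(\d{1,2})h)?(?:(\d{1,2})m)?$")


def parse_expiry(value: str) -> int:
    """Convert an expiry string such as '5m' or '1d12h' to seconds.

    Raises ValueError for malformed strings or for values above the
    documented maxima (364 days, 23 hours, 59 minutes).
    """
    m = _EXPIRY_RE.match(value.strip())
    if m is None or not any(m.groups()):
        raise ValueError(f"expiry {value!r} is not in ###d##h##m format")
    days, hours, minutes = (int(g) if g else 0 for g in m.groups())
    for label, got, limit in (("days", days, MAX_DAYS),
                              ("hours", hours, MAX_HOURS),
                              ("minutes", minutes, MAX_MINUTES)):
        if got > limit:
            raise ValueError(f"{label} value {got} exceeds maximum {limit}")
    return days * 86400 + hours * 3600 + minutes * 60


def is_valid_expiry(value: str) -> bool:
    """True if parse_expiry accepts the string, False otherwise."""
    try:
        parse_expiry(value)
    except ValueError:
        return False
    return True


_INFECTED_RE = re.compile(r"^\s*set infected (\S+)", re.MULTILINE)
_SET_EXPIRY_RE = re.compile(r"^\s*set expiry (\S+)", re.MULTILINE)


def effective_ban_seconds(profile_cli: str):
    """How long an infected file's source IP is banned under this profile.

    Returns None when the infected action is not quar-src-ip (expiry is then
    not in effect); otherwise the configured expiry in seconds, falling back
    to the 5-minute default when no 'set expiry' line is present.
    """
    action = _INFECTED_RE.search(profile_cli)
    if action is None or action.group(1) != "quar-src-ip":
        return None
    expiry = _SET_EXPIRY_RE.search(profile_cli)
    return parse_expiry(expiry.group(1) if expiry else DEFAULT_EXPIRY)


# Constructed sample profile (the profile name and the expiry value are made up).
SAMPLE_PROFILE = """\
config antivirus profile
    edit "av-quarantine"
        config nac-quar
            set infected quar-src-ip
            set expiry 2h30m
        end
    next
end
"""

if __name__ == "__main__":
    print(effective_ban_seconds(SAMPLE_PROFILE))  # 9000
```

Running the checker over a profile before pushing it avoids discovering at commit time that an expiry such as "24h" or "365d" is outside the accepted range; the fallback path makes the otherwise silent 5-minute default visible when reviewing a profile that never set an expiry.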