Quarantine / Source IP ban

As of FortiOS 5.2, quarantine was a place where traffic content was held in storage where it couldn't interact with the network or system. This was removed, but the term quarantine was kept to describe keeping selected source IPs from interacting with the network and protected systems. This source IP ban is kept in the kernel rather than in any specific application engine and can be queried by APIs. The features that can use the APIs to access and use the banned source IP addresses are antivirus, DLP, DoS and IPS. Both IPv4 and IPv6 versions are included in this feature.

GUI Changes

As of FortiOS 5.4.1, you can quarantine a source address through the GUI. Go to FortiView > Sources. Right-click on the source address you wish to quarantine and select Quarantine Source Address. You can set the duration of the quarantine in days, hours, minutes, or seconds. A User Quarantine ban can be removed in Monitor > User Quarantine Monitor.

CLI Syntax

To configure the AntiVirus security profile to add the source IP address of an infected file to the quarantine or list of banned source IP addresses in the CLI:

config antivirus profile
    edit <name of profile>
        config nac-quar
            set infected quar-src-ip
            set expiry 5m
        end
    next
end

If the quar-src-ip action is used, the additional variable of expiry time becomes available. This variable determines for how long the source IP address will be blocked. In the CLI the option is called expiry and the duration is in the format <###d##h##m>. The maximum days value is 364. The maximum hours value is 23 and the maximum minutes value is 59. The default is 5 minutes.
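When the quarantine expiry is set from a script rather than typed at the CLI, it is worth validating the duration string before it reaches the device. The following is an added example, not Fortinet's code: it parses the <###d##h##m> format and enforces the limits stated above (364 days, 23 hours, 59 minutes), then renders the nac-quar block. The helper names parse_expiry and render_nac_quar are assumptions for this example; the bounds and the CLI keywords come from the text.

```python
import re

# Bounds stated in the FortiOS documentation for the expiry option
# (constants and helper names below are this example's own, not FortiOS API).
MAX_DAYS, MAX_HOURS, MAX_MINUTES = 364, 23, 59

# <###d##h##m>: each component optional, order fixed, at least one required.
_EXPIRY_RE = re.compile(r"^(?:(\d{1,3})d)?(?:(\d{1,2})h)?(?:(\d{1,2})m)?$")


def parse_expiry(value: str) -> int:
    """Validate a quarantine expiry string and return its length in seconds.

    Raises ValueError for an empty or malformed string (including a seconds
    component, which the CLI format does not have) or for a component that
    exceeds the documented maximum.
    """
    m = _EXPIRY_RE.match(value.strip())
    if not m or not any(m.groups()):
        raise ValueError(
            f"malformed expiry {value!r}; expected <###d##h##m>, e.g. 5m or 1d12h"
        )
    days, hours, minutes = (int(g) if g else 0 for g in m.groups())
    if days > MAX_DAYS:
        raise ValueError(f"days must be <= {MAX_DAYS}, got {days}")
    if hours > MAX_HOURS:
        raise ValueError(f"hours must be <= {MAX_HOURS}, got {hours}")
    if minutes > MAX_MINUTES:
        raise ValueError(f"minutes must be <= {MAX_MINUTES}, got {minutes}")
    return days * 86400 + hours * 3600 + minutes * 60


def render_nac_quar(profile: str, expiry: str = "5m") -> str:
    """Return the CLI block that bans the source IP of an infected file.

    The expiry is validated first so a bad value fails in the script, not on
    the firewall. "5m" mirrors the documented default.
    """
    parse_expiry(expiry)
    return "\n".join(
        [
            "config antivirus profile",
            f'    edit "{profile}"',
            "        config nac-quar",
            "            set infected quar-src-ip",
            f"            set expiry {expiry}",
            "        end",
            "    next",
            "end",
        ]
    )


if __name__ == "__main__":
    # Constructed sample input for a stand-alone run.
    print(render_nac_quar("av-strict", "1d12h"))
    for bad in ("365d", "24h", "60m", "30s", ""):
        try:
            parse_expiry(bad)
        except ValueError as exc:
            print(f"rejected {bad!r}: {exc}")
```

The regex fixes the component order, so a string such as 12h1d is rejected as malformed rather than silently reinterpreted, and a seconds suffix is refused because the CLI format described above has no seconds field (the GUI does).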