Configuring quarantining on SSID
This guide provides instructions on simple configuration for on SSID. Consider the following for this feature:
l The quarantine function only works with SSID tunnel mode. l The quarantine function is independent of SSID security mode.
The following shows a simple network topology for this recipe:
To quarantine a wireless client on the FortiOS GUI:
- In FortiOS, go to the policy applied to the SSID and enable All Sessions for Log Allowed Traffic.
- Edit the SSID:
- Go to WiFi & Switch Controller > SSID, and select the desired SSID.
- Enable Device Detection.
- Enable Quarantine Host.
- Click OK.
- Quarantine a wireless client:
- Do one of the following:
- Go to Security Fabric > Physical Topology. View the topology by access device.
- Go to FortiView > Traffic from LAN/DMZ > Source.
- Do one of the following:
- Go to FortiView > Traffic from LAN/DMZ > WiFi Clients.
- Right-click the wireless client, then click Quarantine Host.
To quarantine a wireless client using the FortiOS CLI:
- Under global quarantine settings, enable quarantine:
config user quarantine set quarantine enable
end
- Under virtual access point (VAP) settings, enable quarantine:
config wireless-controller vap edit wifi-vap set ssid “Fortinet-psk” set security wpa2-only-personal set passphrase fortinet set quarantine enable
next
end
- Quarantine a wireless client. The example client has the MAC address b4:ae:2b:cb:d1:72:
config user quarantine config targets edit “DESKTOP-Surface” config macs edit b4:ae:2b:cb:d1:72 set description “Surface”
next
end
next
end
end
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!