FortiSwitch
  • FortiSwitch Terminology
  • FortiLink Architecture
  • Spanning Tree
    • Loop Protection
    • BPDU Guard
    • Root Guard
  • Security Features
    • Storm Control
    • DHCP Snooping
    • IP Source Guard (IPSG)
    • Dynamic ARP inspection (DAI)
    • Loop Guard
    • Quarantine
    • MAC limit
    • 802.1X
  • Advanced Features
    • Access VLANs
    • IGMP Snooping
    • MCLAG
    • Flap Guard
  • Command Cheatsheet
  • Packet Capture
  • QoS
  • Best Practices / Security
  • Monitoring
  • Firmware Upgrade
  • Other Topics
  • Protocols
    • FortiLink
    • LLDP
    • CAPWAP
    • MCLAG Control
    • Other
  • Fortigate Built-In switch
Powered by GitBook
On this page

Was this helpful?

  1. Security Features

Quarantine

PreviousLoop GuardNextMAC limit

Last updated 1 year ago

Was this helpful?

Two Fortigate Quarantine modes are available:

VLAN mode (default):

MAC address is moved into the Quarantine VLAN. The default quarantine VLAN has a DHCP server configured and no firewall policies. Devices in the quarantine network, can communicate to each other, but by default to nowhere else. Technically the Fortigate configures a mac to vlan mapping on the Fortiswitch.

Redirect Mode:

Devices stay in their configured VLAN, but are added to the QuarantinedDevices firewall address group. Block policies must be configured on the firewall to make this useful.

config switch-controller global
   set quarantine-mode by-vlan | by-redirect

Quaranting devices or remove them from the Quarantine, by right-click on the device and select "Quarantine Host":

An overview of all quarantined devices is available as a dashboard: Dashboard -> User & Devices -> Quarantine

FortiSwitch Log entry:

This feature becomes highly effective when combined with FortiAnalyzer automation tasks, allowing for the creation of quarantine actions based on specific Log Events, such as when a port scan is detected.