NAC Quarantine and DLP Replacement Messages; Configuring NAC Quarantine - Fortinet FortiGate Series Administration Manual

FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903
http://docs.fortinet.com/

SMTP email message, you can configure DLP to block all SMTP email from a sender identified in the "From:" field of the email messages, without blocking the user from web browsing. DLP will also add the sender's name to the Banned User list. For more information about using actions in DLP sensors, see "Adding or editing a rule or compound rule in a DLP sensor" on page 585.

NAC quarantine and DLP replacement messages

A user who is blocked by NAC quarantine or a DLP sensor with action set to Quarantine IP address will typically attempt to start an HTTP session through the FortiGate unit using TCP port 80. When this happens, the FortiGate unit connects the user to one of four NAC quarantine web pages displaying messages that access has been blocked. You can customize these web pages by going to System > Config > Replacement Message and editing the NAC Quarantine replacement messages. For more information, see "NAC quarantine replacement messages" on page 261.

When an interface is blocked by NAC quarantine or a DLP sensor with action set to Quarantine Interface, any user attempting to start an HTTP session through this interface using TCP port 80 will also be connected by the FortiGate unit to one of the four NAC quarantine web pages.

The DLP Ban and Ban Sender options also send messages to blocked users. For more information, see "Adding or editing a rule or compound rule in a DLP sensor" on page 585.

Configuring NAC quarantine

You can configure NAC quarantine for antivirus protection in a protection profile and for IPS sensors and DoS sensors:

• To configure NAC quarantine for antivirus protection, go to Firewall > Protection Profile. Add or edit a protection profile and configure Anti-Virus. Enable Quarantine Virus Sender (to Banned Users List), select a Method, and configure Expires. For more information, see "Anti-Virus options" on page 489.

• To configure NAC quarantine for an IPS sensor, go to UTM > Intrusion Protection > IPS Sensor. Add or edit an IPS sensor. To add NAC quarantine to a filter, select Add Filter, enable Quarantine Attackers (to Banned Users List), select a Method, and configure Expires. You can also add NAC quarantine to pre-defined and custom overrides in an IPS sensor. For more information, see "Configuring filters" on page 540 and "Configuring pre-defined and custom overrides" on page 541.

• To configure NAC quarantine for a DoS sensor, you create or edit a DoS sensor and from the CLI configure NAC quarantine for one or more of the 12 anomaly types. To configure NAC quarantine for an anomaly, you set quarantine to attacker to block the attacker, both to block both the attacker and the target, or interface to block the interface that received the attack.

You can add the DoS sensor from the web-based manager or the CLI, but you can only configure NAC quarantine from the CLI. The following example shows how to edit a DoS sensor named QDoS_sensor, set quarantine to attacker for the udp_dst_session anomaly, and set the quarantine expiry time to 30 minutes. The example also shows how to set quarantine to both for the icmp_flood anomaly:

    config ips DoS
        edit QDoS_sensor
            config anomaly
                edit udp_dst_session
                    set quarantine attacker
                    set quarantine-expiry 30
                next
                edit icmp_flood
                    set quarantine both
                next
            end
        next
    end
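
Since NAC quarantine for DoS anomalies is configured only from the CLI, one way to review it is to read the setting back from CLI text. The following Python is an added example, not part of the Fortinet guide: it reads a config ips DoS section in the syntax shown above and reports each anomaly's quarantine value and expiry. The sample text is constructed, the function names are hypothetical, and the input is assumed to contain only that section.

```python
import shlex
# Constructed sample (not from a real unit); udp_flood has no quarantine line.
SAMPLE = """\
config ips DoS
    edit QDoS_sensor
        config anomaly
            edit udp_dst_session
                set quarantine attacker
                set quarantine-expiry 30
            next
            edit icmp_flood
                set quarantine both
            next
            edit udp_flood
            next
        end
    next
end
"""
BLOCKING = {"attacker", "both", "interface"}  # quarantine values the guide names

def dos_quarantine(config_text):
    """Map (sensor, anomaly) -> {'quarantine': str or None, 'expiry': int or None}."""
    stack, found = [], {}
    for line in config_text.splitlines():
        tokens = shlex.split(line) or [""]
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):
            stack.append((cmd, " ".join(args)))
        elif cmd == "next" and stack:
            stack.pop()
        elif cmd == "end":
            while stack and stack.pop()[0] == "edit":  # also closes an open entry
                pass
        names = [name for _, name in stack]
        # Only act inside: config ips DoS > edit <sensor> > config anomaly > edit <anomaly>
        if len(names) != 4 or names[0].lower() != "ips dos" or names[2] != "anomaly":
            continue
        entry = found.setdefault((names[1], names[3]), {"quarantine": None, "expiry": None})
        if cmd == "set" and len(args) >= 2 and args[0] == "quarantine":
            entry["quarantine"] = args[1]
        elif cmd == "set" and len(args) >= 2 and args[0] == "quarantine-expiry":
            entry["expiry"] = int(args[1])
    return found

def without_quarantine(found):
    """Entries whose block sets none of attacker, both or interface."""
    return sorted(key for key, v in found.items() if v["quarantine"] not in BLOCKING)
```

Calling without_quarantine(dos_quarantine(SAMPLE)) returns the (sensor, anomaly) pairs that carry no quarantine action in the text that was read.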