FortiGate
lestopace
Staff
Article Id 196212

Description

This article describes how to quarantine and unquarantine FortiClient host machines using FortiGate.

For prerequisites, refer to the Related articles section.


Scope

FortiClient EMS and FortiGate.

Solution

To quarantine a managed FortiClient via FortiGate:

diagnose endpoint fctems queue-complete-calls Q-X.X.X.X

where X.X.X.X is the IP address of the FortiClient host machine.

To un-quarantine a managed FortiClient via FortiGate:

diagnose endpoint fctems queue-complete-calls U-X.X.X.X

where X.X.X.X is the IP address of the FortiClient host machine.

Accepted Syntax:

diagnose endpoint fctems queue-complete-calls

Pass a single argument with the format <call>[,<call>[,<call>[,...]]].

Each <call> is in the following format: <CallType>-<IPv4>.

  • <CallType> is a mandatory field that can be either `Q` (quarantine) or `U` (unquarantine).
  • <IPv4> is a mandatory field that is the IP address of the client.

Valid examples:

Q-172.16.40.67,U-172.16.40.169
Q-172.16.41.78

Invalid examples:

Q-ab:cd:ef:12:34:56 (no <IPv4>)
q-172.16.40.67 (invalid <CallType>; only `Q` and `U` are accepted)



On a multi-VDOM FortiGate, each <call> must also carry the VFID of the VDOM the client belongs to:

diagnose endpoint fctems queue-complete-calls

Pass a single argument with the format <call>[,<call>[,<call>[,...]]].

Each <call> is in the following format: <CallType>-<IPv4>-<vfid>.

  • <CallType> is a mandatory field that can be either `Q` (quarantine) or `U` (unquarantine).
  • <IPv4> is a mandatory field that is the IP address of the client.
  • <vfid> is a mandatory field that is the VFID of the VDOM to which the client belongs.

Valid examples:

Q-172.16.40.67-0
Q-172.16.41.78-0,U-172.16.40.25-2

Invalid examples:

Q-ab:cd:ef:12:34:56 (no <IPv4> and no <vfid>)
Q-172.16.40.67-root (`root` is not a valid <vfid>; the VFID is a number, such as 0)
q-172.16.40.67-0 (invalid <CallType>; only `Q` and `U` are accepted)
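As an added example (not part of this article or of FortiOS), the following Python helper validates and builds the queue-complete-calls argument for both the single-VDOM and multi-VDOM formats described above, rejecting the same malformed calls the CLI help lists; the function names are my own.

```python
import ipaddress

# Added example, not part of the article or of FortiOS: builds and checks the
# argument for 'diagnose endpoint fctems queue-complete-calls' before it is
# queued, so a typo does not silently leave a host quarantined or released.
# Each <call> is <CallType>-<IPv4> on a single-VDOM unit or
# <CallType>-<IPv4>-<vfid> on a multi-VDOM unit; calls are joined with ','.

def parse_call(call, multi_vdom=False):
    """Return (CallType, IPv4, vfid or None) or raise ValueError."""
    parts = call.split("-")
    expected = 3 if multi_vdom else 2
    if len(parts) != expected:
        raise ValueError(f"{call!r}: expected {expected} '-' separated fields")
    call_type, ip = parts[0], parts[1]
    if call_type not in ("Q", "U"):           # lowercase 'q' is rejected
        raise ValueError(f"{call!r}: invalid <CallType> {call_type!r}")
    try:
        ipaddress.IPv4Address(ip)             # a MAC address fails here
    except ipaddress.AddressValueError:
        raise ValueError(f"{call!r}: {ip!r} is not an <IPv4>") from None
    vfid = None
    if multi_vdom:
        if not parts[2].isdigit():            # 'root' is a VDOM name, not a VFID
            raise ValueError(f"{call!r}: {parts[2]!r} is not a numeric <vfid>")
        vfid = int(parts[2])
    return call_type, ip, vfid

def parse_calls(argument, multi_vdom=False):
    """Validate a whole comma-separated argument and return the parsed calls."""
    return [parse_call(c, multi_vdom) for c in argument.split(",")]

def build_argument(actions, multi_vdom=False):
    """Compose the argument from (CallType, IPv4[, vfid]) tuples and re-check it."""
    calls = ["-".join(str(field) for field in action) for action in actions]
    parse_calls(",".join(calls), multi_vdom)
    return ",".join(calls)

if __name__ == "__main__":
    # Constructed checks mirroring the article's valid and invalid examples.
    print(parse_calls("Q-172.16.40.67,U-172.16.40.169"))
    print(parse_calls("Q-172.16.41.78-0,U-172.16.40.25-2", multi_vdom=True))
    for bad in ("Q-ab:cd:ef:12:34:56", "q-172.16.40.67"):
        try:
            parse_calls(bad)
        except ValueError as err:
            print("rejected:", err)
```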

 

Results:

diagnose endpoint fctems queue-complete-calls Q-10.115.2.52
SUCCESS! Queued the <call> 'Q-10.115.2.52'.
<call> stats: total=1, valid=1, queued=1.

diagnose endpoint fctems queue-complete-calls U-10.115.2.52
SUCCESS! Queued the <call> 'U-10.115.2.52'.
<call> stats: total=1, valid=1, queued=1.

It is important to note that for the quarantine and un-quarantine features to function, managed endpoints must have FortiGate as their default gateway. The endpoint can sit on a directly connected interface or behind a VPN tunnel, provided it can reach FortiClient EMS and FortiOS.

 

Below is the debug output for an endpoint where FortiGate is not configured as the default gateway. Note that queue-complete-calls itself still reports SUCCESS, because it only queues the call; the failure shows up only in the fcnacd debug output.

diagnose endpoint fctems queue-complete-calls Q-10.115.2.52
SUCCESS! Queued the <call> 'Q-10.115.2.52'.
<call> stats: total=1, valid=1, queued=1.

diagnose debug app fcnacd -1
diagnose debug enable

[_renew_resolver:219] called.
[ec_daemon_submit_quar_client_act:59] Could not find record of client 10.115.2.52 at vfid 0
[ec_ez_worker_base_prep_resolver:372] Outgoing interface index 0 for 2 (EMS-Server).


These features can be used for both on-fabric (on-premises) and off-fabric (off-premises) managed FortiClients. On-fabric endpoints sit on a directly connected interface; for off-fabric endpoints, an auto-connect VPN tunnel can be established, as described in:

https://community.fortinet.com/t5/FortiClient/Technical-Tip-FortiClient-EMS-Auto-connect-a-VPN-Tunne...

Related articles: