FortiGate
fnaghavi
Staff
Article Id 189983

Description
A user or IP address can be quarantined and added to the Banned User list as a result of a DLP, IPS, AV or DoS action.

All sessions started by users or IP addresses on the Banned User list are blocked until the user or IP address is removed from the list or the entry reaches its expiry.

In FortiOS 5.0, use the command "get user ban list" to see the Banned User list.

Viewing the Banned User List in FortiOS 5.2

In FortiOS 5.2, use the following command to see the Banned User list.

FGT# diagnose firewall ip_host list

The sample output looks like this.

FGT# diagnose firewall ip_host list
src-ip-addr       created                  expires                  cause
192.168.3.110     Wed Mar  4 15:22:24 2015 Wed Mar  4 15:24:24 2015 DLP
192.168.3.111     Wed Mar  4 15:23:23 2015 Wed Mar  4 16:23:23 2015 IPS      

Explanation of each field

src-ip-addr: The IP address of the quarantined user.
created: The time that the IP address was added to the list.
expires: The time at which the entry expires and is removed from the list.
cause: The reason that this IP address was added to the Banned User list.
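
When the list is long, or a copy of it is saved during an investigation, the four fields can be parsed offline. The following is an added example, not Fortinet code: it reads pasted "diagnose firewall ip_host list" output in the layout shown above and reports the ban length per entry, the entries still active at a given time, and a count per cause. The function names are hypothetical, and the timestamps are assumed to be in the firewall's local time.

```python
from collections import Counter
from datetime import datetime
import ipaddress

# Constructed sample: the output shown in this article, pasted as text.
SAMPLE = """\
FGT# diagnose firewall ip_host list
src-ip-addr       created                  expires                  cause
192.168.3.110     Wed Mar  4 15:22:24 2015 Wed Mar  4 15:24:24 2015 DLP
192.168.3.111     Wed Mar  4 15:23:23 2015 Wed Mar  4 16:23:23 2015 IPS
"""

TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # e.g. "Wed Mar  4 15:22:24 2015"


def parse_ban_list(text):
    """Return one dict per data row; prompt, header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # Data row = address + 5 tokens (created) + 5 tokens (expires) + cause.
        if len(fields) != 12:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
            created = datetime.strptime(" ".join(fields[1:6]), TS_FORMAT)
            expires = datetime.strptime(" ".join(fields[6:11]), TS_FORMAT)
        except ValueError:
            continue  # not a row in the layout shown above
        entries.append({
            "ip": str(ip), "created": created, "expires": expires,
            "cause": fields[11],
            "ban_seconds": int((expires - created).total_seconds()),
        })
    return entries


def active_at(entries, now):
    """Entries still banned at `now` (naive datetime, firewall local time),
    mapped to the seconds left before they expire."""
    return {e["ip"]: int((e["expires"] - now).total_seconds())
            for e in entries if e["created"] <= now < e["expires"]}


def count_by_cause(entries):
    """Number of entries per cause value, e.g. DLP or IPS."""
    return Counter(e["cause"] for e in entries)


if __name__ == "__main__":
    rows = parse_ban_list(SAMPLE)
    for row in rows:
        print(row["ip"], row["cause"], row["ban_seconds"], "s")
    print(active_at(rows, datetime(2015, 3, 4, 15, 30, 0)))
    print(dict(count_by_cause(rows)))
```
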

Related Options

1. Add/delete an entry

To delete an entry, use the following command.
FGT# diagnose firewall ip_host delete src4/src6 <ipv4/ipv6>

Here is an example.
FGT# diagnose firewall ip_host delete src4 192.168.3.111

To add an entry to the list, use the following command.
FGT# diagnose firewall ip_host add src4/src6 <ipv4/ipv6> <expiry> <ban_source(dlp/ips/av/dos)>

The following example adds the IP address 192.168.3.111 to the list with the cause set to "IPS" and an expiry of 3600 seconds.
FGT# diagnose firewall ip_host add src4 192.168.3.111 3600 ips

2. Show statistics

To view the number of entries in the list, use the following command.
FGT# diagnose firewall ip_host stat
iph_size=2


3. Clear the list

The following command will clear the whole list.
FGT# diagnose firewall ip_host clear

Scope

FortiOS v5.2. See the related article for v5.4.

Related Articles

Technical Note: Viewing Banned User List using the CLI
