FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
amrit
Staff
Article Id 287301
Description This article describes the scenario in which a host is quarantined again shortly after being removed from the quarantine (banned IP) list.
Scope FortiGate v5.x.x, v6.x.x and v7.x.x.
Solution

FortiGate triggers a rate-based IPS signature when its rate count is reached within the rate duration. Take, for example, a signature with a threshold (rate count) of 3, such as 3 failed RDC attempts, a rate duration of 120 seconds, a quarantine timer of 15 minutes, and the track-by option set to source IP. On its third attempt within 120 seconds, the host is quarantined for 15 minutes.

[Image: IPS.JPG]

If the source IP is removed from the banned IP (quarantine) list with 'diagnose user banned-ip delete src4 x.x.x.x' before the 120-second rate duration elapses, its fourth attempt within that same 120 seconds quarantines it again. Removing the entry does not reset the rate count.

However, if the source is removed from the banned IP list only after the rate duration has expired, the counter has already been cleared, so the source gets 3 more attempts before it is quarantined again.

 

This is expected behavior across all FortiOS versions.
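The two scenarios above, as an added Python model written for this article (it is not FortiOS code). The model assumes that the rate window opens on a source's first hit, that the counter is cleared only when the rate duration elapses, and that attempts from a quarantined source are dropped without being counted; the source IP, timestamps and the quarantine expiry handling are constructed for illustration.

```python
from dataclasses import dataclass, field

THRESHOLD = 3          # rate count: the third hit within the window triggers
RATE_DURATION = 120    # rate duration in seconds
QUARANTINE = 15 * 60   # quarantine timer in seconds


@dataclass
class RateTracker:
    """Model of a rate-based IPS signature tracked by source IP.

    Assumption (not FortiOS code): the window starts at the first hit from a
    source and the hit counter is reset only when RATE_DURATION has elapsed.
    Nothing else, in particular not an operator clearing the banned list,
    touches the counter.
    """
    window_start: dict = field(default_factory=dict)  # src -> time of first hit in window
    count: dict = field(default_factory=dict)         # src -> hits in current window
    banned: dict = field(default_factory=dict)        # src -> quarantine expiry time

    def is_banned(self, src, now):
        """True while the source is on the banned list; expired entries fall off."""
        expiry = self.banned.get(src)
        if expiry is not None and now < expiry:
            return True
        self.banned.pop(src, None)
        return False

    def attempt(self, src, now):
        """Process one matching attempt; returns 'dropped', 'quarantined' or 'allowed'."""
        if self.is_banned(src, now):
            return "dropped"
        start = self.window_start.get(src)
        if start is None or now - start >= RATE_DURATION:
            # Rate duration elapsed (or first hit): open a fresh window.
            self.window_start[src] = now
            self.count[src] = 0
        self.count[src] += 1
        if self.count[src] >= THRESHOLD:
            self.banned[src] = now + QUARANTINE
            return "quarantined"
        return "allowed"

    def delete_banned(self, src):
        """Operator removal, like 'diagnose user banned-ip delete src4 <ip>'.

        Only the banned-list entry is removed; the rate counter is untouched.
        """
        self.banned.pop(src, None)


SRC = "10.0.0.5"  # constructed sample source IP


def scenario_remove_before_window_expires():
    """Cleared at t=90s, still inside the 120s window: 4th hit re-quarantines."""
    t = RateTracker()
    results = [t.attempt(SRC, s) for s in (0, 30, 60)]  # 3rd hit -> quarantined
    t.delete_banned(SRC)                                 # operator clears the entry
    results.append(t.attempt(SRC, 90))                   # counter is 4 -> quarantined again
    return results


def scenario_remove_after_window_expires():
    """Cleared after the window closed: the source gets 3 fresh attempts."""
    t = RateTracker()
    results = [t.attempt(SRC, s) for s in (0, 30, 60)]   # 3rd hit -> quarantined
    t.delete_banned(SRC)                                  # cleared once the 120s window is gone
    results += [t.attempt(SRC, s) for s in (130, 140, 150)]
    return results


def scenario_no_removal():
    """Without operator action the source stays dropped until the 15 min timer expires."""
    t = RateTracker()
    results = [t.attempt(SRC, s) for s in (0, 30, 60, 90)]  # 4th hit is dropped
    results.append(t.attempt(SRC, 60 + QUARANTINE))          # timer expired, window reset
    return results


if __name__ == "__main__":
    print("remove before window expires:", scenario_remove_before_window_expires())
    print("remove after window expires: ", scenario_remove_after_window_expires())
    print("no removal:                  ", scenario_no_removal())
```

Running the model shows the difference the rate duration makes: in the first scenario the fourth hit is reported as quarantined even though the entry was just deleted, while in the second scenario the source is allowed twice more before the third hit bans it again.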
