User
NAC quarantine and the Banned User list
FortiGate Version 4.0 Administration Guide
01-400-89802-20090424
595
You can use Network Access Control (NAC) quarantine to block access through the
FortiGate unit when virus scanning detects a virus, or when an IPS sensor or a DoS
sensor detects an attack. You can configure NAC quarantine for IPS sensor filters and
overrides. NAC quarantine blocks access for the IP address that sent the virus or attack or
blocks all traffic from connecting to the FortiGate interface that received the virus or attack.
You can also configure IPS sensors and DoS sensors to block communication between
the IP address that sent the attack and the target or receiver (victim) of the attack. NAC
quarantine blocking drops blocked packets at the network layer before the packets are
accepted by firewall policies.
NAC quarantine adds blocked IP addresses or interfaces to the Banned User list. To view
the Banned User list, go to User > Monitor > Banned User. When you configure NAC
quarantine settings, you can specify how long to block the IP addresses or interfaces.
FortiGate administrators can manually enable access again by removing IP addresses or
interfaces from the Banned User list. Removing an IP address from the Banned User list
means the user can start accessing network services through the FortiGate unit again.
Removing an interface from the list means the interface can resume normal receiving and
processing of communication sessions. For more information, see .
NAC quarantine and DLP
You can also use Data Leak Prevention (DLP) sensors to block access and to add users
to the Banned User list. However, unlike NAC quarantine, which drops packets at the
network layer, DLP blocks packets at the application layer, after the packets have been
accepted by firewall policies. Because of this difference, with DLP you have more control
over what is blocked and what is not. For example, if a DLP sensor matches content in an
SMTP email message, you can configure DLP to block all SMTP email from a sender
identified in the “From:” field of the email messages, without blocking the user from web
browsing. DLP will also add the sender’s name to the Banned User list. For more
information about using actions in DLP sensors, see “Adding or editing a rule in a DLP
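The two blocking paths described in the preceding sections (NAC quarantine dropping at the network layer before policy, DLP blocking at the application layer after policy) and the NAT caution at the end of this page can be modelled in a few dozen lines. The following Python is an added example, not Fortinet's code and not FortiOS behaviour beyond what the text states: the mode names ("attacker", "both", "interface"), the allowed ports, the addresses and the mail messages are assumptions constructed for the example. It shows that a banned IP takes everyone behind the same NAT address with it, that a timed entry expires on its own, and that a DLP sender ban stops only that sender's SMTP while web browsing continues until an administrator removes the entry.

```python
# Added example, not Fortinet's code: a Python model of the two blocking paths on
# this page. NAC quarantine puts IP / attacker-victim pair / interface entries on
# the Banned User list and drops matching packets before firewall policy; DLP runs
# after policy and bans only the matching SMTP sender. Names and addresses are assumed.
import re
from dataclasses import dataclass

ALLOWED_PORTS = {25, 80, 443}  # assumed firewall policy: mail and web only

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    in_iface: str
    dst_port: int
    payload: str = ""  # application data, e.g. an SMTP message (constructed)

@dataclass
class BanEntry:
    kind: str           # "ip", "pair", "interface" (NAC) or "sender" (DLP)
    value: tuple
    expires_at: object  # seconds, or None = until an administrator removes it

class BannedUserList:
    def __init__(self):
        self.entries = []

    def add(self, kind, value, now, minutes=None):
        expires = None if minutes is None else now + minutes * 60
        self.entries.append(BanEntry(kind, value, expires))

    def remove(self, kind, value):  # administrator manually restores access
        self.entries = [e for e in self.entries if (e.kind, e.value) != (kind, value)]

    def matches(self, kind, value, now):  # expire stale entries, then look up
        self.entries = [e for e in self.entries if e.expires_at is None or e.expires_at > now]
        return any(e.kind == kind and e.value == value for e in self.entries)

def nac_quarantine_on_attack(banned, pkt, mode, now, minutes):
    """Called when AV/IPS/DoS flags pkt; mode (assumed names) selects what gets banned."""
    if mode == "attacker":
        banned.add("ip", (pkt.src_ip,), now, minutes)
    elif mode == "both":  # attacker <-> victim only; other destinations unaffected
        banned.add("pair", (pkt.src_ip, pkt.dst_ip), now, minutes)
    elif mode == "interface":
        banned.add("interface", (pkt.in_iface,), now, minutes)

def nac_quarantine_drops(banned, pkt, now):
    """Network-layer check; no firewall policy has been consulted yet."""
    return (banned.matches("ip", (pkt.src_ip,), now)
            or banned.matches("pair", (pkt.src_ip, pkt.dst_ip), now)
            or banned.matches("interface", (pkt.in_iface,), now))

def smtp_sender(payload):
    m = re.search(r"^From:\s*<?([^\s<>]+@[^\s<>]+)>?\s*$", payload, re.M)
    return m.group(1).lower() if m else None

def dlp_blocks(banned, pkt, pattern, now):
    """Application-layer check, after policy: a content match on SMTP bans the
    From: sender (no expiry), and only that sender's later SMTP is blocked."""
    sender = smtp_sender(pkt.payload) if pkt.dst_port == 25 else None
    if sender and re.search(pattern, pkt.payload):
        banned.add("sender", (sender,), now)
    return bool(sender) and banned.matches("sender", (sender,), now)

def process(banned, pkt, now, pattern):  # evaluation order as the page describes it
    if nac_quarantine_drops(banned, pkt, now):
        return "dropped by NAC quarantine (network layer)"
    if pkt.dst_port not in ALLOWED_PORTS:
        return "denied by firewall policy"
    if dlp_blocks(banned, pkt, pattern, now):
        return "blocked by DLP (application layer)"
    return "accepted"

def run_scenario():
    """Walk through the cases in the text; returns the outcome of each."""
    banned, pattern, out = BannedUserList(), r"CONFIDENTIAL", {}
    nat_ip = "203.0.113.5"  # public address of a NAT device (constructed)
    attack = Packet(nat_ip, "192.0.2.10", "wan1", 80)
    nac_quarantine_on_attack(banned, attack, "attacker", now=0, minutes=5)
    out["attacker_t0"] = process(banned, attack, 0, pattern)
    # Caution from the page: another host behind the same NAT address is blocked too
    out["nat_neighbour_t0"] = process(banned, Packet(nat_ip, "198.51.100.7", "wan1", 443), 0, pattern)
    out["attacker_t6min"] = process(banned, attack, 6 * 60, pattern)  # 5-minute ban expired
    secret = Packet("10.0.0.9", "192.0.2.25", "internal", 25,
                    "From: alice@example.com\nSubject: CONFIDENTIAL plans\n")
    lunch = Packet("10.0.0.9", "192.0.2.25", "internal", 25,
                   "From: alice@example.com\nSubject: lunch\n")
    out["alice_secret_mail"] = process(banned, secret, 100, pattern)
    out["alice_lunch_mail"] = process(banned, lunch, 101, pattern)  # sender is now banned
    out["alice_web"] = process(banned, Packet("10.0.0.9", "192.0.2.40", "internal", 80), 102, pattern)
    banned.remove("sender", ("alice@example.com",))  # administrator clears the entry
    out["alice_lunch_after_removal"] = process(banned, lunch, 103, pattern)
    return out

if __name__ == "__main__":
    print(run_scenario())
```

Running the module prints one outcome per case. The order inside `process` is the point of the model: a NAC quarantine entry is consulted before any policy lookup, so nothing further down the pipeline can narrow its effect, whereas the DLP sender entry is only reachable for traffic a policy has already accepted and is keyed on the mail sender rather than the source address.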
NAC quarantine and DLP replacement messages
A user who is blocked by NAC quarantine or a DLP sensor with action set to Quarantine
IP address will typically attempt to start an HTTP session through the FortiGate unit using
TCP port 80. When this happens, the FortiGate unit connects the user to one of four NAC
quarantine web pages displaying messages that access has been blocked. You can
customize these web pages by going to System > Config > Replacement Messages and
editing the NAC Quarantine replacement messages. For more information, see
quarantine replacement messages” on page 204.
Last Login   The last time the current user used the protocol.
Block        Select to add the user name to the permanent black list. Each user
             name/protocol pair must be explicitly blocked by the administrator.
Caution: If you have configured NAC quarantine to block IP addresses and if the FortiGate
unit receives sessions that have passed through a NAT device, all traffic—not just
individual users—could be blocked from that NAT device.