5.1.1 Enable Compromised Host Quarantine

Information

Default automation trigger configuration for when a high severity compromised host is detected.

By enabling this feature, you protect your environment against compromised hosts: the default automation stitch quarantines a high severity compromised host on FortiAPs, FortiSwitches, and FortiClient EMS.

Please note that this is only applicable if you have Fortinet's solution ecosystem (FortiGate with FortiAP, FortiSwitches, or FortiClient EMS).

Solution

GUI

Security Fabric > Automation

Edit the "Compromised Host Quarantine" stitch and change its status from Disabled to Enabled.

CLI

config system automation-action
    edit "Quarantine on FortiSwitch + FortiAP"
        set description "Default automation action configuration for quarantining a MAC address on FortiSwitches and FortiAPs."
        set action-type quarantine
    next
    edit "Quarantine FortiClient EMS Endpoint"
        set description "Default automation action configuration for quarantining a FortiClient EMS endpoint device."
        set action-type quarantine-forticlient
    next
end
config system automation-trigger
    edit "Compromised Host - High"
        set description "Default automation trigger configuration for when a high severity compromised host is detected."
    next
end
config system automation-stitch
    edit "Compromised Host Quarantine"
        set description "Default automation stitch to quarantine a high severity compromised host on FortiAPs, FortiSwitches, and FortiClient EMS."
        set status enable
        set trigger "Compromised Host - High"
        config actions
            edit 1
                set action "Quarantine on FortiSwitch + FortiAP"
            next
            edit 2
                set action "Quarantine FortiClient EMS Endpoint"
            next
        end
    next
end
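As an added audit check (not part of this benchmark item and not Fortinet's own tooling), the following Python script parses a FortiOS `show full-configuration` dump and reports whether the stitch above is present, enabled, bound to the "Compromised Host - High" trigger and carries both quarantine actions. It assumes full-configuration output, where `set status` is printed explicitly; the embedded sample configuration is constructed.

```python
# Added audit check (not Fortinet's or the benchmark's own code). Assumes a FortiOS
# `show full-configuration` dump, which prints `set status` for every stitch explicitly.
import shlex
STITCH = "Compromised Host Quarantine"
TRIGGER = "Compromised Host - High"
ACTIONS = {"Quarantine on FortiSwitch + FortiAP", "Quarantine FortiClient EMS Endpoint"}

def parse_fortios(text):
    """Stack-based reader for config/edit/set/next/end blocks; returns nested dicts."""
    root = cur = {}
    stack = []
    for raw in text.splitlines():
        tok = shlex.split(raw)          # quoted names such as "Compromised Host - High" stay one token
        kw = tok[0] if tok else ""
        if kw in ("config", "edit"):    # open a nested block keyed by its name
            stack.append(cur)
            cur = cur.setdefault(" ".join(tok[1:]), {})
        elif kw in ("next", "end"):     # close the current block
            cur = stack.pop()
        elif kw == "set":               # attribute -> list of values
            cur[tok[1]] = tok[2:]
    return root

def check_quarantine_stitch(text):
    """Per-requirement booleans for the Compromised Host Quarantine stitch."""
    stitch = parse_fortios(text).get("system automation-stitch", {}).get(STITCH, {})
    bound = {a["action"][0] for a in stitch.get("actions", {}).values() if a.get("action")}
    return {
        "present": bool(stitch),
        "enabled": stitch.get("status") == ["enable"],
        "trigger_ok": stitch.get("trigger") == [TRIGGER],
        "actions_ok": ACTIONS <= bound,
    }

# Constructed sample: the default stitch with its wiring in place but still disabled.
SAMPLE_DISABLED = """config system automation-stitch
edit "Compromised Host Quarantine"
set status disable
set trigger "Compromised Host - High"
config actions
edit 1
set action "Quarantine on FortiSwitch + FortiAP"
next
edit 2
set action "Quarantine FortiClient EMS Endpoint"
next
end
next
end"""
SAMPLE_ENABLED = SAMPLE_DISABLED.replace("set status disable", "set status enable")
```

Run `check_quarantine_stitch` over the dump of each FortiGate; any `False` in the result is a finding against this item.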

See Also

https://workbench.cisecurity.org/benchmarks/15284

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AC-17, 800-53|AC-17(1), 800-53|CM-6, 800-53|CM-7, 800-53|SC-7, 800-53|SI-4, CSCv7|8.1, CSCv7|8.3

Plugin: FortiGate

Control ID: ffd2aabfefb7b517163123da0d59127dbdc140042dbfb791a0433e8b9cdbe8b4