FortiGate Version 4.0 MR1 Administration Guide
678 01-410-89802-20090903
http://docs.fortinet.com/
Figure 423: IM user monitor list
NAC quarantine and the Banned User list
You can use Network Access Control (NAC) quarantine to block access through the
FortiGate unit when virus scanning detects a virus, or when an IPS sensor or a DoS
sensor detects an attack. You can configure NAC quarantine for IPS sensor filters and
overrides. NAC quarantine blocks access for the IP address that sent the virus or attack or
blocks all traffic from connecting to the FortiGate interface that received the virus or attack.
You can also configure IPS sensors and DoS sensors to block communication between
the IP address that sent the attack and the target or receiver (victim) of the attack. NAC
quarantine blocking drops blocked packets at the network layer before the packets are
accepted by firewall policies.
NAC quarantine adds blocked IP addresses or interfaces to the Banned User list. To view
the Banned User list, go to User > Monitor > Banned User. When you configure NAC
quarantine settings, you can specify how long to block the IP addresses or interfaces.
FortiGate administrators can manually enable access again by removing IP addresses or
interfaces from the Banned User list. Removing an IP address from the Banned User list
means the user can start accessing network services through the FortiGate unit again.
Removing an interface from the list means the interface can resume normal receiving and
processing of communication sessions. For more information, see “The Banned User list”
on page 680.
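The following Python model is an added example, not Fortinet code: it captures the Banned User list behaviour described in this section (a ban on the attacker IP, on the attacker/victim pair, or on the whole receiving interface, each lapsing after the configured expiry, checked before firewall policies run, and removable by an administrator), and it also reproduces the NAT caution on this page, where every host sharing a translated source address is blocked together. The class and function names, and the sample addresses used in the checks, are assumptions.

```python
"""Model of the Banned User list semantics described above (added example, not
Fortinet code): a ban covers an attacker IP, an attacker/victim pair, or a whole
inbound interface, each with an expiry, and is checked before policy lookup."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    in_interface: str


@dataclass
class BanEntry:
    kind: str              # "attacker", "both" (attacker and victim) or "interface"
    subject: str           # attacker IP, or interface name for kind == "interface"
    victim: Optional[str]  # only used for kind == "both"
    expires: datetime      # block duration configured in the quarantine setting


class BannedUserList:
    def __init__(self) -> None:
        self.entries: List[BanEntry] = []

    def quarantine(self, kind: str, subject: str, now: datetime,
                   expiry_minutes: int, victim: Optional[str] = None) -> None:
        """Sensor hit: add a ban that lapses after the configured expiry."""
        self.entries.append(BanEntry(kind, subject, victim,
                                     now + timedelta(minutes=expiry_minutes)))

    def remove(self, subject: str) -> None:
        """Administrator removal (User > Monitor > Banned User) restores access."""
        self.entries = [e for e in self.entries if e.subject != subject]

    def is_blocked(self, pkt: Packet, now: datetime) -> bool:
        """Network-layer drop decision taken before firewall policies see the packet."""
        for e in self.entries:
            if e.expires <= now:
                continue  # lapsed ban: traffic flows again automatically
            if e.kind == "attacker" and pkt.src_ip == e.subject:
                return True  # every host behind a NAT device sharing this IP is hit
            if e.kind == "both" and (pkt.src_ip, pkt.dst_ip) == (e.subject, e.victim):
                return True
            if e.kind == "interface" and pkt.in_interface == e.subject:
                return True
        return False
```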
NAC quarantine and DLP
You can also use Data Leak Prevention (DLP) sensors to block access and to add users
to the Banned User list. However, unlike NAC quarantine, which drops packets at the
network layer, DLP blocks packets at the application layer, after the packets have been
accepted by firewall policies. Because of this difference, with DLP you have more control
over what is blocked and what is not. For example, if a DLP sensor matches content in an
Protocol: Filter the list by selecting the protocol for which to display current users: AIM, ICQ, MSN, or Yahoo. All current users can also be displayed.
#: The position number of the IM user in the list.
Protocol: The protocol being used.
User Name: The name selected by the user when registering with an IM protocol. The same user name can be used for multiple IM protocols. Each user name/protocol pair appears separately in the list.
Source IP: The address from which the user initiated the IM session.
Last Login: The last time the current user used the protocol.
Block: Select to add the user name to the permanent black list. Each user name/protocol pair must be explicitly blocked by the administrator.
Caution: If you have configured NAC quarantine to block IP addresses and if the FortiGate
unit receives sessions that have passed through a NAT device, all traffic—not just
individual users—could be blocked from that NAT device.