Quarantining an endpoint from FortiOS using EMS
In FortiOS 6.0, an administrator can quarantine FortiClient endpoints using EMS by enabling the Quarantine FortiClient via EMS option. The following lists the requirements for this feature:
- The FortiClient endpoint is connected to FortiGate and managed by EMS
- The FortiClient endpoint and FortiGate use the same FortiAnalyzer
- The EMS server managing the FortiClient endpoint is configured on the FortiGate. See the FortiOS Handbook for details on the FortiGate configuration required.
If Quarantine FortiClient via EMS is enabled, the following occurs when an indicator of compromise (IOC) is detected on an endpoint in the Security Fabric:
- An IOC is detected on an endpoint.
- FortiAnalyzer sends the endpoint information to FortiOS.
- FortiOS sends the endpoint information to EMS.
- EMS identifies and quarantines the endpoint.