Quarantining an endpoint from FortiOS using EMS
In FortiOS 6.0, an administrator can quarantine FortiClient endpoints using EMS by enabling the Quarantine FortiClient via EMS option. The following lists the requirements for this feature:
- The FortiClient endpoint is connected to FortiGate and managed by EMS
- The FortiClient endpoint and FortiGate use the same FortiAnalyzer
- The EMS managing the FortiClient endpoint is configured on the FortiGate. FortiOS allows configuration of up to three EMS servers to allow endpoint control in different locations.
Configuring Quarantine FortiClient via EMS requires using the FortiOS CLI to set the following fields:
forticlient-ems. See the FortiOS CLI Reference.
If Quarantine FortiClient via EMS is enabled, the following occurs when an indicator of compromise (IOC) is detected on an endpoint in the Security Fabric:
- An IOC is detected on an endpoint.
- FortiOS sends the endpoint information to EMS with instructions to quarantine the endpoint.
- EMS identifies and quarantines the endpoint based on the request from FortiOS.
You can remove the endpoint from quarantine using EMS as described in Quarantining endpoints or using FortiOS by following the procedure described below:
- The administrator identifies that EMS has quarantined an endpoint from one of the following:
- FortiClient on the endpoint
- Quarantine Management or FortiClient Monitor in FortiOS
- Endpoints pane in EMS
- The administrator removes the endpoint from quarantine in FortiOS.
- FortiOS sends the endpoint information to EMS with instructions to remove the endpoint from quarantine.
- EMS identifies and removes the endpoint from quarantine based on the request from FortiOS.