MAC layer control – Sticky MAC and MAC Learning-limit

Persistent MAC learning, or Sticky MAC, is a port security feature that lets an interface retain dynamically learned MAC addresses when a switch is restarted, or when an interface goes down and is then brought back online.

Enabling Sticky MAC along with MAC Learning-limit restricts the number of MAC addresses that are learned. This prevents layer 2 Denial of Service (DoS) attacks, overflow attacks on the Ethernet switching table, and DHCP starvation attacks by limiting the number of MAC addresses that are allowed, while still allowing the interface to learn a specified number of MAC addresses. The interface is secured because, after the specified limit has been reached, additional devices cannot connect to the port. Interfaces can be allowed to learn the MAC addresses of trusted workstations and servers from the time that the interfaces are connected to the network until the MAC address limit is reached.

Note: Sticky MAC save is hardware and CPU intensive if there are too many entries.

Note: Dual chip device models (X48 and XX48 FortiSwitch models) do not support MAC Learning-limit on VLANs, but still support it on FortiSwitch ports.

Enable Sticky MAC in the FortiSwitch ports view:

    config switch-controller managed-switch
        edit S248EPTF18001384
            config ports
                edit port6
                    set sticky-mac enable
                next
            end
        next
    end

Check the MAC table on the FortiSwitch to confirm that the status of the MAC entries on the Sticky MAC enabled ports has changed from dynamic to static.

Save the Sticky-MAC items into the database and delete the others. Saving the Sticky-MAC items from the running memory into the database, and deleting the unsaved items, ensures that the trusted MAC addresses are kept even after the FortiSwitch is rebooted and do not need to be relearned:

    execute switch-controller switch-action sticky-mac save all S248EPTF1800XXXX
    S248EPTF1800XXXX: Save started…
    Warning: Please wait save will take longer time upto 30 seconds…
    Sticky MAC entries saved = 1    -> Number of saved Sticky MAC items is shown
    execute switch-controller switch-action sticky-mac delete-unsaved all S248EPTF1800XXXX

Configure the MAC Learning-limit under the VLAN interface, or in the managed FortiSwitch ports view:

    config system interface
        edit vsw.aggr1
            set switch-controller-learning-limit 10
        next
    end

    config switch-controller managed-switch
        edit S248EPTF1800XXXX
            config ports
                edit port6
                    set learning-limit 11
                next
            end
        next
    end

When the FortiGate detects devices that have lower trust scores, lack mandatory installed software, or are sending out malicious traffic, an administrator can quarantine the device by moving it from the normal switch VLAN to the quarantine VLAN. This can limit the device's access, or present specific information to its user on the quarantine portal page.

Using the CLI, quarantine a device based on its MAC address:

    config user quarantine
        config targets
            edit "manual-qtn-1"
                set description "Manually quarantined"
                config macs
                    edit 00:0c:29:d4:4f:3c
                    next
                end
            next
        end
    end

In the GUI, on the FortiGate, go to Security Fabric > Physical Topology, or Security Fabric > Logical Topology. Mouse over the bubble of an active device, and select Quarantine Host from the right-click menu. Click OK in the Quarantine Host page to quarantine the device.

The quarantined device is moved to the quarantine VLAN; the configuration of the FortiSwitch port does not change. The quarantined device gets its IP address from the DHCP server on the quarantine VLAN interface.
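The Sticky MAC and MAC Learning-limit behaviour described above, modelled as an added Python example (not code from the page or from Fortinet): a port learns MAC addresses until its limit, holds them as static when sticky-mac is enabled, and after a reboot keeps only the entries that were saved to the database, mirroring `sticky-mac save all` and `delete-unsaved all`. The `Port` class, its method names and the "limit 0 means no limit" convention are assumptions of this model.

```python
# Added example, not from the page or Fortinet: a model of one FortiSwitch port
# running Sticky MAC with a MAC learning-limit. Names and the "0 = no limit"
# convention are assumptions of this model, not FortiOS behaviour.
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    learning_limit: int                 # 0 = no limit (model convention)
    sticky_mac: bool = False
    table: dict = field(default_factory=dict)   # mac -> "dynamic" | "static"
    saved: set = field(default_factory=set)     # sticky entries in the database

    def learn(self, mac: str) -> bool:
        """Learn a source MAC seen on the port; False when the limit blocks it."""
        mac = mac.lower()
        if mac in self.table:
            return True
        if self.learning_limit and len(self.table) >= self.learning_limit:
            return False        # limit reached: additional devices cannot connect
        # With Sticky MAC the entry is held as static instead of ageing out
        self.table[mac] = "static" if self.sticky_mac else "dynamic"
        return True

    def save_sticky(self) -> int:
        """Like 'sticky-mac save all': persist the static entries, return the count."""
        self.saved = {m for m, s in self.table.items() if s == "static"}
        return len(self.saved)

    def delete_unsaved(self) -> int:
        """Like 'sticky-mac delete-unsaved all': drop static entries not yet saved."""
        unsaved = [m for m, s in self.table.items()
                   if s == "static" and m not in self.saved]
        for m in unsaved:
            del self.table[m]
        return len(unsaved)

    def reboot(self) -> None:
        """Dynamic entries are lost; only saved sticky entries are restored."""
        self.table = {m: "static" for m in self.saved}


def rejected_beyond_limit(port: Port, count: int) -> int:
    """Offer `count` constructed source MACs to the port (as a switching-table
    overflow would) and return how many the learning-limit rejected."""
    return sum(not port.learn(f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}")
               for i in range(count))
```

Run `rejected_beyond_limit(Port("port6", 3), 10)` to see that only the first three addresses are learned and the remaining seven are refused, which is the protection against switching-table overflow the text describes.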