5.1.1 Enable Compromised Host Quarantine

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

Default automation trigger configuration for when a high severity compromised host is detected.

Rationale:

By enabling this feature you protect your environment against compromised hosts. It is the default automation stitch that quarantines a high severity compromised host on FortiAPs, FortiSwitches, and FortiClient EMS.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

GUI

Security Fabric > Automation

Edit and change Disabled to Enabled

CLI

config system automation-action
    edit 'Quarantine on FortiSwitch + FortiAP'
        set description 'Default automation action configuration for quarantining a MAC address on FortiSwitches and FortiAPs.'
        set action-type quarantine
    next
    edit 'Quarantine FortiClient EMS Endpoint'
        set description 'Default automation action configuration for quarantining a FortiClient EMS endpoint device.'
        set action-type quarantine-forticlient
    next
end
config system automation-trigger
    edit 'Compromised Host - High'
        set description 'Default automation trigger configuration for when a high severity compromised host is detected.'
    next
end
config system automation-stitch
    edit 'Compromised Host Quarantine'
        set description 'Default automation stitch to quarantine a high severity compromised host on FortiAPs, FortiSwitches, and FortiClient EMS.'
        set status enable
        set trigger 'Compromised Host - High'
        config actions
            edit 1
                set action 'Quarantine on FortiSwitch + FortiAP'
            next
            edit 2
                set action 'Quarantine FortiClient EMS Endpoint'
            next
        end
    next
end
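
Because the scanner does not perform this check, the stitch state has to be verified by hand. The following is an added example, not part of the benchmark or of any Fortinet or Tenable tooling: it reads a FortiOS configuration saved as text and reports the status of the stitch named in the CLI block above. The function name, the return labels and the sample text are assumptions made for illustration.

```python
import shlex

STITCH = "Compromised Host Quarantine"   # stitch name as it appears on this page
TARGET = [("config", "system automation-stitch"), ("edit", STITCH)]

def stitch_status(config_text, target=TARGET):
    """Return 'enabled', 'disabled', 'unknown' (stitch present, no status
    line) or 'missing' (stitch absent) for a saved FortiOS configuration."""
    path, found, status = [], False, None
    for raw in config_text.splitlines():
        try:
            tok = shlex.split(raw)          # handles '...' and "..." quoting
        except ValueError:                  # unbalanced quote (multi-line value)
            continue
        if not tok:
            continue
        if tok[0] == "config":
            path.append(("config", " ".join(tok[1:])))
        elif tok[0] == "edit" and len(tok) > 1:
            path.append(("edit", tok[1]))
            found = found or path == target
        elif tok[0] in ("next", "end") and path:
            path.pop()                      # closes the innermost edit/config
        elif tok[:2] == ["set", "status"] and len(tok) > 2 and path == target:
            status = tok[2]                 # only the stitch's own status line
    if not found:
        return "missing"
    if status is None:
        return "unknown"                    # no status line: do not guess a default
    return "enabled" if status == "enable" else "disabled"

# Constructed sample input, modelled on the CLI block above (not a real export).
SAMPLE = """\
config system automation-stitch
    edit 'Some Other Stitch'
        set status enable
    next
    edit 'Compromised Host Quarantine'
        set status disable
        set trigger 'Compromised Host - High'
        config actions
            edit 1
                set action 'Quarantine on FortiSwitch + FortiAP'
            next
        end
    next
end
"""

if __name__ == "__main__":
    print(stitch_status(SAMPLE))
```

A result of "unknown" means the saved text carried no status line for the stitch, so the export should be repeated with all settings included before the item is marked compliant.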

Default Value:

Not enabled

See Also

https://workbench.cisecurity.org/files/4077

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|CM-6, 800-53|SI-3(7)

Plugin: FortiGate

Control ID: cc9b1e4e519b1fdce3028f942bef0891a539701bf86d005cbfe56fb966d11577