Default automation trigger configuration for when a high severity compromised host is detected.

Rationale: By enabling this feature you protect your environment against compromised hosts. Default automation stitch to quarantine a high severity compromised host on FortiAPs, FortiSwitches, and FortiClient EMS.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
GUI

Security Fabric > Automation
Edit and change Disabled to Enabled

CLI

config system automation-action
    edit 'Quarantine on FortiSwitch + FortiAP'
        set description 'Default automation action configuration for quarantining a MAC address on FortiSwitches and FortiAPs.'
        set action-type quarantine
    next
    edit 'Quarantine FortiClient EMS Endpoint'
        set description 'Default automation action configuration for quarantining a FortiClient EMS endpoint device.'
        set action-type quarantine-forticlient
    next
end
config system automation-trigger
    edit 'Compromised Host - High'
        set description 'Default automation trigger configuration for when a high severity compromised host is detected.'
    next
end
config system automation-stitch
    edit 'Compromised Host Quarantine'
        set description 'Default automation stitch to quarantine a high severity compromised host on FortiAPs, FortiSwitches, and FortiClient EMS.'
        set status disable
        set trigger 'Compromised Host - High'
        config actions
            edit 1
                set action 'Quarantine on FortiSwitch + FortiAP'
            next
            edit 2
                set action 'Quarantine FortiClient EMS Endpoint'
            next
        end
    next
end

Default Value: Not enabled
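Because Nessus does not perform this check, the stitch state has to be confirmed by hand. The following is an added example, not part of the benchmark or of the Nessus plugin, that parses saved FortiOS CLI text and reports whether the 'Compromised Host Quarantine' stitch is enabled with the trigger and actions listed above. It assumes the saved output states `set status` explicitly (for example, output taken with `show full-configuration`); the function names and the sample text are constructed for illustration.

```python
import shlex
# Names exactly as shown in the CLI listing on this page.
STITCH = "Compromised Host Quarantine"
TRIGGER = "Compromised Host - High"
ACTIONS = {"Quarantine on FortiSwitch + FortiAP", "Quarantine FortiClient EMS Endpoint"}
STITCH_PATH = [("config", "system automation-stitch"), ("edit", STITCH)]

def stitch_settings(config_text):
    """Walk the config/edit nesting; return the stitch's settings, or None if absent."""
    path, found = [], None
    for line in config_text.splitlines():
        tok = shlex.split(line) or [""]  # handles '...' and "..." quoting; blank -> no-op
        if tok[0] in ("config", "edit"):
            path.append((tok[0], " ".join(tok[1:])))
            if path == STITCH_PATH:
                found = {"status": None, "trigger": None, "actions": []}
        elif tok[0] in ("next", "end") and path:
            path.pop()
        elif tok[0] == "set" and len(tok) >= 3 and path[:2] == STITCH_PATH:
            if len(path) == 2 and tok[1] in ("status", "trigger"):
                found[tok[1]] = tok[2]
            elif len(path) == 4 and path[2] == ("config", "actions") and tok[1] == "action":
                found["actions"].append(tok[2])
    return found

def is_compliant(config_text):
    # Pass only when status is explicitly "enable" and trigger/actions match the page.
    s = stitch_settings(config_text)
    return (s is not None and s["status"] == "enable"
            and s["trigger"] == TRIGGER and ACTIONS <= set(s["actions"]))

# Constructed sample input (not captured from a device): the stitch after remediation.
SAMPLE = """\
config system automation-stitch
    edit "Compromised Host Quarantine"
        set status enable
        set trigger "Compromised Host - High"
        config actions
            edit 1
                set action "Quarantine on FortiSwitch + FortiAP"
            next
            edit 2
                set action "Quarantine FortiClient EMS Endpoint"
            next
        end
    next
end"""
if __name__ == "__main__":
    print(stitch_settings(SAMPLE), "PASS" if is_compliant(SAMPLE) else "FAIL")
```

A missing stitch or an absent `set status` line is reported as non-compliant rather than assumed enabled, so the result fails closed when the input is incomplete.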