Starting in 5.4.1 you could “Quarantine” an IP address. This means that the quarantined host cannot communicate through the firewall.
There are many different parts of the firewall the quarantine an IP address. For example the AV and IPS can both automatically quarantine an IP if it meets a defined violation.
In 6.0 you can view the IPs that have been quarantined by going to Monitor- Quarantine. From here you can see what IPs are blocked, and for what reason. As you can see in the image below 220.127.116.11 has been blocked for 26 days by an admin. If an admin blocks an IP address (as we will see) it shows up with “Administrative” as the source.The other IPs have been blocked by the IPS engine. The below image shows the monitor section.
So, lets say that you look into Fortiview and see that a remote IP is sending/receiving a ton of bandwidth and you want make sure that stops. in this example lets quarantine the IP 18.104.22.168.
In this example we can act like I was looking through Fortiview and found an issue that makes me want to block the above IP. You can just click on the IP you would like to block, right click and then select to “quarantine”. When you do this, it will pop up and ask for the length of time you would like to block them for.
The above shows that it will ban the IP from communication for the given period of time.
So, lets say we want to remove an IP address that has been quarantined – No problem, just need to go to Monitor-Quarantine and click on the IP and delete that individual or click to delete all entries.
You can modify how long and for what reason the IPS/AV quarantine an address for within the policy. For example, below shows modifying the reason/time of quarantine. The AV settings are within the CLI of the AV policy under “nac-quar”. Something to note, sources are not quarantined by default.
This entry details the config for setting up and deploying VRFs on a Ruckus ICX 7250. Recently I had an issue where a client had a new ISP and that ISP gave them the Customer WAN /30 subnet, then routed their Customer LAN subnet (Public usable addresses) to their side of the /30. The customer did not want any extra equipment installed like a router to handle the WAN routing, so the next best thing was to split the Ruckus 7250 switch into a WAN/LAN router – One switch to rule them all! The VRF feature is in Ruckus’s Layer 3 Premium feature set so a license will be needed. In this scenario the 7250 is the local gateway for all Vlans – so local LAN routing, and the Internet router.
Of course there are a lot of problems with the following design, like single point of failure, but its a small site, with 1 48 port switch, Fortigate firewall and cloud Voip SD-WAN router. The purpose of this design is to allow the Voip SD-WAN solution to be outside the firewall, so using the 7250 for both LAN/WAN routing really and it worked well. If the ISP would have not required a customer routing device we would have just setup a Internet-Vlan, set Fortigate/INSpeed to public IPs, and placed them in that vlan. But, the ISP is requiring a routing device in this instance.
Here is the design.
I think the ICX series supported VRFs when it was running Brocade firmware, but I would recommend upgrading to Ruckus’s ICX firmware – Version number SPR08080 or greater. Of course the device has to be running the Routing firmware not the switching code. The VRF feature is in Ruckus’s Layer 3 Premium feature set so a license will be needed.
First lets enable the VRF, and increase the amount of routes.
These commands will enable the VRF functionality and it will need you to reboot.
Next we can start configuring our VRF. In this case my /30 will be 22.214.171.124/29 – so .1 will be the ISP, .2 will be us. I will setup the routes for the VRF, and then the Vlan interface and apply the /30. There is a keyword in the VE config to make sure its associated to a given VRF. Within the VRF config you need to specifcy the Route Identifier – only matters locally.
vrf INTERNET-VRF rd 11:11 ip router-id 126.96.36.199 address-family ipv4 ip route 0.0.0.0/0 188.8.131.52 exit-address-family exit-vrf
vlan 300 name INTERNET-VRF by port — My WAN Vlan for Fortigate WAN and SD-WAN router WAN interface. The Customer LAN Subnet goes here. untagged ethe 1/1/19 ethe 2/1/23 router-interface ve 300 spanning-tree 802-1w spanning-tree 802-1w priority 4094 ! vlan 400 name ISP-VRF by port — /30 ISP network untagged ethe 1/1/24 router-interface ve 400 !
interface ve 400 vrf forwarding ISP-VRF – This is the command to associate the VE to the VRF ip address 184.108.40.206/30
interface ve 300 vrf forwarding INTERNET-VRF – This is the command to associate the VE to the VRF ip address 220.127.116.11/29
Here is a subset of my user config – Vlan 40 – this is where most of the desktops go, and the gateway in this case 10.6.40.1/24 lives on the switch, on the default VRF.
vlan 40 name Computers by port untagged ethe 1/1/1 to 1/1/18 ethe 1/1/21 ethe 2/1/1 to 2/1/18 ethe 2/1/22 router-interface ve 40 spanning-tree 802-1w spanning-tree 802-1w priority 4094 ! ! show run int ve 40 interface ve 40 ip address 10.6.40.1 255.255.252.0
ip helper-address 1 10.6.10.10
Thats it! A show IP route of the default VRF (Switching VRF) shows:
#show ip route Total number of IP routes: 9 Type Codes – B:BGP D:Connected O:OSPF R:RIP S:Static; Cost – Dist/Metric BGP Codes – i:iBGP e:eBGP OSPF Codes – i:Inter Area 1:External Type 1 2:External Type 2 Destination Gateway Port Cost Type Upti me 1 0.0.0.0/0 10.6.254.2 ve 254 1/1 S 1d17 h — This is the Fortigate 2 10.6.0.0/22 DIRECT ve 1 0/0 D 1d17 h 3 10.6.10.0/24 DIRECT ve 10 0/0 D 21h4 m 4 10.6.40.0/22 DIRECT ve 40 0/0 D 1d17 h 5 10.6.100.0/24 DIRECT ve 100 0/0 D 1d18 h 6 10.6.254.0/24 DIRECT ve 254 0/0 D 1d17 h 7 172.16.6.0/29 DIRECT ve 650 0/0 D 1m5s 8 192.168.6.0/24 DIRECT ve 1 0/0 D 1d17 h 9 192.168.100.0/24 172.16.6.1 ve 650 1/1 S 1m4s
But, if we specifcally show the Internet-VRF routes:
#show ip route vrf INTERNET-VRF Total number of IP routes: 3 Type Codes – B:BGP D:Connected O:OSPF R:RIP S:Static; Cost – Dist/Metric BGP Codes – i:iBGP e:eBGP OSPF Codes – i:Inter Area 1:External Type 1 2:External Type 2 Destination Gateway Port Cost Type Uptime 1 0.0.0.0/0 18.104.22.168 ve 400 1/1 S 21h4m 2 22.214.171.124/30 DIRECT ve 300 0/0 D 20h57m 3 126.96.36.199/29 DIRECT ve 400 0/0 D 21h5m
And there we have it, the devices is now in two VRFs, a default and INTERNET-VRF with specific interfaces assigned to it. If you want to test pinging from that VRF specifically you can use the following commands:
#ping vrf INTERNET-VRF 188.8.131.52 Sending 1, 16-byte ICMP Echo to 184.108.40.206, timeout 5000 msec, TTL 64 Type Control-c to abort Reply from 220.127.116.11 : bytes=16 time=1ms TTL=122 Success rate is 100 percent (1/1), round-trip min/avg/max=1/1/1 ms.