Fortinet Document Library

CLI Reference

config security ips profile

The FortiADC Intrusion Prevention System (IPS) combines signature-based detection and prevention with low latency and high reliability. With intrusion protection you can create multiple IPS profiles, each containing a complete signature-based configuration, and then apply any IPS profile to any L4 virtual server (VS).

Intrusion Prevention System (IPS) technology protects your network from cybercriminal attacks by actively seeking and blocking external threats before they can reach potentially vulnerable network devices.

Use this command to configure an IPS profile.

Syntax

config security ips profile
    edit <profile>
        set comment {comment}
        config entries
            edit {id}
                set rule {id1 id2 ...}
                set status {disable | enable | default}
                set log {disable | enable | default}
                set action {pass | block | default}
                set location {loc1 loc2 ...}
                set severity {sev1 sev2 ...}
                set protocol {proto1 proto2 ...}
                set application {app1 app2 ...}
                set os {os1 os2 ...}
                set rate-count {count}
                set rate-duration {duration}
                set rate-mode {periodical | continuous}
                set rate-track {field}
            next
        end
    next
end

config load-balance virtual-server
    edit <name>
        set type l4-load-balance
        set ips-profile {name}
    next
end

rule

Use rule IDs to identify the predefined IPS signatures to add to the profile entry.

status

Specify the status of the signatures included in the filter. Default is default.

  • default enables the filter, but only signatures whose own default status is enable are used; signatures whose default status is disable are not used.
  • enable
  • disable

log

Specify the logging status of the signatures included in the filter. Default is default.

  • default enables logging only for signatures whose default logging status is enable; signatures whose default logging status is disable are not logged.
  • enable
  • disable

action

Specify the action taken on traffic in which signatures are detected. Default is default.

  • block drops the session carrying the offending traffic.
  • pass allows the traffic.
  • default passes or drops matching traffic according to the default action of each signature.

location

Specify the type of system to be protected. Default is all.

  • all
  • client
  • server

severity

Relative importance of the signature, from info to critical. Default is all.

  • all
  • info
  • low
  • medium
  • high
  • critical

protocol

Specify the protocols to be examined.

  • ? lists the available protocols.
  • all includes all protocols.
  • other includes all unlisted protocols.

application

Specify the applications to be protected.

  • ? lists the available applications.
  • all includes all applications.
  • other includes all unlisted applications.

os

Specify the operating systems to be protected. Default is all.

  • all includes all operating systems.
  • other includes all unlisted operating systems.

rate-count

Packet count threshold of the rate limit. Range: 0-65535.

rate-duration

Duration of the rate-limit window, in seconds. Range: 1-65535.

rate-mode

Rate limit mode.

  • periodical allows the configured number of packets every rate-duration.
  • continuous blocks packets once the rate is reached.

rate-track

Packet header field used to track the rate.

  • none: no tracking.
  • src-ip: source IP.
  • dest-ip: destination IP.

Example

ADC-6 (profile) # show full
config security ips profile
    edit "default"
        set comments "Prevent critical attacks."
        config entries
            edit 1
                unset rule
                set log enable
                set status default
                set action default
                set location ALL
                set severity medium high critical
                set protocol ALL
                set os ALL
                set application ALL
            next
        end
    next
end
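The following is an added example, not taken from the Fortinet documentation, showing a profile that uses the rate-limit parameters and is attached to an L4 virtual server. The profile name ips-web, the virtual server name vs-web and all numeric values are hypothetical. Entry 1 selects server-side signatures of high or critical severity by filter attributes only (no explicit rule list, as in the show full output above), blocks and logs them. Entry 2 keeps the signatures' own default actions for medium severity but rate-limits matches per source IP, allowing 20 matching packets per 10-second window. Lines beginning with # are annotations; strip them if your CLI does not ignore them. Virtual-server keys other than type and ips-profile are omitted because this page does not document them.

```text
# Added example (not from the Fortinet docs); names and values are hypothetical.
config security ips profile
    edit "ips-web"
        config entries
            edit 1
                # Filter-based entry: no rule IDs, signatures selected by attributes.
                unset rule
                set status default
                set log enable
                set action block
                set location server
                set severity high critical
                set protocol all
                set application all
                set os all
            next
            edit 2
                unset rule
                set status default
                set log enable
                set action default
                set location server
                set severity medium
                set protocol all
                set application all
                set os all
                # Rate limit: at most 20 matching packets per 10 s, tracked per source IP.
                set rate-count 20
                set rate-duration 10
                set rate-mode periodical
                set rate-track src-ip
            next
        end
    next
end

config load-balance virtual-server
    edit "vs-web"
        set type l4-load-balance
        set ips-profile "ips-web"
    next
end
```

With status default in both entries, only signatures whose own default status is enable take part, so a signature that Fortinet ships disabled stays inactive until you set status enable explicitly. Choose rate-mode continuous instead of periodical when you want matches from a source to stay blocked once the rate is reached rather than being allowed again in each new rate-duration window.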
