ips sensor
The IPS sensors use signatures to detect attacks. IPS sensors are made up of filters and override rules. Each filter specifies a number of signature attributes and all signatures matching all the specified attributes are included in the filter.
Command | Description
---|---
set extended-log {enable \| disable} | When extended UTM log is enabled, more HTTP header information will be logged when a UTM event happens. Note that the following HTTP header fields are included in extended-log: http method, client content type, server content type, user agent, referer, and x-forward-for.
```
config ips sensor
    edit {name}
    # Configure IPS sensor.
        set name {string}                         Sensor name. size[35]
        set comment {string}                      Comment. size[255]
        set replacemsg-group {string}             Replacement message group. size[35] - datasource(s): system.replacemsg-group.name
        set block-malicious-url {disable | enable} Enable/disable malicious URL blocking.
        set extended-log {enable | disable}       Enable/disable extended logging.
        config entries
            edit {id}
            # IPS sensor filter.
                set id {integer}                  Rule ID in IPS database (0 - 4294967295). range[0-4294967295]
                config rule
                    edit {id}
                    # Identifies the predefined or custom IPS signatures to add to the sensor.
                        set id {integer}          Rule IPS. range[0-4294967295]
                    next
                set location {string}             Protect client or server traffic.
                set severity {string}             Relative severity of the signature, from info to critical. Log messages generated by the signature include the severity.
                set protocol {string}             Protocols to be examined. set protocol ? lists available protocols. all includes all protocols. other includes all unlisted protocols.
                set os {string}                   Operating systems to be protected. all includes all operating systems. other includes all unlisted operating systems.
                set application {string}          Applications to be protected. set application ? lists available applications. all includes all applications. other includes all unlisted applications.
                set status {disable | enable | default} Status of the signatures included in filter. default enables the filter and only uses filters with default status of enable. Filters with default status of disable will not be used.
                set log {disable | enable}        Enable/disable logging of signatures included in filter.
                set log-packet {disable | enable} Enable/disable packet logging. Enable to save the packet that triggers the filter. You can download the packets in pcap format for diagnostic use.
                set log-attack-context {disable | enable} Enable/disable logging of attack context: URL buffer, header buffer, body buffer, packet buffer.
                set action {pass | block | reset | default} Action taken with traffic in which signatures are detected.
                        pass      Pass or allow matching traffic.
                        block     Block or drop matching traffic.
                        reset     Reset sessions for matching traffic.
                        default   Pass or drop matching traffic, depending on the default action of the signature.
                set rate-count {integer}          Count of the rate. range[0-65535]
                set rate-duration {integer}       Duration (sec) of the rate. range[1-65535]
                set rate-mode {periodical | continuous} Rate limit mode.
                        periodical  Allow configured number of packets every rate-duration.
                        continuous  Block packets once the rate is reached.
                set rate-track {option}           Track the packet protocol field.
                        none             none
                        src-ip           Source IP.
                        dest-ip          Destination IP.
                        dhcp-client-mac  DHCP client.
                        dns-domain       DNS domain.
                config exempt-ip
                    edit {id}
                    # Traffic from selected source or destination IP addresses is exempt from this signature.
                        set id {integer}          Exempt IP ID. range[0-4294967295]
                        set src-ip {ipv4 classnet} Source IP address and netmask.
                        set dst-ip {ipv4 classnet} Destination IP address and netmask.
                    next
                set quarantine {none | attacker}  Quarantine method.
                        none      Quarantine is disabled.
                        attacker  Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
                set quarantine-expiry {string}    Duration of quarantine. (Format ###d##h##m, minimum 1m, maximum 364d23h59m, default = 5m). Requires quarantine set to attacker.
                set quarantine-log {disable | enable} Enable/disable quarantine logging.
            next
        config filter
            edit {name}
            # IPS sensor filter.
                set name {string}                 Filter name. size[31]
                set location {string}             Vulnerability location filter.
                set severity {string}             Vulnerability severity filter.
                set protocol {string}             Vulnerable protocol filter.
                set os {string}                   Vulnerable OS filter.
                set application {string}          Vulnerable application filter.
                set status {disable | enable | default} Selected rules status.
                set log {disable | enable}        Enable/disable logging of selected rules.
                set log-packet {disable | enable} Enable/disable packet logging of selected rules.
                set action {pass | block | reset | default} Action of selected rules.
                        pass      Pass or allow matching traffic.
                        block     Block or drop matching traffic.
                        reset     Reset sessions for matching traffic.
                        default   Pass or drop matching traffic, depending on the default action of the signature.
                set quarantine {none | attacker}  Quarantine IP or interface.
                        none      Quarantine is disabled.
                        attacker  Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
                set quarantine-expiry {integer}   Duration of quarantine in minutes. range[1-2147483647]
                set quarantine-log {disable | enable} Enable/disable logging of selected quarantine.
            next
        config override
            edit {rule-id}
            # IPS override rule.
                set rule-id {integer}             Override rule ID. range[0-4294967295]
                set status {disable | enable}     Enable/disable status of override rule.
                set log {disable | enable}        Enable/disable logging.
                set log-packet {disable | enable} Enable/disable packet logging.
                set action {pass | block | reset} Action of override rule.
                        pass      Pass or allow matching traffic.
                        block     Block or drop matching traffic.
                        reset     Reset sessions for matching traffic.
                set quarantine {none | attacker}  Quarantine IP or interface.
                        none      Quarantine is disabled.
                        attacker  Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
                set quarantine-expiry {integer}   Duration of quarantine in minutes. range[1-2147483647]
                set quarantine-log {disable | enable} Enable/disable logging of selected quarantine.
                config exempt-ip
                    edit {id}
                    # Exempted IP.
                        set id {integer}          Exempt IP ID. range[0-4294967295]
                        set src-ip {ipv4 classnet} Source IP address and netmask.
                        set dst-ip {ipv4 classnet} Destination IP address and netmask.
                    next
            next
        next
    end
```
Additional information
The following section is for those options that require additional explanation.
block-malicious-url {enable | disable}
Enable or disable (by default) blocking of malicious URLs.
replacemsg-group <replacemsg_str>
Specify the replacement message group.
config entries
rule <rule1_int> [<rule2_int> <rule3_int> ...]
Use rule ID to identify the predefined or custom IPS signatures to add to sensor.
location {all | client | server}
Specify the type of system to be protected. Default is all.
severity {all | info | low | medium | high | critical}
Relative importance of signature, from info to critical. Default is all.
protocol <prot1_str> [<prot2_str> <prot3_str> ...]
Specify protocols to be examined.
- ? lists available protocols.
- all includes all protocols.
- other includes all unlisted protocols.
os {all | other | windows | linux | bsd | solaris | macos}
Specify operating systems to be protected. Default is all.
- all includes all operating systems.
- other includes all unlisted operating systems.
application <app1_str> [<app2_str> <app3_str> ...]
Specify applications to be protected.
- ? lists available applications.
- all includes all applications.
- other includes all unlisted applications.
tags <tag_str>
Assign a custom tag filter to the IPS sensor. The tag must first be configured by using config system object-tagging. To see what tags are available for use, use the command set tags ?. Separate multiple values with a space.
status {default | enable | disable}
Specify the status of the signatures included in the filter. Default is default.
- default enables the filter and only uses filters with a default status of enable. Filters with a default status of disable will not be used.
log {default | enable | disable}
Specify the logging status of the signatures included in the filter. Default is default.
- default enables logging only for the filters with a default logging status of enable. Filters with a default logging status of disable will not be logged.
log-packet {enable | disable}
Enable/disable packet logging. Default is disable.
- enable saves the packet that triggers the filter. You can download the packets in pcap format for diagnostic use.
log-attack-context {default | enable | disable}
Enable/disable logging of attack context: URL buffer, header buffer, body buffer, packet buffer. Default is disable.
action {block | default | pass | reject}
Specify what action is taken with traffic in which signatures are detected. Default is default.
- block drops the session with the offending traffic.
- pass allows the traffic.
- reject resets the session.
- default either passes or drops matching traffic, depending on the default action of each signature.
quarantine {attacker | none}
Specify how the FortiGate will quarantine attackers. Default is none.
- attacker blocks all traffic sent from the attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
- none disables the adding of addresses to the quarantine.
config exempt-ip
This subcommand is available after rule has been set.
edit <exempt-ip_id>
Enter the ID number of an exempt-ip entry. For a list of the exempt-ip entries in the IPS sensor, enter ? instead of an ID. Enter a new ID to create a new exempt-ip.
dst-ip <ip4mask>
Enter the destination IP address and netmask to exempt.
src-ip <ip4mask>
Enter the source IP address and netmask to exempt.