config ips global
Description: Configure IPS global parameter.
set fail-open [enable|disable]
set database [regular|extended]
set traffic-submit [enable|disable]
set anomaly-mode [periodical|continuous]
set session-limit-mode [accurate|heuristic]
set intelligent-mode [enable|disable]
set socket-size {integer}
set engine-count {integer}
set sync-session-ttl [enable|disable]
set np-accel-mode [none|basic]
set ips-reserve-cpu [disable|enable]
set cp-accel-mode [none|basic|...]
set deep-app-insp-timeout {integer}
set deep-app-insp-db-limit {integer}
set exclude-signatures [none|industrial]
set packet-log-queue-depth {integer}
end
Parameter Name | Description | Type | Size |
---|---|---|---|
fail-open | Enable to allow traffic if the IPS process crashes. Default is disable and IPS traffic is blocked when the IPS process crashes. enable: Enable IPS fail open. disable: Disable IPS fail open. |
option | - |
database | Regular or extended IPS database. Regular protects against the latest common and in-the-wild attacks. Extended includes protection from legacy attacks. regular: IPS regular database package. extended: IPS extended database package. |
option | - |
traffic-submit | Enable/disable submitting attack data found by this FortiGate to FortiGuard. enable: Enable traffic submit. disable: Disable traffic submit. |
option | - |
anomaly-mode | Global blocking mode for rate-based anomalies. periodical: After an anomaly is detected, allow the number of packets per second according to the anomaly configuration. continuous: Block packets once an anomaly is detected. Overrides individual anomaly settings. |
option | - |
session-limit-mode | Method of counting concurrent sessions used by session limit anomalies. Choose between greater accuracy (accurate) or improved performance (heuristics). accurate: Accurately count concurrent sessions, demands more resources. heuristic: Use heuristics to estimate the number of concurrent sessions. Acceptable in most cases. |
option | - |
intelligent-mode | Enable/disable IPS adaptive scanning (intelligent mode). Intelligent mode optimizes the scanning method for the type of traffic. enable: Enable intelligent scan mode. disable: Disable intelligent scan mode. |
option | - |
socket-size | IPS socket buffer size. Max and default value depend on available memory. Can be changed to tune performance. | integer | Minimum value: 0 Maximum value: 256 |
engine-count | Number of IPS engines running. If set to the default value of 0, FortiOS sets the number to optimize performance depending on the number of CPU cores. | integer | Minimum value: 0 Maximum value: 255 |
sync-session-ttl | Enable/disable use of kernel session TTL for IPS sessions. enable: Enable use of kernel session TTL for IPS sessions. disable: Disable use of kernel session TTL for IPS sessions. |
option | - |
np-accel-mode | Acceleration mode for IPS processing by NPx processors. none: NPx acceleration disabled. basic: NPx acceleration enabled. |
option | - |
ips-reserve-cpu | Enable/disable IPS daemon's use of CPUs other than CPU 0 disable: Disable IPS daemon's use of CPUs other than CPU 0 (all daemons run on all CPUs). enable: Enable IPS daemon's use of CPUs other than CPU 0. |
option | - |
cp-accel-mode | IPS Pattern matching acceleration/offloading to CPx processors. none: CPx acceleration/offloading disabled. basic: Offload basic pattern matching to CPx processors. advanced: Offload more types of pattern matching resulting in higher throughput than basic mode. Requires two CP8s or one CP9. |
option | - |
deep-app-insp-timeout | Timeout for Deep application inspection (1 - 2147483647 sec., 0 = use recommended setting). | integer | Minimum value: 0 Maximum value: 2147483647 |
deep-app-insp-db-limit | Limit on number of entries in deep application inspection database (1 - 2147483647, 0 = use recommended setting) | integer | Minimum value: 0 Maximum value: 2147483647 |
exclude-signatures | Excluded signatures. none: No signatures excluded. industrial: Exclude industrial signatures. |
option | - |
packet-log-queue-depth | Packet/pcap log queue depth per IPS engine. | integer | Minimum value: 128 Maximum value: 4096 |
config ips global
Description: Configure IPS global parameter.
set fail-open [enable|disable]
set database [regular|extended]
set traffic-submit [enable|disable]
set anomaly-mode [periodical|continuous]
set session-limit-mode [accurate|heuristic]
set intelligent-mode [enable|disable]
set socket-size {integer}
set engine-count {integer}
set sync-session-ttl [enable|disable]
set np-accel-mode [none|basic]
set ips-reserve-cpu [disable|enable]
set cp-accel-mode [none|basic|...]
set deep-app-insp-timeout {integer}
set deep-app-insp-db-limit {integer}
set exclude-signatures [none|industrial]
set packet-log-queue-depth {integer}
end
Parameter Name | Description | Type | Size |
---|---|---|---|
fail-open | Enable to allow traffic if the IPS process crashes. Default is disable and IPS traffic is blocked when the IPS process crashes. enable: Enable IPS fail open. disable: Disable IPS fail open. |
option | - |
database | Regular or extended IPS database. Regular protects against the latest common and in-the-wild attacks. Extended includes protection from legacy attacks. regular: IPS regular database package. extended: IPS extended database package. |
option | - |
traffic-submit | Enable/disable submitting attack data found by this FortiGate to FortiGuard. enable: Enable traffic submit. disable: Disable traffic submit. |
option | - |
anomaly-mode | Global blocking mode for rate-based anomalies. periodical: After an anomaly is detected, allow the number of packets per second according to the anomaly configuration. continuous: Block packets once an anomaly is detected. Overrides individual anomaly settings. |
option | - |
session-limit-mode | Method of counting concurrent sessions used by session limit anomalies. Choose between greater accuracy (accurate) or improved performance (heuristics). accurate: Accurately count concurrent sessions, demands more resources. heuristic: Use heuristics to estimate the number of concurrent sessions. Acceptable in most cases. |
option | - |
intelligent-mode | Enable/disable IPS adaptive scanning (intelligent mode). Intelligent mode optimizes the scanning method for the type of traffic. enable: Enable intelligent scan mode. disable: Disable intelligent scan mode. |
option | - |
socket-size | IPS socket buffer size. Max and default value depend on available memory. Can be changed to tune performance. | integer | Minimum value: 0 Maximum value: 256 |
engine-count | Number of IPS engines running. If set to the default value of 0, FortiOS sets the number to optimize performance depending on the number of CPU cores. | integer | Minimum value: 0 Maximum value: 255 |
sync-session-ttl | Enable/disable use of kernel session TTL for IPS sessions. enable: Enable use of kernel session TTL for IPS sessions. disable: Disable use of kernel session TTL for IPS sessions. |
option | - |
np-accel-mode | Acceleration mode for IPS processing by NPx processors. none: NPx acceleration disabled. basic: NPx acceleration enabled. |
option | - |
ips-reserve-cpu | Enable/disable IPS daemon's use of CPUs other than CPU 0 disable: Disable IPS daemon's use of CPUs other than CPU 0 (all daemons run on all CPUs). enable: Enable IPS daemon's use of CPUs other than CPU 0. |
option | - |
cp-accel-mode | IPS Pattern matching acceleration/offloading to CPx processors. none: CPx acceleration/offloading disabled. basic: Offload basic pattern matching to CPx processors. advanced: Offload more types of pattern matching resulting in higher throughput than basic mode. Requires two CP8s or one CP9. |
option | - |
deep-app-insp-timeout | Timeout for Deep application inspection (1 - 2147483647 sec., 0 = use recommended setting). | integer | Minimum value: 0 Maximum value: 2147483647 |
deep-app-insp-db-limit | Limit on number of entries in deep application inspection database (1 - 2147483647, 0 = use recommended setting) | integer | Minimum value: 0 Maximum value: 2147483647 |
exclude-signatures | Excluded signatures. none: No signatures excluded. industrial: Exclude industrial signatures. |
option | - |
packet-log-queue-depth | Packet/pcap log queue depth per IPS engine. | integer | Minimum value: 128 Maximum value: 4096 |