Fortinet white logo

CLI Reference

ips global

Configure IPS global parameter.

  config ips global
      Description: Configure IPS global parameter.
      set fail-open [enable|disable]
      set database [regular|extended]
      set traffic-submit [enable|disable]
      set anomaly-mode [periodical|continuous]
      set session-limit-mode [accurate|heuristic]
      set intelligent-mode [enable|disable]
      set socket-size {integer}
      set engine-count {integer}
      set sync-session-ttl [enable|disable]
      set np-accel-mode [none|basic]
      set ips-reserve-cpu [disable|enable]
      set cp-accel-mode [none|basic|...]
      set deep-app-insp-timeout {integer}
      set deep-app-insp-db-limit {integer}
      set exclude-signatures [none|industrial]
      set packet-log-queue-depth {integer}
  end

config ips global

fail-open  (type: option)
    Enable to allow traffic if the IPS process crashes. Default is disable, and IPS traffic is blocked when the IPS process crashes.
    enable: Enable IPS fail open.
    disable: Disable IPS fail open.

database  (type: option)
    Regular or extended IPS database. Regular protects against the latest common and in-the-wild attacks. Extended includes protection from legacy attacks.
    regular: IPS regular database package.
    extended: IPS extended database package.

traffic-submit  (type: option)
    Enable/disable submitting attack data found by this FortiGate to FortiGuard.
    enable: Enable traffic submit.
    disable: Disable traffic submit.

anomaly-mode  (type: option)
    Global blocking mode for rate-based anomalies.
    periodical: After an anomaly is detected, allow the number of packets per second according to the anomaly configuration.
    continuous: Block packets once an anomaly is detected. Overrides individual anomaly settings.

session-limit-mode  (type: option)
    Method of counting concurrent sessions used by session limit anomalies. Choose between greater accuracy (accurate) or improved performance (heuristic).
    accurate: Accurately count concurrent sessions; demands more resources.
    heuristic: Use heuristics to estimate the number of concurrent sessions. Acceptable in most cases.

intelligent-mode  (type: option)
    Enable/disable IPS adaptive scanning (intelligent mode). Intelligent mode optimizes the scanning method for the type of traffic.
    enable: Enable intelligent scan mode.
    disable: Disable intelligent scan mode.

socket-size  (type: integer; minimum value 0, maximum value 256)
    IPS socket buffer size. Maximum and default value depend on available memory. Can be changed to tune performance.

engine-count  (type: integer; minimum value 0, maximum value 255)
    Number of IPS engines running. If set to the default value of 0, FortiOS sets the number to optimize performance depending on the number of CPU cores.

sync-session-ttl  (type: option)
    Enable/disable use of kernel session TTL for IPS sessions.
    enable: Enable use of kernel session TTL for IPS sessions.
    disable: Disable use of kernel session TTL for IPS sessions.

np-accel-mode  (type: option)
    Acceleration mode for IPS processing by NPx processors.
    none: NPx acceleration disabled.
    basic: NPx acceleration enabled.

ips-reserve-cpu  (type: option)
    Enable/disable the IPS daemon's use of CPUs other than CPU 0.
    disable: Disable the IPS daemon's use of CPUs other than CPU 0 (all daemons run on all CPUs).
    enable: Enable the IPS daemon's use of CPUs other than CPU 0.

cp-accel-mode  (type: option)
    IPS pattern matching acceleration/offloading to CPx processors.
    none: CPx acceleration/offloading disabled.
    basic: Offload basic pattern matching to CPx processors.
    advanced: Offload more types of pattern matching, resulting in higher throughput than basic mode. Requires two CP8s or one CP9.

deep-app-insp-timeout  (type: integer; minimum value 0, maximum value 2147483647)
    Timeout for deep application inspection (1 - 2147483647 sec., 0 = use recommended setting).

deep-app-insp-db-limit  (type: integer; minimum value 0, maximum value 2147483647)
    Limit on the number of entries in the deep application inspection database (1 - 2147483647, 0 = use recommended setting).

exclude-signatures  (type: option)
    Excluded signatures.
    none: No signatures excluded.
    industrial: Exclude industrial signatures.

packet-log-queue-depth  (type: integer; minimum value 128, maximum value 4096)
    Packet/pcap log queue depth per IPS engine.
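The parameter table above gives every allowed option value and integer range, and its descriptions spell out the trade-offs that matter to a reviewer: fail-open passes traffic uninspected when the IPS process crashes, traffic-submit sends attack data off-box to FortiGuard, and exclude-signatures industrial removes a whole signature class. The following Python script is an added example, not part of the Fortinet reference or of FortiOS: it parses a `config ips global ... end` block in the `set <name> <value>` form shown in the syntax block above (the same form that `show full-configuration ips global` prints), validates each value against the table's option sets and ranges, and reports the settings a configuration review would question. The sample configuration text is constructed for this example; the option sets and ranges are copied from the table.

```python
"""Validate and audit a FortiOS `config ips global` block.

Added example; it is not Fortinet's code. It assumes the block looks like
the syntax shown in this reference: `config ips global`, indented
`set <name> <value>` lines, then `end`.
"""
import re

# Constructed sample of the kind of text `show full-configuration ips global`
# prints. Values are chosen so the audit below produces several findings.
SAMPLE_CONFIG = """\
config ips global
    set fail-open enable
    set database regular
    set traffic-submit enable
    set anomaly-mode periodical
    set session-limit-mode heuristic
    set intelligent-mode enable
    set socket-size 0
    set engine-count 0
    set sync-session-ttl enable
    set np-accel-mode basic
    set ips-reserve-cpu disable
    set cp-accel-mode basic
    set deep-app-insp-timeout 0
    set deep-app-insp-db-limit 0
    set exclude-signatures industrial
    set packet-log-queue-depth 128
end
"""

# Allowed option values, taken from the parameter table in this reference.
OPTIONS = {
    "fail-open": {"enable", "disable"},
    "database": {"regular", "extended"},
    "traffic-submit": {"enable", "disable"},
    "anomaly-mode": {"periodical", "continuous"},
    "session-limit-mode": {"accurate", "heuristic"},
    "intelligent-mode": {"enable", "disable"},
    "sync-session-ttl": {"enable", "disable"},
    "np-accel-mode": {"none", "basic"},
    "ips-reserve-cpu": {"enable", "disable"},
    "cp-accel-mode": {"none", "basic", "advanced"},
    "exclude-signatures": {"none", "industrial"},
}
# Integer ranges (minimum, maximum), also from the table.
RANGES = {
    "socket-size": (0, 256),
    "engine-count": (0, 255),
    "deep-app-insp-timeout": (0, 2147483647),
    "deep-app-insp-db-limit": (0, 2147483647),
    "packet-log-queue-depth": (128, 4096),
}

SET_LINE = re.compile(r"^\s*set\s+(\S+)\s+(.+?)\s*$")


def parse_ips_global(text: str) -> dict[str, str]:
    """Return the `set` parameters found inside the first `config ips global` block."""
    params: dict[str, str] = {}
    inside = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "config ips global":
            inside = True
            continue
        if not inside:
            continue
        if stripped == "end":
            break
        m = SET_LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2).strip('"')
    return params


def validate(params: dict[str, str]) -> list[str]:
    """Report values outside the reference's option sets or integer ranges."""
    errors = []
    for name, value in params.items():
        if name in OPTIONS and value not in OPTIONS[name]:
            errors.append(f"{name}: '{value}' not in {sorted(OPTIONS[name])}")
        elif name in RANGES:
            lo, hi = RANGES[name]
            if not value.isdigit() or not lo <= int(value) <= hi:
                errors.append(f"{name}: '{value}' outside {lo}-{hi}")
    return errors


def audit(params: dict[str, str]) -> list[str]:
    """Settings a configuration review would question, with the reason from the table."""
    findings = []
    # The table states the default is disable, so an absent key means disabled.
    if params.get("fail-open", "disable") == "enable":
        findings.append("fail-open enable: traffic passes uninspected if the IPS process crashes")
    if params.get("traffic-submit") == "enable":
        findings.append("traffic-submit enable: attack data is sent to FortiGuard; confirm this is approved")
    if params.get("exclude-signatures") == "industrial":
        findings.append("exclude-signatures industrial: industrial signatures are not applied")
    if params.get("database") == "regular":
        findings.append("database regular: legacy-attack coverage of the extended package is not loaded")
    return findings


if __name__ == "__main__":
    parsed = parse_ips_global(SAMPLE_CONFIG)
    for err in validate(parsed):
        print("INVALID ", err)
    for finding in audit(parsed):
        print("REVIEW  ", finding)
```

Run it against the output of `show full-configuration ips global` saved to a file; `validate` catches values the reference does not allow (a typo in a scripted change, or a setting from a different release), while `audit` lists the choices that trade inspection coverage or data handling for availability or performance and that should be a deliberate, documented decision.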
