config ips global
Configure IPS global parameter.
config ips global Description: Configure IPS global parameter. set anomaly-mode [periodical|continuous] set av-mem-limit {integer} set cp-accel-mode [none|basic|...] set database [regular|extended] set deep-app-insp-db-limit {integer} set deep-app-insp-timeout {integer} set engine-count {integer} set exclude-signatures [none|ot] set fail-open [enable|disable] set ips-reserve-cpu [disable|enable] set ngfw-max-scan-range {integer} set np-accel-mode [none|basic] set packet-log-queue-depth {integer} set session-limit-mode [accurate|heuristic] set socket-size {integer} set sync-session-ttl [enable|disable] config tls-active-probe Description: TLS active probe configuration. set interface-select-method [auto|sdwan|...] set interface {string} set vdom {string} set source-ip {ipv4-address} set source-ip6 {ipv6-address} end set traffic-submit [enable|disable] end
config ips global
Parameter |
Description |
Type |
Size |
Default |
||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
anomaly-mode |
Global blocking mode for rate-based anomalies. |
option |
- |
continuous |
||||||||
|
|
|||||||||||
av-mem-limit |
Maximum percentage of system memory allowed for use on AV scanning. To disable set to zero. When disabled, there is no limit on the AV memory usage. |
integer |
Minimum value: 10 Maximum value: 50 |
0 |
||||||||
cp-accel-mode * |
IPS Pattern matching acceleration/offloading to CPx processors. |
option |
- |
advanced |
||||||||
|
|
|||||||||||
database |
Regular or extended IPS database. Regular protects against the latest common and in-the-wild attacks. Extended includes protection from legacy attacks. |
option |
- |
extended ** |
||||||||
|
|
|||||||||||
deep-app-insp-db-limit |
Limit on number of entries in deep application inspection database. |
integer |
Minimum value: 0 Maximum value: 2147483647 |
0 |
||||||||
deep-app-insp-timeout |
Timeout for Deep application inspection. |
integer |
Minimum value: 0 Maximum value: 2147483647 |
0 |
||||||||
engine-count |
Number of IPS engines running. If set to the default value of 0, FortiOS sets the number to optimize performance depending on the number of CPU cores. |
integer |
Minimum value: 0 Maximum value: 255 |
0 |
||||||||
exclude-signatures |
Excluded signatures. |
option |
- |
ot |
||||||||
|
|
|||||||||||
fail-open |
Enable to allow traffic if the IPS buffer is full. Default is disable and IPS traffic is blocked when the IPS buffer is full. |
option |
- |
disable |
||||||||
|
|
|||||||||||
ips-reserve-cpu * |
Enable/disable IPS daemon's use of CPUs other than CPU 0. |
option |
- |
disable |
||||||||
|
|
|||||||||||
ngfw-max-scan-range |
NGFW policy-mode app detection threshold. |
integer |
Minimum value: 0 Maximum value: 4294967295 |
4096 |
||||||||
np-accel-mode * |
Acceleration mode for IPS processing by NPx processors. |
option |
- |
basic |
||||||||
|
|
|||||||||||
packet-log-queue-depth |
Packet/pcap log queue depth per IPS engine. |
integer |
Minimum value: 128 Maximum value: 4096 |
128 |
||||||||
session-limit-mode |
Method of counting concurrent sessions used by session limit anomalies. Choose between greater accuracy (accurate) or improved performance (heuristics). |
option |
- |
heuristic |
||||||||
|
|
|||||||||||
socket-size |
IPS socket buffer size. Max and default value depend on available memory. Can be changed to tune performance. |
integer |
Minimum value: 0 Maximum value: 256 ** |
128 ** |
||||||||
sync-session-ttl |
Enable/disable use of kernel session TTL for IPS sessions. |
option |
- |
enable |
||||||||
|
|
|||||||||||
traffic-submit |
Enable/disable submitting attack data found by this FortiGate to FortiGuard. |
option |
- |
disable |
||||||||
|
|
* This parameter may not exist in some models.
** Values may differ between models.
config tls-active-probe
Parameter |
Description |
Type |
Size |
Default |
||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
interface-select-method |
Specify how to select outgoing interface to reach server. |
option |
- |
auto |
||||||||
|
|
|||||||||||
interface |
Specify outgoing interface to reach server. |
string |
Maximum length: 15 |
|
||||||||
vdom |
Virtual domain name for TLS active probe. |
string |
Maximum length: 31 |
|
||||||||
source-ip |
Source IP address used for TLS active probe. |
ipv4-address |
Not Specified |
0.0.0.0 |
||||||||
source-ip6 |
Source IPv6 address used for TLS active probe. |
ipv6-address |
Not Specified |
:: |