Administration Guide

Intrusion Prevention filtering options

Intrusion Prevention (IPS) detects and blocks network-based attacks. You can configure IPS sensors based on IPS signatures, IPS filters, outgoing connections to botnet sites, and rate-based signatures. FortiManager includes eight preloaded IPS sensors:

  • all_default
  • all_default_pass
  • default
  • high_security
  • protect_client
  • protect_email_server
  • protect_http_server
  • wifi-default

You can customize these sensors, or you can create your own and apply it to a firewall policy.

Note

This functionality requires a subscription to FortiGuard IPS Service.

Hold-time

The hold-time option sets, per VDOM, how long new signatures are held after a FortiGuard IPS signature update. During the holding period, the signature's mode is monitor. The new signatures are enabled once the hold-time expires, which helps avoid false positives.

The hold-time can be from 0 days and 0 hours (default) up to 7 days, in the format ##d##h.

To delay an IPS signature activation:
  1. Go to Device Manager > Device & Groups.
  2. Select a managed device.
  3. In the toolbar, click CLI Configuration. To display the menu, see Device DB - CLI Configurations.
  4. In the configurations menu, go to System > IPS. The system ips dialog box is displayed.
  5. Ensure override-signature-hold-by-id is enabled.
  6. In the signature-hold-time field, enter the number of days or hours to hold and monitor the IPS signatures.
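
The following is an added example, not Fortinet code: a pre-check for signature-hold-time values before they are entered in the field above, plus a calculation of when held signatures leave monitor mode. The function names are hypothetical, and the checks assume one or two digits per field and an hours field of 0-23; only the ##d##h format and the 0d0h to 7 days range come from this page.

```python
import re
from datetime import datetime, timedelta, timezone

# Range stated on this page: 0d0h (default) up to 7 days, format ##d##h.
MAX_HOLD = timedelta(days=7)
_HOLD_RE = re.compile(r"(\d{1,2})d(\d{1,2})h")  # assumption: 1-2 digits per field


def parse_hold_time(value: str) -> timedelta:
    """Parse a ##d##h hold-time string and enforce the documented range."""
    match = _HOLD_RE.fullmatch(value.strip())
    if not match:
        raise ValueError(f"not in ##d##h format: {value!r}")
    days, hours = int(match.group(1)), int(match.group(2))
    # Assumption (not stated on the page): hours is a clock-style 0-23 value.
    if hours > 23:
        raise ValueError(f"hours field out of range 0-23: {value!r}")
    hold = timedelta(days=days, hours=hours)
    if hold > MAX_HOLD:
        raise ValueError(f"hold-time exceeds 7 days: {value!r}")
    return hold


def enforcement_time(update_time: datetime, hold_time: str) -> datetime:
    """Return when signatures from an update stop being held."""
    return update_time + parse_hold_time(hold_time)


def mode_at(update_time: datetime, hold_time: str, now: datetime) -> str:
    """Report the mode of newly delivered signatures at a given moment."""
    if now < enforcement_time(update_time, hold_time):
        return "monitor"   # still inside the holding period
    return "enabled"       # hold-time has elapsed


if __name__ == "__main__":
    # Constructed sample: an update received at midnight UTC, held 3d12h.
    update = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
    for candidate in ("0d0h", "3d12h", "7d0h", "7d1h", "12h"):
        try:
            print(candidate, "->", enforcement_time(update, candidate).isoformat())
        except ValueError as err:
            print(candidate, "-> rejected:", err)
```

With the default of 0d0h the holding period is empty, so new signatures take effect as soon as the update arrives; any non-zero value widens the window in which newly covered attacks are only monitored.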

CVE pattern

The CVE pattern option allows you to filter IPS signatures based on CVE IDs or with a CVE wildcard, ensuring that any signatures tagged with that CVE are automatically included.

To add an IPS CVE filter:
  1. Go to Policy & Objects > Object Configurations > Security Profiles > Intrusion Prevention.

    If you are logged in as a Restricted Admin, go to Intrusion Prevention > Profiles.

  2. Create a new profile or select the profile you want to update.
  3. In the IPS Signatures and Filters section, create a new filter or select a filter to update. The Create New IPS Signatures and Filters dialog box is displayed.
  4. Add the CVE filter.
    1. Click the Filter icon.
    2. Click Add Filter > CVE ID.
    3. Enter the CVE ID, then click Use Filters, and click OK.
  5. Click OK.
