config ips global
Configure IPS global parameter.
config ips global Description: Configure IPS global parameter. set fail-open [enable|disable] set database [regular|extended] set traffic-submit [enable|disable] set anomaly-mode [periodical|continuous] set session-limit-mode [accurate|heuristic] set socket-size {integer} set engine-count {integer} set sync-session-ttl [enable|disable] set deep-app-insp-timeout {integer} set deep-app-insp-db-limit {integer} set exclude-signatures [none|industrial] set packet-log-queue-depth {integer} config tls-active-probe Description: TLS active probe configuration. set interface-select-method [auto|sdwan|...] set interface {string} set vdom {string} set source-ip {ipv4-address} set source-ip6 {ipv6-address} end end
config ips global
Parameter |
Description |
Type |
Size |
Default |
||||||
---|---|---|---|---|---|---|---|---|---|---|
fail-open |
Enable to allow traffic if the IPS buffer is full. Default is disable and IPS traffic is blocked when the IPS buffer is full. |
option |
- |
disable |
||||||
|
|
|||||||||
database |
Regular or extended IPS database. Regular protects against the latest common and in-the-wild attacks. Extended includes protection from legacy attacks. |
option |
- |
extended |
||||||
|
|
|||||||||
traffic-submit |
Enable/disable submitting attack data found by this FortiProxy to FortiGuard. |
option |
- |
disable |
||||||
|
|
|||||||||
anomaly-mode |
Global blocking mode for rate-based anomalies. |
option |
- |
continuous |
||||||
|
|
|||||||||
session-limit-mode |
Method of counting concurrent sessions used by session limit anomalies. Choose between greater accuracy (accurate) or improved performance (heuristics). |
option |
- |
heuristic |
||||||
|
|
|||||||||
socket-size |
IPS socket buffer size. Max and default value depend on available memory. Can be changed to tune performance. |
integer |
Minimum value: 0 Maximum value: 256 |
128 |
||||||
engine-count |
Number of IPS engines running. If set to the default value of 0, FortiProxy sets the number to optimize performance depending on the number of CPU cores. |
integer |
Minimum value: 0 Maximum value: 255 |
0 |
||||||
sync-session-ttl |
Enable/disable use of kernel session TTL for IPS sessions. |
option |
- |
enable |
||||||
|
|
|||||||||
deep-app-insp-timeout |
Timeout for Deep application inspection. |
integer |
Minimum value: 0 Maximum value: 2147483647 |
0 |
||||||
deep-app-insp-db-limit |
Limit on number of entries in deep application inspection database. |
integer |
Minimum value: 0 Maximum value: 2147483647 |
0 |
||||||
exclude-signatures |
Excluded signatures. |
option |
- |
industrial |
||||||
|
|
|||||||||
packet-log-queue-depth |
Packet/pcap log queue depth per IPS engine. |
integer |
Minimum value: 128 Maximum value: 4096 |
128 |
config tls-active-probe
Parameter |
Description |
Type |
Size |
Default |
||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
interface-select-method |
Specify how to select outgoing interface to reach server. |
option |
- |
auto |
||||||||
|
|
|||||||||||
interface |
Specify outgoing interface to reach server. |
string |
Maximum length: 15 |
|
||||||||
vdom |
Virtual domain name for TLS active probe. |
string |
Maximum length: 31 |
|
||||||||
source-ip |
Source IP address used for TLS active probe. |
ipv4-address |
Not Specified |
0.0.0.0 |
||||||||
source-ip6 |
Source IPv6 address used for TLS active probe. |
ipv6-address |
Not Specified |
:: |