
Administration Guide

7.2.2

Configuring a policy with an IPS sensor

In this example, all traffic passing through the container is scanned using an IPS sensor.

Examples

CLI example

The following process details the configuration of a policy with an IPS sensor in the CLI.

To configure a policy with IPS in the CLI:
  1. Configure the firewall policy:

    config firewall policy
        edit 1
            set status enable
            set utm-status enable
            set name "IPS policy"
            set srcintf "any"
            set dstintf "any"
            set srcaddr "all"
            set dstaddr "all"
            set service "ALL"
            set ssl-ssh-profile "deep-inspection"
            set ips-sensor "high_security"
            set action accept
            set logtraffic all
        next
    end
  2. Verify that the policy is scanning the traffic:

    1. In a connected device, run the following command, substituting ip_address with the IP address of one of the container ports:

      nmap <ip_address>
    2. In the container CLI, view the utm-ips log:

      execute log filter category utm-ips
      execute log display

      The log includes entries similar to the following:

      date=2024-04-01 time=16:00:01 eventtime=1711987201 tz="+0000" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" severity="low" srcip=192.168.154.200 dstip=192.168.154.50 srcintf="eth1" dstintf="intf-0" sessionid=4846 action="detected" proto=6 service="TCP" policyid=1 attack="Port.Scanning" srcport=41474 dstport=17 direction="outgoing" attackid=43814 profile="high_security" incidentserialno=238026758 msg="applications: Port.Scanning"

REST API example

The following process details the configuration of a policy with an IPS sensor with the REST API.

The REST API in this example is configured to listen on eth1 address 192.168.1.1.

To configure a policy with IPS with the REST API:
  1. Configure the firewall policy:

    curl -H "Content-Type: application/json" -X POST -d '{ "data":{
        "policyid": "1",
        "name": "IPS policy",
        "status": "enable",
        "srcintf": [{"name": "any"}],
        "dstintf": [{"name": "any"}],
        "srcaddr": [{"name": "all"}],
        "dstaddr": [{"name": "all"}],
        "service": [{"name": "ALL"}],
        "utm-status": "enable",
        "ssl-ssh-profile": "deep-inspection",
        "ips-sensor": "high_security",
        "action": "accept",
        "logtraffic": "all"
    }}' http://192.168.1.1/api/v2/cmdb/firewall/policy
  2. Verify that the policy is scanning the traffic:

    1. In a connected device, run the following command, substituting ip_address with the IP address of one of the container ports:

      nmap <ip_address>
    2. In the container CLI, view the utm-ips log:

      execute log filter category utm-ips
      execute log display

      The log includes entries similar to the following:

      date=2024-04-01 time=16:00:01 eventtime=1711987201 tz="+0000" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" severity="low" srcip=192.168.154.200 dstip=192.168.154.50 srcintf="eth1" dstintf="intf-0" sessionid=4846 action="detected" proto=6 service="TCP" policyid=1 attack="Port.Scanning" srcport=41474 dstport=17 direction="outgoing" attackid=43814 profile="high_security" incidentserialno=238026758 msg="applications: Port.Scanning"
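The verification step in both procedures above ends with reading the utm-ips log by eye. The following is an added example, not Fortinet's code and not part of this guide: it builds the same policy body the REST API example posts, and it parses FortiOS key=value log lines so the check "policy 1 is scanning with the high_security sensor" can be scripted against the output of execute log display. The endpoint URL and the first log line are taken from the page; the second log line is a constructed traffic-log entry used only to show that non-IPS entries are filtered out. post_policy() needs network access and is included for completeness only.

```python
"""Added example: build the IPS policy payload and verify utm-ips log entries.

Not Fortinet's code. The API URL and the first SAMPLE_LOG line come from the
page; the second SAMPLE_LOG line is constructed for illustration.
"""
import json
import re
import urllib.request

# Endpoint from the page (REST API listening on eth1, 192.168.1.1).
API_URL = "http://192.168.1.1/api/v2/cmdb/firewall/policy"


def build_policy_payload(policyid="1", sensor="high_security"):
    """Return the same policy body as the page's curl command, as a dict."""
    return {"data": {
        "policyid": policyid,
        "name": "IPS policy",
        "status": "enable",
        "srcintf": [{"name": "any"}],
        "dstintf": [{"name": "any"}],
        "srcaddr": [{"name": "all"}],
        "dstaddr": [{"name": "all"}],
        "service": [{"name": "ALL"}],
        "utm-status": "enable",
        "ssl-ssh-profile": "deep-inspection",
        "ips-sensor": sensor,
        "action": "accept",
        "logtraffic": "all",
    }}


def post_policy(payload, url=API_URL):
    """POST the policy to the REST API (needs network; not run offline)."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


# key=value pairs; values are either a double-quoted string (may contain
# spaces and escaped quotes) or a run of non-whitespace characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line):
    """Parse one FortiOS log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def ips_hits(lines, policyid="1", profile="high_security"):
    """Return parsed utm/ips entries that were produced by the given policy
    and IPS sensor profile; an empty list means the policy is not scanning."""
    hits = []
    for line in lines:
        entry = parse_log_line(line)
        if (entry.get("type") == "utm" and entry.get("subtype") == "ips"
                and entry.get("policyid") == policyid
                and entry.get("profile") == profile):
            hits.append(entry)
    return hits


def summarize(entries):
    """Compact (attack, srcip, dstip, dstport, action) tuples for reporting."""
    return [(e.get("attack"), e.get("srcip"), e.get("dstip"),
             e.get("dstport"), e.get("action")) for e in entries]


SAMPLE_LOG = [
    # Entry from the page.
    'date=2024-04-01 time=16:00:01 eventtime=1711987201 tz="+0000" logid="0419016384" '
    'type="utm" subtype="ips" eventtype="signature" level="alert" severity="low" '
    'srcip=192.168.154.200 dstip=192.168.154.50 srcintf="eth1" dstintf="intf-0" '
    'sessionid=4846 action="detected" proto=6 service="TCP" policyid=1 '
    'attack="Port.Scanning" srcport=41474 dstport=17 direction="outgoing" '
    'attackid=43814 profile="high_security" incidentserialno=238026758 '
    'msg="applications: Port.Scanning"',
    # Constructed forward-traffic entry: same policy, but not an IPS event.
    'date=2024-04-01 time=16:00:02 tz="+0000" type="traffic" subtype="forward" '
    'srcip=192.168.154.200 dstip=192.168.154.50 policyid=1 action="accept" '
    'msg="constructed sample"',
]


if __name__ == "__main__":
    hits = ips_hits(SAMPLE_LOG)
    print("IPS entries for policy 1 / high_security:", len(hits))
    for row in summarize(hits):
        print(row)
```

Paste the lines printed by execute log display into SAMPLE_LOG (or read them from a file) and an empty result from ips_hits() tells you the policy is either not matching the traffic or not applying the sensor, before you start changing configuration.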
