IP Sets
IP Sets enable you to define one or more sets of IPs to include or exclude for some security events. This feature is used when defining exceptions.
Note – IP Sets can only be defined if all Collectors are V3.0.0.0 and up. If you attempt to define an exception and not all Collectors are V3.0.0.0 or above, the following error message displays:
Each row in the IP Sets window represents an IP inclusion/exclusion definition. The Internal Destinations row is provided by default (as indicated by the adjacent FortiEDR logo), which defines the default IPs that are included in and excluded from the FortiEDR system. All organizations in a multi-organization system are provided with this default IP set. In a single-organization system, the main organization is provided with it. The Internal Destinations IP set cannot be deleted. However, an Administrator can add Included IPs or Excluded IPs to it.
The IP Sets window lists all the IP sets created by the Administrator. A Local Administrator can edit an IP set that was specifically created for his/her organization. A Local Administrator cannot edit an IP set that applies to all organizations.
Click the logo in the Internal Destinations row to view its definition, as shown below:
To define an IP set:
- Click the button. The following window displays:
- In the Set Name field, enter a name for the IP set.
- In the Organization dropdown list, select the organization to which the IP set applies or select All organizations for the IP set to apply to all organizations in the FortiEDR system.
- In the Description field, enter a description for the IP set.
- In the Included IPs area, click the button to add an IP, IP range or IP mask to be included in the IP set’s definition. Each click of the button adds a new line to the list, and each entry appears on its own line. For example, you could add 192.168.23.2, 192.168.23.1-192.168.232 or 192.168.0.0/16.
Similarly, in the Excluded IPs area, click the button to add an IP, IP range or IP mask that is to be excluded.
- Click the Save button.
The Search IP field at the top-right of the page enables you to search for a specific IP in all of the IP sets defined. The search option identifies matching IPs, even if they are part of a range in an IP set’s definition.
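The following added example (not FortiEDR code) reproduces this kind of search offline, so that an exported or hand-copied list of IP sets can be reviewed before a set is used in an exception. The dictionary layout, set names and sample entries are constructed for illustration; entries that do not parse as an IP, IP range or IP mask are reported separately.

```python
import ipaddress

def parse_entry(entry):
    """Return (first, last) addresses covered by a single IP, an IP range or an IP mask."""
    entry = entry.strip()
    if "/" in entry:                      # IP mask, e.g. 192.168.0.0/16
        net = ipaddress.ip_network(entry, strict=False)
        return net[0], net[-1]
    if "-" in entry:                      # IP range, e.g. 10.0.0.1-10.0.0.9
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start is above range end: {entry}")
        return lo, hi
    ip = ipaddress.ip_address(entry)      # single IP
    return ip, ip

def search_ip(ip, ip_sets):
    """Find every entry that contains ip, including ranges and masks.

    Returns (hits, invalid); both are lists of (set name, list name, entry).
    """
    target = ipaddress.ip_address(ip)
    hits, invalid = [], []
    for ip_set in ip_sets:
        for kind in ("included", "excluded"):
            for entry in ip_set.get(kind, []):
                try:
                    first, last = parse_entry(entry)
                except (ValueError, TypeError):
                    invalid.append((ip_set["name"], kind, entry))
                    continue
                if first.version == target.version and first <= target <= last:
                    hits.append((ip_set["name"], kind, entry))
    return hits, invalid

# Constructed sample data (assumed layout, not a FortiEDR export format).
SAMPLE_SETS = [
    {"name": "Lab subnets", "included": ["192.168.0.0/16"],
     "excluded": ["192.168.23.1-192.168.23.20"]},
    {"name": "Update server", "included": ["192.168.23.2"], "excluded": []},
    {"name": "Typo set", "included": ["10.0.0.1-10.0.0"], "excluded": []},
]

if __name__ == "__main__":
    hits, invalid = search_ip("192.168.23.2", SAMPLE_SETS)
    for name, kind, entry in hits:
        print(f"match: set={name!r} list={kind} entry={entry}")
    for name, kind, entry in invalid:
        print(f"unparseable: set={name!r} list={kind} entry={entry}")
```

An IP that appears in both the included and the excluded list of the same set, as 192.168.23.2 does in the sample, is worth reviewing by hand before the set is attached to an exception.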
To use an IP set:
Select an IP set in the Destinations area when defining an exception, as described in Defining a Security Event as an Exception.