Fortinet black logo

Administration Guide

Home FortiEDR/XDR 6.2.0 Administration Guide
6.2.0
6.2.0
6.0.0
5.2.1
5.2.0
5.1.0
5.0.0
4.2.0
4.1.1
4.1.0

IP sets

IP sets

IP Sets enable you to define a set(s) of IPs to include or exclude for some security events. This feature is used when defining exceptions.

Note

This page is only available to users with Admin, IT, or Senior Analyst permissions.

Note

IP Sets can only be defined if all Collectors are V3.0.0.0 and up. If you attempt to define an exception and all Collectors are not V3.0.0.0 or above, the following error message displays:

Each row in the IP Sets window represents an IP inclusion/exclusion definition. The Internal Destinations row is provided by default (as indicated by the adjacent FortiEDR logo), which defines the default IPs that are included in and excluded from the FortiEDR system. All organizations in a multi-organization system are provided with this default IP set. In a single-organization system, the main organization is provided with it. The Internal Destinations IP set cannot be deleted. However, an Administrator can add Included IPs or Excluded IPs to it.

The IP Sets page lists all the IP sets. Users can only edit an IP set that was specifically created for his/her organization. For example, if the administrator is assigned to only organization A, he/she can edit an IP set create for organization A but not an IP set that applies to all organizations.

Click the logo in the Internal Destinations row to view its definition, as shown below:

To define an IP set:
  1. Click the Define new IP set button () button. The following window displays:

  2. In the Set Name field, enter a name for the IP set.
  3. In the Organization dropdown list, select the organization to which the IP set applies or select All organizations for the IP set to apply to all organizations in the FortiEDR system.
  4. In the Description field, enter a description for the IP set.
  5. In the Included IPs area, click the Add button () to add an IP, IP range, or IP mask to be included in the IP set’s definition. Each click of the Add button () adds a new line to the list. Each entry appears in its own line. For example, you could add 192.168.23.2, 192.168.23.1-192.168.232 or 192.168.0.0/16.

    Similarly, in the Excluded IPs area, click the Add button () to add an IP, IP range, or IP mask that is to be excluded.

  6. Click the Save button.

The Search IP field at the top-right of the page enables you to search for a specific IP in all of the IP sets defined. The search option identifies matching IPs, even if they are part of a range in an IP set’s definition.

To use an IP set:

Select an IP set in the Destinations area when defining an exception, as described in Defining a security event as an exception.

Previous
Next

IP sets

IP Sets enable you to define a set(s) of IPs to include or exclude for some security events. This feature is used when defining exceptions.

Note

This page is only available to users with Admin, IT, or Senior Analyst permissions.

Note

IP Sets can only be defined if all Collectors are V3.0.0.0 and up. If you attempt to define an exception and all Collectors are not V3.0.0.0 or above, the following error message displays:

Each row in the IP Sets window represents an IP inclusion/exclusion definition. The Internal Destinations row is provided by default (as indicated by the adjacent FortiEDR logo), which defines the default IPs that are included in and excluded from the FortiEDR system. All organizations in a multi-organization system are provided with this default IP set. In a single-organization system, the main organization is provided with it. The Internal Destinations IP set cannot be deleted. However, an Administrator can add Included IPs or Excluded IPs to it.

The IP Sets page lists all the IP sets. Users can only edit an IP set that was specifically created for his/her organization. For example, if the administrator is assigned to only organization A, he/she can edit an IP set create for organization A but not an IP set that applies to all organizations.

Click the logo in the Internal Destinations row to view its definition, as shown below:

To define an IP set:
  1. Click the Define new IP set button () button. The following window displays:

  2. In the Set Name field, enter a name for the IP set.
  3. In the Organization dropdown list, select the organization to which the IP set applies or select All organizations for the IP set to apply to all organizations in the FortiEDR system.
  4. In the Description field, enter a description for the IP set.
  5. In the Included IPs area, click the Add button () to add an IP, IP range, or IP mask to be included in the IP set’s definition. Each click of the Add button () adds a new line to the list. Each entry appears in its own line. For example, you could add 192.168.23.2, 192.168.23.1-192.168.232 or 192.168.0.0/16.

    Similarly, in the Excluded IPs area, click the Add button () to add an IP, IP range, or IP mask that is to be excluded.

  6. Click the Save button.

The Search IP field at the top-right of the page enables you to search for a specific IP in all of the IP sets defined. The search option identifies matching IPs, even if they are part of a range in an IP set’s definition.

To use an IP set:

Select an IP set in the Destinations area when defining an exception, as described in Defining a security event as an exception.

Previous
Next