Fortinet black logo

CLI Reference

ips sensor

ips sensor

The IPS sensors use signatures to detect attacks. IPS sensors are made up of filters and override rules. Each filter specifies a number of signature attributes and all signatures matching all the specified attributes are included in the filter.

Command Description

set extended log {enable | disable}

When extended UTM log is enabled, more HTTP header information will be logged when a UTM event happens.

Note that the following HTTP header fields are included in extended-log: http method, client content type, server content type, user agent, referer, and x-forward-for.

config ips sensor
    edit {name}
    # Configure IPS sensor.
        set name {string}   Sensor name. size[35]
        set comment {string}   Comment. size[255]
        set replacemsg-group {string}   Replacement message group. size[35] - datasource(s): system.replacemsg-group.name
        set block-malicious-url {disable | enable}   Enable/disable malicious URL blocking.
        set extended-log {enable | disable}   Enable/disable extended logging.
        config entries
            edit {id}
            # IPS sensor filter.
                set id {integer}   Rule ID in IPS database (0 - 4294967295). range[0-4294967295]
                config rule
                    edit {id}
                    # Identifies the predefined or custom IPS signatures to add to the sensor.
                        set id {integer}   Rule IPS. range[0-4294967295]
                    next
                set location {string}   Protect client or server traffic.
                set severity {string}   Relative severity of the signature, from info to critical. Log messages generated by the signature include the severity.
                set protocol {string}   Protocols to be examined. set protocol ? lists available protocols. all includes all protocols. other includes all unlisted protocols.
                set os {string}   Operating systems to be protected.  all includes all operating systems. other includes all unlisted operating systems.
                set application {string}   Applications to be protected. set application ? lists available applications. all includes all applications. other includes all unlisted applications.
                set status {disable | enable | default}   Status of the signatures included in filter. default enables the filter and only use filters with default status of enable. Filters with default status of disable will not be used.
                set log {disable | enable}   Enable/disable logging of signatures included in filter.
                set log-packet {disable | enable}   Enable/disable packet logging. Enable to save the packet that triggers the filter. You can download the packets in pcap format for diagnostic use.
                set log-attack-context {disable | enable}   Enable/disable logging of attack context: URL buffer, header buffer, body buffer, packet buffer.
                set action {pass | block | reset | default}   Action taken with traffic in which signatures are detected.
                        pass     Pass or allow matching traffic.
                        block    Block or drop matching traffic.
                        reset    Reset sessions for matching traffic.
                        default  Pass or drop matching traffic, depending on the default action of the signature.
                set rate-count {integer}   Count of the rate. range[0-65535]
                set rate-duration {integer}   Duration (sec) of the rate. range[1-65535]
                set rate-mode {periodical | continuous}   Rate limit mode.
                        periodical  Allow configured number of packets every rate-duration.
                        continuous  Block packets once the rate is reached.
                set rate-track {option}   Track the packet protocol field.
                        none             none
                        src-ip           Source IP.
                        dest-ip          Destination IP.
                        dhcp-client-mac  DHCP client.
                        dns-domain       DNS domain.
                config exempt-ip
                    edit {id}
                    # Traffic from selected source or destination IP addresses is exempt from this signature.
                        set id {integer}   Exempt IP ID. range[0-4294967295]
                        set src-ip {ipv4 classnet}   Source IP address and netmask.
                        set dst-ip {ipv4 classnet}   Destination IP address and netmask.
                    next
                set quarantine {none | attacker}   Quarantine method.
                        none      Quarantine is disabled.
                        attacker  Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
                set quarantine-expiry {string}   Duration of quarantine. (Format ###d##h##m, minimum 1m, maximum 364d23h59m, default = 5m). Requires quarantine set to attacker.
                set quarantine-log {disable | enable}   Enable/disable quarantine logging.
            next
        config filter
            edit {name}
            # IPS sensor filter.
                set name {string}   Filter name. size[31]
                set location {string}   Vulnerability location filter.
                set severity {string}   Vulnerability severity filter.
                set protocol {string}   Vulnerable protocol filter.
                set os {string}   Vulnerable OS filter.
                set application {string}   Vulnerable application filter.
                set status {disable | enable | default}   Selected rules status.
                set log {disable | enable}   Enable/disable logging of selected rules.
                set log-packet {disable | enable}   Enable/disable packet logging of selected rules.
                set action {pass | block | reset | default}   Action of selected rules.
                        pass     Pass or allow matching traffic.
                        block    Block or drop matching traffic.
                        reset    Reset sessions for matching traffic.
                        default  Pass or drop matching traffic, depending on the default action of the signature.
                set quarantine {none | attacker}   Quarantine IP or interface.
                        none      Quarantine is disabled.
                        attacker  Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
                set quarantine-expiry {integer}   Duration of quarantine in minute. range[1-2147483647]
                set quarantine-log {disable | enable}   Enable/disable logging of selected quarantine.
            next
        config override
            edit {rule-id}
            # IPS override rule.
                set rule-id {integer}   Override rule ID. range[0-4294967295]
                set status {disable | enable}   Enable/disable status of override rule.
                set log {disable | enable}   Enable/disable logging.
                set log-packet {disable | enable}   Enable/disable packet logging.
                set action {pass | block | reset}   Action of override rule.
                        pass   Pass or allow matching traffic.
                        block  Block or drop matching traffic.
                        reset  Reset sessions for matching traffic.
                set quarantine {none | attacker}   Quarantine IP or interface.
                        none      Quarantine is disabled.
                        attacker  Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
                set quarantine-expiry {integer}   Duration of quarantine in minute. range[1-2147483647]
                set quarantine-log {disable | enable}   Enable/disable logging of selected quarantine.
                config exempt-ip
                    edit {id}
                    # Exempted IP.
                        set id {integer}   Exempt IP ID. range[0-4294967295]
                        set src-ip {ipv4 classnet}   Source IP address and netmask.
                        set dst-ip {ipv4 classnet}   Destination IP address and netmask.
                    next
            next
    next
end

Additional information

The following section is for those options that require additional explanation.

block-malicious-url {enable | disable}

Enable or disable (by default) blocking of malicious URLs.

replacemsg-group <replacemsg_str>

Specify the replacement message group.

config entries

rule <rule1_int> [<rule2_int> <rule3_int> ...]

Use rule ID to identify the predefined or custom IPS signatures to add to sensor.

location {all | client | server}

Specify the type of system to be protected. Default is all.

severity {all | info | low | medium | high | critical}

Relative importance of signature, from info to critical. Default is all.

protocol <prot1_str> [<prot2_str> <prot3_str> . . .]

Specify protocols to be examined.

  • ? lists available protocols.
  • all includes all protocols.
  • other includes all unlisted protocols

os {all | other | windows | linux | bsd | solaris | macos}

Specify operating systems to be protected. Default is all.

  • all includes all operating systems.
  • other includes all unlisted operating systems

application <app1_str> [<app2_str> <app3_str>. . .]

Specify applications to be protected.

  • ? lists available applications.
  • all includes all applications.
  • other includes all unlisted applications.

tags <tag_str>

Assign a custom tag filter to the IPS sensor. Tag must first be configured by using config system object-tagging. To see what tags are available for use, use the command set tags ?. Separate multiple values with a space.

status {default | enable | disable}

Specify status of the signatures included in filter. Default is default.

  • default enables the filter and only use filters with default status of enable. Filters with default status of disable will not be used.

log {default | enable | disable}

Specify the logging status of the signatures included in the filter. Default is default.

  • default enable logging for only the filters with a default logging status of enable. Filters with a default logging status of disable will not be logged.

log-packet {enable | disable}

Enable/disable packet logging. enable saves the packet that triggers the filter. Default is disable.

You can download the packets in pcap format for diagnostic use.

log-attack-context {default | enable | disable}

Enable/disable logging of attack context: URL buffer, header buffer, body buffer, packet buffer. Default is disable.

action {block | default | pass | reject}

Specify what action is taken with traffic in which signatures are detected. Default is default.

  • block will drop the session with offending traffic.
  • pass allow the traffic.
  • reject reset the session.
  • default either pass or drop matching traffic, depending on the default action of each signature.

quarantine {attacker | none}

Specify how the FortiGate will quarantine attackers. Default is none.

  • attacker blocks all traffic sent from attacker’s IP address. The attacker’s IP address is also added to the banned user list. The target’s address is not affected.
  • none disables the adding of addresses to the quarantine.

config exempt-ip

This subcommand is available after rule has been set.

edit <exempt-ip_id>

Enter the ID number of an exempt-ip entry. For a list of the exempt-ip entries in the IPS sensor, enter ? instead of an ID. Enter a new ID to create a new exempt-ip.

dst-ip <ip4mask>

Enter destination IP address and netmask to exempt.

src-ip <ip4mask>

Enter source IP address and netmask to exempt.

ips sensor

The IPS sensors use signatures to detect attacks. IPS sensors are made up of filters and override rules. Each filter specifies a number of signature attributes and all signatures matching all the specified attributes are included in the filter.

Command Description

set extended log {enable | disable}

When extended UTM log is enabled, more HTTP header information will be logged when a UTM event happens.

Note that the following HTTP header fields are included in extended-log: http method, client content type, server content type, user agent, referer, and x-forward-for.

config ips sensor
    edit {name}
    # Configure IPS sensor.
        set name {string}   Sensor name. size[35]
        set comment {string}   Comment. size[255]
        set replacemsg-group {string}   Replacement message group. size[35] - datasource(s): system.replacemsg-group.name
        set block-malicious-url {disable | enable}   Enable/disable malicious URL blocking.
        set extended-log {enable | disable}   Enable/disable extended logging.
        config entries
            edit {id}
            # IPS sensor filter.
                set id {integer}   Rule ID in IPS database (0 - 4294967295). range[0-4294967295]
                config rule
                    edit {id}
                    # Identifies the predefined or custom IPS signatures to add to the sensor.
                        set id {integer}   Rule IPS. range[0-4294967295]
                    next
                set location {string}   Protect client or server traffic.
                set severity {string}   Relative severity of the signature, from info to critical. Log messages generated by the signature include the severity.
                set protocol {string}   Protocols to be examined. set protocol ? lists available protocols. all includes all protocols. other includes all unlisted protocols.
                set os {string}   Operating systems to be protected.  all includes all operating systems. other includes all unlisted operating systems.
                set application {string}   Applications to be protected. set application ? lists available applications. all includes all applications. other includes all unlisted applications.
                set status {disable | enable | default}   Status of the signatures included in filter. default enables the filter and only use filters with default status of enable. Filters with default status of disable will not be used.
                set log {disable | enable}   Enable/disable logging of signatures included in filter.
                set log-packet {disable | enable}   Enable/disable packet logging. Enable to save the packet that triggers the filter. You can download the packets in pcap format for diagnostic use.
                set log-attack-context {disable | enable}   Enable/disable logging of attack context: URL buffer, header buffer, body buffer, packet buffer.
                set action {pass | block | reset | default}   Action taken with traffic in which signatures are detected.
                        pass     Pass or allow matching traffic.
                        block    Block or drop matching traffic.
                        reset    Reset sessions for matching traffic.
                        default  Pass or drop matching traffic, depending on the default action of the signature.
                set rate-count {integer}   Count of the rate. range[0-65535]
                set rate-duration {integer}   Duration (sec) of the rate. range[1-65535]
                set rate-mode {periodical | continuous}   Rate limit mode.
                        periodical  Allow configured number of packets every rate-duration.
                        continuous  Block packets once the rate is reached.
                set rate-track {option}   Track the packet protocol field.
                        none             none
                        src-ip           Source IP.
                        dest-ip          Destination IP.
                        dhcp-client-mac  DHCP client.
                        dns-domain       DNS domain.
                config exempt-ip
                    edit {id}
                    # Traffic from selected source or destination IP addresses is exempt from this signature.
                        set id {integer}   Exempt IP ID. range[0-4294967295]
                        set src-ip {ipv4 classnet}   Source IP address and netmask.
                        set dst-ip {ipv4 classnet}   Destination IP address and netmask.
                    next
                set quarantine {none | attacker}   Quarantine method.
                        none      Quarantine is disabled.
                        attacker  Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
                set quarantine-expiry {string}   Duration of quarantine. (Format ###d##h##m, minimum 1m, maximum 364d23h59m, default = 5m). Requires quarantine set to attacker.
                set quarantine-log {disable | enable}   Enable/disable quarantine logging.
            next
        config filter
            edit {name}
            # IPS sensor filter.
                set name {string}   Filter name. size[31]
                set location {string}   Vulnerability location filter.
                set severity {string}   Vulnerability severity filter.
                set protocol {string}   Vulnerable protocol filter.
                set os {string}   Vulnerable OS filter.
                set application {string}   Vulnerable application filter.
                set status {disable | enable | default}   Selected rules status.
                set log {disable | enable}   Enable/disable logging of selected rules.
                set log-packet {disable | enable}   Enable/disable packet logging of selected rules.
                set action {pass | block | reset | default}   Action of selected rules.
                        pass     Pass or allow matching traffic.
                        block    Block or drop matching traffic.
                        reset    Reset sessions for matching traffic.
                        default  Pass or drop matching traffic, depending on the default action of the signature.
                set quarantine {none | attacker}   Quarantine IP or interface.
                        none      Quarantine is disabled.
                        attacker  Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
                set quarantine-expiry {integer}   Duration of quarantine in minute. range[1-2147483647]
                set quarantine-log {disable | enable}   Enable/disable logging of selected quarantine.
            next
        config override
            edit {rule-id}
            # IPS override rule.
                set rule-id {integer}   Override rule ID. range[0-4294967295]
                set status {disable | enable}   Enable/disable status of override rule.
                set log {disable | enable}   Enable/disable logging.
                set log-packet {disable | enable}   Enable/disable packet logging.
                set action {pass | block | reset}   Action of override rule.
                        pass   Pass or allow matching traffic.
                        block  Block or drop matching traffic.
                        reset  Reset sessions for matching traffic.
                set quarantine {none | attacker}   Quarantine IP or interface.
                        none      Quarantine is disabled.
                        attacker  Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
                set quarantine-expiry {integer}   Duration of quarantine in minute. range[1-2147483647]
                set quarantine-log {disable | enable}   Enable/disable logging of selected quarantine.
                config exempt-ip
                    edit {id}
                    # Exempted IP.
                        set id {integer}   Exempt IP ID. range[0-4294967295]
                        set src-ip {ipv4 classnet}   Source IP address and netmask.
                        set dst-ip {ipv4 classnet}   Destination IP address and netmask.
                    next
            next
    next
end

Additional information

The following section is for those options that require additional explanation.

block-malicious-url {enable | disable}

Enable or disable (by default) blocking of malicious URLs.

replacemsg-group <replacemsg_str>

Specify the replacement message group.

config entries

rule <rule1_int> [<rule2_int> <rule3_int> ...]

Use rule ID to identify the predefined or custom IPS signatures to add to sensor.

location {all | client | server}

Specify the type of system to be protected. Default is all.

severity {all | info | low | medium | high | critical}

Relative importance of signature, from info to critical. Default is all.

protocol <prot1_str> [<prot2_str> <prot3_str> . . .]

Specify protocols to be examined.

  • ? lists available protocols.
  • all includes all protocols.
  • other includes all unlisted protocols

os {all | other | windows | linux | bsd | solaris | macos}

Specify operating systems to be protected. Default is all.

  • all includes all operating systems.
  • other includes all unlisted operating systems

application <app1_str> [<app2_str> <app3_str>. . .]

Specify applications to be protected.

  • ? lists available applications.
  • all includes all applications.
  • other includes all unlisted applications.

tags <tag_str>

Assign a custom tag filter to the IPS sensor. Tag must first be configured by using config system object-tagging. To see what tags are available for use, use the command set tags ?. Separate multiple values with a space.

status {default | enable | disable}

Specify status of the signatures included in filter. Default is default.

  • default enables the filter and only use filters with default status of enable. Filters with default status of disable will not be used.

log {default | enable | disable}

Specify the logging status of the signatures included in the filter. Default is default.

  • default enable logging for only the filters with a default logging status of enable. Filters with a default logging status of disable will not be logged.

log-packet {enable | disable}

Enable/disable packet logging. enable saves the packet that triggers the filter. Default is disable.

You can download the packets in pcap format for diagnostic use.

log-attack-context {default | enable | disable}

Enable/disable logging of attack context: URL buffer, header buffer, body buffer, packet buffer. Default is disable.

action {block | default | pass | reject}

Specify what action is taken with traffic in which signatures are detected. Default is default.

  • block will drop the session with offending traffic.
  • pass allow the traffic.
  • reject reset the session.
  • default either pass or drop matching traffic, depending on the default action of each signature.

quarantine {attacker | none}

Specify how the FortiGate will quarantine attackers. Default is none.

  • attacker blocks all traffic sent from attacker’s IP address. The attacker’s IP address is also added to the banned user list. The target’s address is not affected.
  • none disables the adding of addresses to the quarantine.

config exempt-ip

This subcommand is available after rule has been set.

edit <exempt-ip_id>

Enter the ID number of an exempt-ip entry. For a list of the exempt-ip entries in the IPS sensor, enter ? instead of an ID. Enter a new ID to create a new exempt-ip.

dst-ip <ip4mask>

Enter destination IP address and netmask to exempt.

src-ip <ip4mask>

Enter source IP address and netmask to exempt.