
CLI Reference

ips global

This command sets IPS global operating parameters.

config ips global
    set fail-open {enable | disable}   Enable to allow traffic if the IPS process crashes. Default is disable and IPS traffic is blocked when the IPS process crashes.
    set database {regular | extended}   Regular or extended IPS database. Regular protects against the latest common and in-the-wild attacks. Extended includes protection from legacy attacks.
            regular   IPS regular database package.
            extended  IPS extended database package.
    set traffic-submit {enable | disable}   Enable/disable submitting attack data found by this FortiGate to FortiGuard.
    set anomaly-mode {periodical | continuous}   Global blocking mode for rate-based anomalies.
            periodical  After an anomaly is detected, allow the number of packets per second according to the anomaly configuration.
            continuous  Block packets once an anomaly is detected. Overrides individual anomaly settings.
    set session-limit-mode {accurate | heuristic}   Method of counting concurrent sessions used by session limit anomalies. Choose between greater accuracy (accurate) or improved performance (heuristic).
            accurate   Accurately count concurrent sessions, demands more resources.
            heuristic  Use heuristics to estimate the number of concurrent sessions. Acceptable in most cases.
    set intelligent-mode {enable | disable}   Enable/disable IPS adaptive scanning (intelligent mode). Intelligent mode optimizes the scanning method for the type of traffic.
    set socket-size {integer}   IPS socket buffer size. Max and default value depend on available memory. Can be changed to tune performance.
    set engine-count {integer}   Number of IPS engines running. If set to the default value of 0, FortiOS sets the number to optimize performance depending on the number of CPU cores. range[0-255]
    set sync-session-ttl {enable | disable}   Enable/disable use of kernel session TTL for IPS sessions.
    set np-accel-mode {none | basic}   Acceleration mode for IPS processing by NPx processors.
            none   NPx acceleration disabled.
            basic  NPx acceleration enabled.
    set ips-reserve-cpu {disable | enable}   Enable/disable IPS daemon's use of CPUs other than CPU 0.
    set cp-accel-mode {none | basic | advanced}   IPS Pattern matching acceleration/offloading to CPx processors.
            none      CPx acceleration/offloading disabled.
            basic     Offload basic pattern matching to CPx processors.
            advanced  Offload more types of pattern matching resulting in higher throughput than basic mode. Requires two CP8s or one CP9.
    set skype-client-public-ipaddr {string}   Public IP addresses of your network that receive Skype sessions. Helps identify Skype sessions. Separate IP addresses with commas. size[255]
    set deep-app-insp-timeout {integer}   Timeout for Deep application inspection (1 - 2147483647 sec., 0 = use recommended setting). range[0-2147483647]
    set deep-app-insp-db-limit {integer}   Limit on number of entries in deep application inspection database (1 - 2147483647, 0 = use recommended setting) range[0-2147483647]
    set exclude-signatures {none | industrial}   Excluded signatures.
            none        No signatures excluded.
            industrial  Exclude industrial signatures.
end

Additional information

The following section is for those options that require additional explanation.

anomaly-mode {continuous | periodical}

Specify the blocking mode for rate-based anomalies:

  • continuous: Block all packets once an anomaly is detected. Overrides individual anomaly settings (set by default).
  • periodical: After an anomaly is detected, allow the configured number of packets per second.

cp-accel-mode {none | basic | advanced}

Note: This entry is only available on FortiGate models with Content Processors (CPs). In addition, the advanced option is only available on FortiGate models with two or more CP8s or one or more CP9s.

CP8 or CP9 acceleration/offloading of pattern matching:

  • none: CP8 or CP9 acceleration disabled.
  • basic: offload basic pattern matching to CP8 or CP9 processors.
  • advanced: (the default) offloads more types of pattern matching resulting in higher throughput than basic mode.

For more information see Hardware Acceleration.

database {regular | extended}

Identify which IPS database to use. The default is set to regular, which protects against the latest common and in-the-wild attacks. To include protection from legacy attacks, set to extended.

Note that the extended database may affect the performance of the FortiGate unit, so on some FortiGate models the extended database package may not be enabled by default.

deep-app-insp-db-limit <limit>

Maximum number of application database entries. Set the value between 1-2147483647. Default is 100000.

deep-app-insp-timeout <seconds>

Period of time in seconds after which inactive application database entries are deleted. Set the value between 1-2147483647. The default is set to 86400 (or one day).

engine-count <limit>

Number of intrusion protection engines to run. Multi-processor FortiGate units can more efficiently process traffic with multiple engines running. When set to 0 (by default), the FortiGate unit determines the optimal number of intrusion protection engines.

exclude-signatures {none | industrial}

Hide industrial signatures, which are used by a specialized customer base. Excluded signatures don't appear on the GUI.

  • none: No signatures excluded.
  • industrial: Exclude industrial signatures (set by default).

fail-open {enable | disable}

Enable or disable (by default) fail-open. When enabled, if IPS ceases to function, crucial network traffic is not blocked and the firewall continues to operate, without IPS inspection, while the problem is resolved. When disabled, if the IPS process fails, IPS traffic is blocked.

intelligent-mode {enable | disable}

Enable (by default) or disable IPS adaptive scanning (intelligent mode) so that, for some traffic, the FortiGate can quickly finish scanning and offload the traffic to NPU or kernel. Intelligent mode optimizes the scanning method for the type of traffic.

np-accel-mode {none | basic}

Note: This entry is only available on FortiGate models with Network Processors (NPs).

Acceleration mode for IPS processing by NPx processors:

  • none: Disables NP acceleration.
  • basic: Enables NP acceleration.

session-limit-mode {accurate | heuristic}

Select the method that session limit anomalies use to estimate concurrent sessions. Use these options to choose between optimal performance and more accurate information.

  • accurate: Accurately counts the concurrent sessions. This option requires more resources than the default heuristic method.
  • heuristic: Uses heuristics to estimate concurrent sessions. Results may be less accurate but still acceptable in most cases (set by default).

skype-client-public-ipaddr <ip-addr-list>

Note: Separate IP addresses with commas, not spaces.

Public IP addresses of your network that receive Skype sessions. This helps the FortiGate unit identify Skype sessions properly in the Sessions dashboard widget and when attempting to detect/block them.

socket-size <mb>

Intrusion protection buffer size in MB. The default value varies by model, depending on available physical memory. FortiGate 100D models, for example, are set by default to 64.

sync-session-ttl {enable | disable}

Enable or disable (by default) use of kernel session TTL for IPS sessions.

traffic-submit {enable | disable}

Enable or disable (by default) submission of attack characteristics to FortiGuard Service.
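
Added example (not part of the Fortinet reference): a small Python audit that reads the config ips global stanza from a configuration backup and reports where the effective settings differ from a site baseline. The BASELINE values, the function names and the sample text are assumptions made for this example; it also assumes the backup lists only non-default settings, so an absent option takes the default documented above.

```python
import re

# Defaults as documented on this page; model-dependent ones are omitted.
DEFAULTS = {
    "fail-open": "disable", "anomaly-mode": "continuous",
    "exclude-signatures": "industrial", "traffic-submit": "disable",
}
# Hypothetical site baseline: an assumption of this example, not vendor guidance.
BASELINE = {
    "fail-open": "disable",        # fail closed if the IPS process crashes
    "anomaly-mode": "continuous",  # block once a rate anomaly is detected
    "database": "extended",        # include legacy-attack signatures
    "exclude-signatures": "none",  # keep industrial signatures visible
}

def parse_ips_global(config_text):
    """Return the explicit 'set' values inside the 'config ips global' stanza."""
    settings, inside = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config ips global":
            inside = True
        elif inside and line == "end":
            break
        elif inside:
            m = re.match(r"set\s+(\S+)\s+(.+)$", line)
            if m:
                settings[m.group(1)] = m.group(2).strip('"')
    return settings

def audit(config_text, baseline=BASELINE):
    """List (option, effective, wanted) for every deviation from the baseline."""
    explicit = parse_ips_global(config_text)
    findings = []
    for option, wanted in baseline.items():
        # Absent option -> documented default, or "unknown" if model-dependent.
        effective = explicit.get(option, DEFAULTS.get(option, "unknown"))
        if effective != wanted:
            findings.append((option, effective, wanted))
    return findings

# Constructed sample backup fragment, not taken from a real device.
SAMPLE = """config ips global
    set fail-open enable
    set database extended
    set anomaly-mode periodical
end
"""
print(audit(SAMPLE))
```

An "unknown" effective value means the option is absent from the backup and its default depends on the model, so confirm it on the device with show full-configuration.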
