Fortinet black logo

CLI Reference

ips custom

ips custom

Use this command to configure custom IPS sensors which use signatures in order to detect attacks.

The FortiGate's predefined signatures cover common attacks. These signatures can be listed with the config ips rule ? command. Details about the default settings of each signature can be displayed with the get command.

If an unusual application or platform is being used, add custom signatures based on the security alerts released by the application and platform vendors. Custom signatures can be used to block or allow specific traffic and provide the power and flexibility to customize FortiGate Intrusion Protection for diverse network environments.

You can only edit custom IPS signatures. A single custom signature can be used in multiple sensors with different settings in each.

note icon Custom signatures are an advanced feature. This document assumes the user has previous experience writing intrusion detection signatures.
config ips custom
    edit {tag}
    # Configure IPS custom signature.
        set tag {string}   Signature tag. size[63]
        set signature {string}   Custom signature enclosed in single quotes. size[1023]
        set sig-name {string}   Signature name. size[63]
        set rule-id {integer}   Signature ID. range[0-4294967295]
        set severity {string}   Relative severity of the signature, from info to critical. Log messages generated by the signature include the severity.
        set location {string}   Protect client or server traffic.
        set os {string}   Operating system(s) that the signature protects. Blank for all operating systems.
        set application {string}   Applications to be protected. Blank for all applications.
        set protocol {string}   Protocol(s) that the signature scans. Blank for all protocols.
        set status {disable | enable}   Enable/disable this signature.
        set log {disable | enable}   Enable/disable logging.
        set log-packet {disable | enable}   Enable/disable packet logging.
        set action {pass | block}   Default action (pass or block) for this signature.
                pass   Pass or allow matching traffic.
                block  Block or drop matching traffic.
        set comment {string}   Comment. size[63]
    next
end

Additional information

The following section is for those options that require additional explanation.

action {block | pass}

Block or pass (set by default) this signature.

application [<app1> <app2> ... ]

Application(s) that the signature scans. Enter set application ? to see all available applications. Separate each entry with a space for multiple protocols. Blank (set by default) for all applications.

location {client | server}

Specify the type of system to be protected.

log {enable | disable}

Enable (by default) or disable logging for IPS.

log-packet {enable | disable}

Enable or disable (by default) packet logging for this signature.

os {all | other | windows | linux | bsd | solaris | macos}

Operating system(s) that the signature protects. Blank (set by default) for all operating systems. Enter other to include all unlisted operating systems.

protocol [<pro1> <pro2> ... ]

Protocol(s) that the signature scans. Enter set protocol ? to see all available protocols. Separate each entry with a space for multiple protocols. Blank (set by default) for all protocols.

severity {all | info | low | medium | high | critical}

Relative importance of signature, from info to critical. Log messages generated by the signature include the severity.

signature <signature>

The custom signature enclosed in single quotes. For more information, see Custom IPS and Application Control Signature Guide.

status {enable | disable}

Enable (by default) or disable the status of the signature when it is included in an IPS Sensor.

ips custom

Use this command to configure custom IPS sensors which use signatures in order to detect attacks.

The FortiGate's predefined signatures cover common attacks. These signatures can be listed with the config ips rule ? command. Details about the default settings of each signature can be displayed with the get command.

If an unusual application or platform is being used, add custom signatures based on the security alerts released by the application and platform vendors. Custom signatures can be used to block or allow specific traffic and provide the power and flexibility to customize FortiGate Intrusion Protection for diverse network environments.

You can only edit custom IPS signatures. A single custom signature can be used in multiple sensors with different settings in each.

note icon Custom signatures are an advanced feature. This document assumes the user has previous experience writing intrusion detection signatures.
config ips custom
    edit {tag}
    # Configure IPS custom signature.
        set tag {string}   Signature tag. size[63]
        set signature {string}   Custom signature enclosed in single quotes. size[1023]
        set sig-name {string}   Signature name. size[63]
        set rule-id {integer}   Signature ID. range[0-4294967295]
        set severity {string}   Relative severity of the signature, from info to critical. Log messages generated by the signature include the severity.
        set location {string}   Protect client or server traffic.
        set os {string}   Operating system(s) that the signature protects. Blank for all operating systems.
        set application {string}   Applications to be protected. Blank for all applications.
        set protocol {string}   Protocol(s) that the signature scans. Blank for all protocols.
        set status {disable | enable}   Enable/disable this signature.
        set log {disable | enable}   Enable/disable logging.
        set log-packet {disable | enable}   Enable/disable packet logging.
        set action {pass | block}   Default action (pass or block) for this signature.
                pass   Pass or allow matching traffic.
                block  Block or drop matching traffic.
        set comment {string}   Comment. size[63]
    next
end

Additional information

The following section is for those options that require additional explanation.

action {block | pass}

Block or pass (set by default) this signature.

application [<app1> <app2> ... ]

Application(s) that the signature scans. Enter set application ? to see all available applications. Separate each entry with a space for multiple protocols. Blank (set by default) for all applications.

location {client | server}

Specify the type of system to be protected.

log {enable | disable}

Enable (by default) or disable logging for IPS.

log-packet {enable | disable}

Enable or disable (by default) packet logging for this signature.

os {all | other | windows | linux | bsd | solaris | macos}

Operating system(s) that the signature protects. Blank (set by default) for all operating systems. Enter other to include all unlisted operating systems.

protocol [<pro1> <pro2> ... ]

Protocol(s) that the signature scans. Enter set protocol ? to see all available protocols. Separate each entry with a space for multiple protocols. Blank (set by default) for all protocols.

severity {all | info | low | medium | high | critical}

Relative importance of signature, from info to critical. Log messages generated by the signature include the severity.

signature <signature>

The custom signature enclosed in single quotes. For more information, see Custom IPS and Application Control Signature Guide.

status {enable | disable}

Enable (by default) or disable the status of the signature when it is included in an IPS Sensor.