Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    6.2.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.0.0
    5.6.0
    5.4.0
    5.2.0
    5.0.0

    ips sensor

    Configure IPS sensor.

      config ips sensor
      Description: Configure IPS sensor.
      edit <name>
          set comment {var-string}
          set replacemsg-group {string}
          set block-malicious-url [disable|enable]
          set scan-botnet-connections [disable|block|...]
          set extended-log [enable|disable]
          config entries
              Description: IPS sensor filter.
              edit <id>
                  set rule <id1>, <id2>, ...
                  set location {user}
                  set severity {user}
                  set protocol {user}
                  set os {user}
                  set application {user}
                  set status [disable|enable|...]
                  set log [disable|enable]
                  set log-packet [disable|enable]
                  set log-attack-context [disable|enable]
                  set action [pass|block|...]
                  set rate-count {integer}
                  set rate-duration {integer}
                  set rate-mode [periodical|continuous]
                  set rate-track [none|src-ip|...]
                  config exempt-ip
                      Description: Traffic from selected source or destination IP addresses is exempt from this signature.
                      edit <id>
                          set src-ip {ipv4-classnet}
                          set dst-ip {ipv4-classnet}
                      next
                  end
                  set quarantine [none|attacker]
                  set quarantine-expiry {user}
                  set quarantine-log [disable|enable]
              next
          end
          config filter
              Description: IPS sensor filter.
              edit <name>
                  set location {user}
                  set severity {user}
                  set protocol {user}
                  set os {user}
                  set application {user}
                  set status [disable|enable|...]
                  set log [disable|enable]
                  set log-packet [disable|enable]
                  set action [pass|block|...]
                  set quarantine [none|attacker]
                  set quarantine-expiry {integer}
                  set quarantine-log [disable|enable]
              next
          end
          config override
              Description: IPS override rule.
              edit <rule-id>
                  set status [disable|enable]
                  set log [disable|enable]
                  set log-packet [disable|enable]
                  set action [pass|block|...]
                  set quarantine [none|attacker]
                  set quarantine-expiry {integer}
                  set quarantine-log [disable|enable]
                  config exempt-ip
                      Description: Exempted IP.
                      edit <id>
                          set src-ip {ipv4-classnet}
                          set dst-ip {ipv4-classnet}
                      next
                  end
              next
          end
      next
  end

    config ips sensor

    Parameter Name Description Type Size
    comment Comment. var-string Maximum length: 255
    replacemsg-group Replacement message group. string Maximum length: 35
    block-malicious-url Enable/disable malicious URL blocking.
    disable: Disable malicious URL blocking.
    enable: Enable malicious URL blocking.
    		 option -
    scan-botnet-connections Block or monitor connections to Botnet servers, or disable Botnet scanning.
    disable: Do not scan connections to botnet servers.
    block: Block connections to botnet servers.
    monitor: Log connections to botnet servers.
    		 option -
    extended-log Enable/disable extended logging.
    enable: Enable setting.
    disable: Disable setting.
    		 option -

    config entries

    Parameter Name Description Type Size
    rule <id> Identifies the predefined or custom IPS signatures to add to the sensor.
    Rule IPS.    		 integer Minimum value: 0 Maximum value: 4294967295
    location Protect client or server traffic. user Not Specified
    severity Relative severity of the signature, from info to critical. Log messages generated by the signature include the severity. user Not Specified
    protocol Protocols to be examined. set protocol ? lists available protocols. all includes all protocols. other includes all unlisted protocols. user Not Specified
    os Operating systems to be protected. all includes all operating systems. other includes all unlisted operating systems. user Not Specified
    application Applications to be protected. set application ? lists available applications. all includes all applications. other includes all unlisted applications. user Not Specified
    status Status of the signatures included in filter. default enables the filter and only use filters with default status of enable. Filters with default status of disable will not be used.
    disable: Disable status of selected rules.
    enable: Enable status of selected rules.
    default: Default.
    		 option -
    log Enable/disable logging of signatures included in filter.
    disable: Disable logging of selected rules.
    enable: Enable logging of selected rules.
    		 option -
    log-packet Enable/disable packet logging. Enable to save the packet that triggers the filter. You can download the packets in pcap format for diagnostic use.
    disable: Disable packet logging of selected rules.
    enable: Enable packet logging of selected rules.
    		 option -
    log-attack-context Enable/disable logging of attack context: URL buffer, header buffer, body buffer, packet buffer.
    disable: Disable logging of detailed attack context.
    enable: Enable logging of detailed attack context.
    		 option -
    action Action taken with traffic in which signatures are detected.
    pass: Pass or allow matching traffic.
    block: Block or drop matching traffic.
    reset: Reset sessions for matching traffic.
    default: Pass or drop matching traffic, depending on the default action of the signature.
    		 option -
    rate-count Count of the rate. integer Minimum value: 0 Maximum value: 65535
    rate-duration Duration (sec) of the rate. integer Minimum value: 1 Maximum value: 65535
    rate-mode Rate limit mode.
    periodical: Allow configured number of packets every rate-duration.
    continuous: Block packets once the rate is reached.
    		 option -
    rate-track Track the packet protocol field.
    none: none
    src-ip: Source IP.
    dest-ip: Destination IP.
    dhcp-client-mac: DHCP client.
    dns-domain: DNS domain.
    		 option -
    quarantine Quarantine method.
    none: Quarantine is disabled.
    attacker: Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
    		 option -
    quarantine-expiry Duration of quarantine. (Format ###d##h##m, minimum 1m, maximum 364d23h59m, default = 5m). Requires quarantine set to attacker. user Not Specified
    quarantine-log Enable/disable quarantine logging.
    disable: Disable quarantine logging.
    enable: Enable quarantine logging.
    		 option -

    config exempt-ip

    Parameter Name Description Type Size
    src-ip Source IP address and netmask. ipv4-classnet Not Specified
    dst-ip Destination IP address and netmask. ipv4-classnet Not Specified

    config filter

    Parameter Name Description Type Size
    location Vulnerability location filter. user Not Specified
    severity Vulnerability severity filter. user Not Specified
    protocol Vulnerable protocol filter. user Not Specified
    os Vulnerable OS filter. user Not Specified
    application Vulnerable application filter. user Not Specified
    status Selected rules status.
    disable: Disable status of selected rules.
    enable: Enable status of selected rules.
    default: Default.
    		 option -
    log Enable/disable logging of selected rules.
    disable: Disable logging of selected rules.
    enable: Enable logging of selected rules.
    		 option -
    log-packet Enable/disable packet logging of selected rules.
    disable: Disable packet logging of selected rules.
    enable: Enable packet logging of selected rules.
    		 option -
    action Action of selected rules.
    pass: Pass or allow matching traffic.
    block: Block or drop matching traffic.
    reset: Reset sessions for matching traffic.
    default: Pass or drop matching traffic, depending on the default action of the signature.
    		 option -
    quarantine Quarantine IP or interface.
    none: Quarantine is disabled.
    attacker: Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
    		 option -
    quarantine-expiry Duration of quarantine in minute. integer Minimum value: 1 Maximum value: 2147483647
    quarantine-log Enable/disable logging of selected quarantine.
    disable: Disable logging of selected quarantine.
    enable: Enable logging of selected quarantine.
    		 option -

    config override

    Parameter Name Description Type Size
    status Enable/disable status of override rule.
    disable: Disable status of override rule.
    enable: Enable status of override rule.
    		 option -
    log Enable/disable logging.
    disable: Disable logging.
    enable: Enable logging.
    		 option -
    log-packet Enable/disable packet logging.
    disable: Disable packet logging.
    enable: Enable packet logging.
    		 option -
    action Action of override rule.
    pass: Pass or allow matching traffic.
    block: Block or drop matching traffic.
    reset: Reset sessions for matching traffic.
    		 option -
    quarantine Quarantine IP or interface.
    none: Quarantine is disabled.
    attacker: Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
    		 option -
    quarantine-expiry Duration of quarantine in minute. integer Minimum value: 1 Maximum value: 2147483647
    quarantine-log Enable/disable logging of selected quarantine.
    disable: Disable logging of selected quarantine.
    enable: Enable logging of selected quarantine.
    		 option -

    config exempt-ip

    Parameter Name Description Type Size
    src-ip Source IP address and netmask. ipv4-classnet Not Specified
    dst-ip Destination IP address and netmask. ipv4-classnet Not Specified
    Previous
    Next

    ips sensor

    Configure IPS sensor.

      config ips sensor
      Description: Configure IPS sensor.
      edit <name>
          set comment {var-string}
          set replacemsg-group {string}
          set block-malicious-url [disable|enable]
          set scan-botnet-connections [disable|block|...]
          set extended-log [enable|disable]
          config entries
              Description: IPS sensor filter.
              edit <id>
                  set rule <id1>, <id2>, ...
                  set location {user}
                  set severity {user}
                  set protocol {user}
                  set os {user}
                  set application {user}
                  set status [disable|enable|...]
                  set log [disable|enable]
                  set log-packet [disable|enable]
                  set log-attack-context [disable|enable]
                  set action [pass|block|...]
                  set rate-count {integer}
                  set rate-duration {integer}
                  set rate-mode [periodical|continuous]
                  set rate-track [none|src-ip|...]
                  config exempt-ip
                      Description: Traffic from selected source or destination IP addresses is exempt from this signature.
                      edit <id>
                          set src-ip {ipv4-classnet}
                          set dst-ip {ipv4-classnet}
                      next
                  end
                  set quarantine [none|attacker]
                  set quarantine-expiry {user}
                  set quarantine-log [disable|enable]
              next
          end
          config filter
              Description: IPS sensor filter.
              edit <name>
                  set location {user}
                  set severity {user}
                  set protocol {user}
                  set os {user}
                  set application {user}
                  set status [disable|enable|...]
                  set log [disable|enable]
                  set log-packet [disable|enable]
                  set action [pass|block|...]
                  set quarantine [none|attacker]
                  set quarantine-expiry {integer}
                  set quarantine-log [disable|enable]
              next
          end
          config override
              Description: IPS override rule.
              edit <rule-id>
                  set status [disable|enable]
                  set log [disable|enable]
                  set log-packet [disable|enable]
                  set action [pass|block|...]
                  set quarantine [none|attacker]
                  set quarantine-expiry {integer}
                  set quarantine-log [disable|enable]
                  config exempt-ip
                      Description: Exempted IP.
                      edit <id>
                          set src-ip {ipv4-classnet}
                          set dst-ip {ipv4-classnet}
                      next
                  end
              next
          end
      next
  end

    config ips sensor

    Parameter Name Description Type Size
    comment Comment. var-string Maximum length: 255
    replacemsg-group Replacement message group. string Maximum length: 35
    block-malicious-url Enable/disable malicious URL blocking.
    disable: Disable malicious URL blocking.
    enable: Enable malicious URL blocking.
    		 option -
    scan-botnet-connections Block or monitor connections to Botnet servers, or disable Botnet scanning.
    disable: Do not scan connections to botnet servers.
    block: Block connections to botnet servers.
    monitor: Log connections to botnet servers.
    		 option -
    extended-log Enable/disable extended logging.
    enable: Enable setting.
    disable: Disable setting.
    		 option -

    config entries

    Parameter Name Description Type Size
    rule <id> Identifies the predefined or custom IPS signatures to add to the sensor.
    Rule IPS.    		 integer Minimum value: 0 Maximum value: 4294967295
    location Protect client or server traffic. user Not Specified
    severity Relative severity of the signature, from info to critical. Log messages generated by the signature include the severity. user Not Specified
    protocol Protocols to be examined. set protocol ? lists available protocols. all includes all protocols. other includes all unlisted protocols. user Not Specified
    os Operating systems to be protected. all includes all operating systems. other includes all unlisted operating systems. user Not Specified
    application Applications to be protected. set application ? lists available applications. all includes all applications. other includes all unlisted applications. user Not Specified
    status Status of the signatures included in filter. default enables the filter and only use filters with default status of enable. Filters with default status of disable will not be used.
    disable: Disable status of selected rules.
    enable: Enable status of selected rules.
    default: Default.
    		 option -
    log Enable/disable logging of signatures included in filter.
    disable: Disable logging of selected rules.
    enable: Enable logging of selected rules.
    		 option -
    log-packet Enable/disable packet logging. Enable to save the packet that triggers the filter. You can download the packets in pcap format for diagnostic use.
    disable: Disable packet logging of selected rules.
    enable: Enable packet logging of selected rules.
    		 option -
    log-attack-context Enable/disable logging of attack context: URL buffer, header buffer, body buffer, packet buffer.
    disable: Disable logging of detailed attack context.
    enable: Enable logging of detailed attack context.
    		 option -
    action Action taken with traffic in which signatures are detected.
    pass: Pass or allow matching traffic.
    block: Block or drop matching traffic.
    reset: Reset sessions for matching traffic.
    default: Pass or drop matching traffic, depending on the default action of the signature.
    		 option -
    rate-count Count of the rate. integer Minimum value: 0 Maximum value: 65535
    rate-duration Duration (sec) of the rate. integer Minimum value: 1 Maximum value: 65535
    rate-mode Rate limit mode.
    periodical: Allow configured number of packets every rate-duration.
    continuous: Block packets once the rate is reached.
    		 option -
    rate-track Track the packet protocol field.
    none: none
    src-ip: Source IP.
    dest-ip: Destination IP.
    dhcp-client-mac: DHCP client.
    dns-domain: DNS domain.
    		 option -
    quarantine Quarantine method.
    none: Quarantine is disabled.
    attacker: Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
    		 option -
    quarantine-expiry Duration of quarantine. (Format ###d##h##m, minimum 1m, maximum 364d23h59m, default = 5m). Requires quarantine set to attacker. user Not Specified
    quarantine-log Enable/disable quarantine logging.
    disable: Disable quarantine logging.
    enable: Enable quarantine logging.
    		 option -

    config exempt-ip

    Parameter Name Description Type Size
    src-ip Source IP address and netmask. ipv4-classnet Not Specified
    dst-ip Destination IP address and netmask. ipv4-classnet Not Specified

    config filter

    Parameter Name Description Type Size
    location Vulnerability location filter. user Not Specified
    severity Vulnerability severity filter. user Not Specified
    protocol Vulnerable protocol filter. user Not Specified
    os Vulnerable OS filter. user Not Specified
    application Vulnerable application filter. user Not Specified
    status Selected rules status.
    disable: Disable status of selected rules.
    enable: Enable status of selected rules.
    default: Default.
    		 option -
    log Enable/disable logging of selected rules.
    disable: Disable logging of selected rules.
    enable: Enable logging of selected rules.
    		 option -
    log-packet Enable/disable packet logging of selected rules.
    disable: Disable packet logging of selected rules.
    enable: Enable packet logging of selected rules.
    		 option -
    action Action of selected rules.
    pass: Pass or allow matching traffic.
    block: Block or drop matching traffic.
    reset: Reset sessions for matching traffic.
    default: Pass or drop matching traffic, depending on the default action of the signature.
    		 option -
    quarantine Quarantine IP or interface.
    none: Quarantine is disabled.
    attacker: Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
    		 option -
    quarantine-expiry Duration of quarantine in minute. integer Minimum value: 1 Maximum value: 2147483647
    quarantine-log Enable/disable logging of selected quarantine.
    disable: Disable logging of selected quarantine.
    enable: Enable logging of selected quarantine.
    		 option -

    config override

    Parameter Name Description Type Size
    status Enable/disable status of override rule.
    disable: Disable status of override rule.
    enable: Enable status of override rule.
    		 option -
    log Enable/disable logging.
    disable: Disable logging.
    enable: Enable logging.
    		 option -
    log-packet Enable/disable packet logging.
    disable: Disable packet logging.
    enable: Enable packet logging.
    		 option -
    action Action of override rule.
    pass: Pass or allow matching traffic.
    block: Block or drop matching traffic.
    reset: Reset sessions for matching traffic.
    		 option -
    quarantine Quarantine IP or interface.
    none: Quarantine is disabled.
    attacker: Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
    		 option -
    quarantine-expiry Duration of quarantine in minute. integer Minimum value: 1 Maximum value: 2147483647
    quarantine-log Enable/disable logging of selected quarantine.
    disable: Disable logging of selected quarantine.
    enable: Enable logging of selected quarantine.
    		 option -

    config exempt-ip

    Parameter Name Description Type Size
    src-ip Source IP address and netmask. ipv4-classnet Not Specified
    dst-ip Destination IP address and netmask. ipv4-classnet Not Specified
    Previous
    Next