Fortinet Document Library

CLI Reference

Version: 6.2.1
Configure IPS global parameters. These settings apply to the IPS engine as a whole, on top of whatever individual IPS sensors and anomaly profiles define.

  config ips global
      Description: Configure IPS global parameters.
      set fail-open [enable|disable]
      set database [regular|extended]
      set traffic-submit [enable|disable]
      set anomaly-mode [periodical|continuous]
      set session-limit-mode [accurate|heuristic]
      set intelligent-mode [enable|disable]
      set socket-size {integer}
      set engine-count {integer}
      set sync-session-ttl [enable|disable]
      set skype-client-public-ipaddr {var-string}
      set deep-app-insp-timeout {integer}
      set deep-app-insp-db-limit {integer}
      set exclude-signatures [none|industrial]
  end

config ips global

Parameters (name, type and size, then description and options):

fail-open (option)
    Enable to allow traffic through if the IPS process crashes. Default is disable: while the IPS process is down, traffic that would have been inspected by IPS is blocked. Enabling it favours availability over inspection, because that traffic is then forwarded without IPS scanning.
    enable: Enable IPS fail open.
    disable: Disable IPS fail open.

database (option)
    Regular or extended IPS database. Regular protects against the latest common and in-the-wild attacks. Extended adds protection against legacy attacks.
    regular: IPS regular database package.
    extended: IPS extended database package.

traffic-submit (option)
    Enable/disable submitting attack data found by this FortiGate to FortiGuard.
    enable: Enable traffic submit.
    disable: Disable traffic submit.

anomaly-mode (option)
    Global blocking mode for rate-based anomalies.
    periodical: After an anomaly is detected, allow the number of packets per second set in the anomaly configuration.
    continuous: Block packets as soon as an anomaly is detected. Overrides the individual anomaly settings.

session-limit-mode (option)
    Method of counting concurrent sessions used by session-limit anomalies. Choose between greater accuracy (accurate) and better performance (heuristic).
    accurate: Accurately count concurrent sessions; demands more resources.
    heuristic: Use heuristics to estimate the number of concurrent sessions. Acceptable in most cases.

intelligent-mode (option)
    Enable/disable IPS adaptive scanning (intelligent mode). Intelligent mode optimizes the scanning method for the type of traffic.
    enable: Enable intelligent scan mode.
    disable: Disable intelligent scan mode.

socket-size (integer; minimum value 0, maximum value 128)
    IPS socket buffer size in MB. The default depends on available memory and can be changed to tune performance. The description in the reference gives the range as 0 - 256 MB while the listed maximum is 128; the CLI rejects values above the limit of the unit you are configuring, so check what it accepts on your model.

engine-count (integer; minimum value 0, maximum value 255)
    Number of IPS engines running. With the default value of 0, FortiOS sets the number to optimize performance for the number of CPU cores.

sync-session-ttl (option)
    Enable/disable use of the kernel session TTL for IPS sessions.
    enable: Enable use of the kernel session TTL for IPS sessions.
    disable: Disable use of the kernel session TTL for IPS sessions.

skype-client-public-ipaddr (var-string; maximum length 255)
    Public IP addresses of your network that receive Skype sessions; helps identify Skype sessions. Separate IP addresses with commas.

deep-app-insp-timeout (integer; minimum value 0, maximum value 2147483647)
    Timeout for deep application inspection in seconds (1 - 2147483647; 0 = use the recommended setting).

deep-app-insp-db-limit (integer; minimum value 0, maximum value 2147483647)
    Limit on the number of entries in the deep application inspection database (1 - 2147483647; 0 = use the recommended setting).

exclude-signatures (option)
    Signatures to exclude from the IPS database.
    none: No signatures excluded.
    industrial: Exclude industrial signatures.
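The following is an added example, not part of the Fortinet reference and not Fortinet code. It audits a `config ips global` block written in the syntax shown above (the form `show ips global` prints, which lists only values that differ from the default), fills in the defaults the reference states, range-checks the integer parameters against the listed limits, and flags the settings a reviewer would question: fail-open enabled, attack data submission to FortiGuard, industrial signatures excluded, and the regular database (no legacy-attack coverage). The sample configuration string, the severity labels and the parsing functions are this example's own assumptions.

```python
"""Audit a FortiOS 'config ips global' block against a simple hardening policy.

Added example, not Fortinet code. The parameter names, option sets, ranges
and defaults are taken from the CLI reference table; the severity labels and
the sample configuration below are constructed for this example.
"""
import re

# Option sets and integer ranges as listed in the CLI reference.
OPTIONS = {
    "fail-open": {"enable", "disable"},
    "database": {"regular", "extended"},
    "traffic-submit": {"enable", "disable"},
    "anomaly-mode": {"periodical", "continuous"},
    "session-limit-mode": {"accurate", "heuristic"},
    "intelligent-mode": {"enable", "disable"},
    "sync-session-ttl": {"enable", "disable"},
    "exclude-signatures": {"none", "industrial"},
}
INT_RANGES = {
    "socket-size": (0, 128),  # listed maximum; the description says 0 - 256 MB
    "engine-count": (0, 255),
    "deep-app-insp-timeout": (0, 2147483647),
    "deep-app-insp-db-limit": (0, 2147483647),
}
# Defaults the reference states explicitly. 'show' omits default values,
# so a parameter missing from the block means the default is in effect.
DEFAULTS = {"fail-open": "disable", "engine-count": "0"}


def parse_ips_global(text):
    """Return {parameter: value} from a 'config ips global ... end' block.

    Values are kept as typed; a quoted var-string has its quotes removed.
    """
    settings = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config ips global":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":
            break
        m = re.match(r"^set\s+(\S+)\s+(.+)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings


def validate(settings):
    """Return syntax/range errors, i.e. values the CLI would reject."""
    errors = []
    for name, value in settings.items():
        if name in OPTIONS and value not in OPTIONS[name]:
            errors.append(f"{name}: '{value}' not in {sorted(OPTIONS[name])}")
        elif name in INT_RANGES:
            lo, hi = INT_RANGES[name]
            if not value.isdigit() or not lo <= int(value) <= hi:
                errors.append(f"{name}: '{value}' outside {lo}-{hi}")
        elif name not in OPTIONS and name != "skype-client-public-ipaddr":
            errors.append(f"{name}: unknown parameter for 'config ips global'")
    return errors


def audit(settings):
    """Return policy findings as (severity, parameter, message) tuples."""
    eff = {**DEFAULTS, **settings}  # effective configuration including defaults
    findings = []
    if eff["fail-open"] == "enable":
        findings.append(("HIGH", "fail-open",
                         "traffic passes without IPS inspection if the IPS process crashes"))
    if eff.get("traffic-submit") == "enable":
        findings.append(("INFO", "traffic-submit",
                         "attack data found by this unit is submitted to FortiGuard; confirm that is acceptable"))
    if eff.get("exclude-signatures") == "industrial":
        findings.append(("MEDIUM", "exclude-signatures",
                         "industrial signatures are excluded; make sure no industrial systems sit behind this unit"))
    if eff.get("database") == "regular":
        findings.append(("INFO", "database",
                         "regular database selected; legacy attacks covered only by the extended database"))
    return findings


# Constructed sample in the form 'show ips global' prints (non-default values only).
SAMPLE = """
config ips global
    set fail-open enable
    set database extended
    set traffic-submit enable
    set anomaly-mode continuous
    set engine-count 4
    set skype-client-public-ipaddr "203.0.113.10,203.0.113.11"
    set exclude-signatures industrial
end
"""

if __name__ == "__main__":
    cfg = parse_ips_global(SAMPLE)
    for err in validate(cfg):
        print("ERROR", err)
    for sev, name, msg in audit(cfg):
        print(sev, name, msg)
```

Feed it the text of `show ips global` from the unit under review; an empty block audits clean because every listed default is the safer choice, and any `set` line the CLI would refuse shows up as an error before the policy findings.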