Fortinet black logo

CLI Reference

ips sensor

Configure IPS sensor.

  config ips sensor
      Description: Configure IPS sensor.
      edit <name>
          set comment {var-string}
          set replacemsg-group {string}
          set block-malicious-url [disable|enable]
          set scan-botnet-connections [disable|block|...]
          set extended-log [enable|disable]
          config entries
              Description: IPS sensor filter.
              edit <id>
                  set rule <id1>, <id2>, ...
                  set location {user}
                  set severity {user}
                  set protocol {user}
                  set os {user}
                  set application {user}
                  set status [disable|enable|...]
                  set log [disable|enable]
                  set log-packet [disable|enable]
                  set log-attack-context [disable|enable]
                  set action [pass|block|...]
                  set rate-count {integer}
                  set rate-duration {integer}
                  set rate-mode [periodical|continuous]
                  set rate-track [none|src-ip|...]
                  config exempt-ip
                      Description: Traffic from selected source or destination IP addresses is exempt from this signature.
                      edit <id>
                          set src-ip {ipv4-classnet}
                          set dst-ip {ipv4-classnet}
                      next
                  end
                  set quarantine [none|attacker]
                  set quarantine-expiry {user}
                  set quarantine-log [disable|enable]
              next
          end
          config filter
              Description: IPS sensor filter.
              edit <name>
                  set location {user}
                  set severity {user}
                  set protocol {user}
                  set os {user}
                  set application {user}
                  set status [disable|enable|...]
                  set log [disable|enable]
                  set log-packet [disable|enable]
                  set action [pass|block|...]
                  set quarantine [none|attacker]
                  set quarantine-expiry {integer}
                  set quarantine-log [disable|enable]
              next
          end
          config override
              Description: IPS override rule.
              edit <rule-id>
                  set status [disable|enable]
                  set log [disable|enable]
                  set log-packet [disable|enable]
                  set action [pass|block|...]
                  set quarantine [none|attacker]
                  set quarantine-expiry {integer}
                  set quarantine-log [disable|enable]
                  config exempt-ip
                      Description: Exempted IP.
                      edit <id>
                          set src-ip {ipv4-classnet}
                          set dst-ip {ipv4-classnet}
                      next
                  end
              next
          end
      next
  end

config ips sensor

Parameter Name Description Type Size
comment Comment. var-string Maximum length: 255
replacemsg-group Replacement message group. string Maximum length: 35
block-malicious-url Enable/disable malicious URL blocking.
disable: Disable malicious URL blocking.
enable: Enable malicious URL blocking.
option -
scan-botnet-connections Block or monitor connections to Botnet servers, or disable Botnet scanning.
disable: Do not scan connections to botnet servers.
block: Block connections to botnet servers.
monitor: Log connections to botnet servers.
option -
extended-log Enable/disable extended logging.
enable: Enable setting.
disable: Disable setting.
option -

config entries

Parameter Name Description Type Size
rule <id> Identifies the predefined or custom IPS signatures to add to the sensor.
Rule IPS.
integer Minimum value: 0 Maximum value: 4294967295
location Protect client or server traffic. user Not Specified
severity Relative severity of the signature, from info to critical. Log messages generated by the signature include the severity. user Not Specified
protocol Protocols to be examined. set protocol ? lists available protocols. all includes all protocols. other includes all unlisted protocols. user Not Specified
os Operating systems to be protected. all includes all operating systems. other includes all unlisted operating systems. user Not Specified
application Applications to be protected. set application ? lists available applications. all includes all applications. other includes all unlisted applications. user Not Specified
status Status of the signatures included in filter. default enables the filter and only use filters with default status of enable. Filters with default status of disable will not be used.
disable: Disable status of selected rules.
enable: Enable status of selected rules.
default: Default.
option -
log Enable/disable logging of signatures included in filter.
disable: Disable logging of selected rules.
enable: Enable logging of selected rules.
option -
log-packet Enable/disable packet logging. Enable to save the packet that triggers the filter. You can download the packets in pcap format for diagnostic use.
disable: Disable packet logging of selected rules.
enable: Enable packet logging of selected rules.
option -
log-attack-context Enable/disable logging of attack context: URL buffer, header buffer, body buffer, packet buffer.
disable: Disable logging of detailed attack context.
enable: Enable logging of detailed attack context.
option -
action Action taken with traffic in which signatures are detected.
pass: Pass or allow matching traffic.
block: Block or drop matching traffic.
reset: Reset sessions for matching traffic.
default: Pass or drop matching traffic, depending on the default action of the signature.
option -
rate-count Count of the rate. integer Minimum value: 0 Maximum value: 65535
rate-duration Duration (sec) of the rate. integer Minimum value: 1 Maximum value: 65535
rate-mode Rate limit mode.
periodical: Allow configured number of packets every rate-duration.
continuous: Block packets once the rate is reached.
option -
rate-track Track the packet protocol field.
none: none
src-ip: Source IP.
dest-ip: Destination IP.
dhcp-client-mac: DHCP client.
dns-domain: DNS domain.
option -
quarantine Quarantine method.
none: Quarantine is disabled.
attacker: Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
option -
quarantine-expiry Duration of quarantine. (Format ###d##h##m, minimum 1m, maximum 364d23h59m, default = 5m). Requires quarantine set to attacker. user Not Specified
quarantine-log Enable/disable quarantine logging.
disable: Disable quarantine logging.
enable: Enable quarantine logging.
option -

config exempt-ip

Parameter Name Description Type Size
src-ip Source IP address and netmask. ipv4-classnet Not Specified
dst-ip Destination IP address and netmask. ipv4-classnet Not Specified
src-ip Source IP address and netmask. ipv4-classnet Not Specified
dst-ip Destination IP address and netmask. ipv4-classnet Not Specified

config filter

Parameter Name Description Type Size
location Vulnerability location filter. user Not Specified
severity Vulnerability severity filter. user Not Specified
protocol Vulnerable protocol filter. user Not Specified
os Vulnerable OS filter. user Not Specified
application Vulnerable application filter. user Not Specified
status Selected rules status.
disable: Disable status of selected rules.
enable: Enable status of selected rules.
default: Default.
option -
log Enable/disable logging of selected rules.
disable: Disable logging of selected rules.
enable: Enable logging of selected rules.
option -
log-packet Enable/disable packet logging of selected rules.
disable: Disable packet logging of selected rules.
enable: Enable packet logging of selected rules.
option -
action Action of selected rules.
pass: Pass or allow matching traffic.
block: Block or drop matching traffic.
reset: Reset sessions for matching traffic.
default: Pass or drop matching traffic, depending on the default action of the signature.
option -
quarantine Quarantine IP or interface.
none: Quarantine is disabled.
attacker: Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
option -
quarantine-expiry Duration of quarantine in minute. integer Minimum value: 1 Maximum value: 2147483647
quarantine-log Enable/disable logging of selected quarantine.
disable: Disable logging of selected quarantine.
enable: Enable logging of selected quarantine.
option -

config override

Parameter Name Description Type Size
status Enable/disable status of override rule.
disable: Disable status of override rule.
enable: Enable status of override rule.
option -
log Enable/disable logging.
disable: Disable logging.
enable: Enable logging.
option -
log-packet Enable/disable packet logging.
disable: Disable packet logging.
enable: Enable packet logging.
option -
action Action of override rule.
pass: Pass or allow matching traffic.
block: Block or drop matching traffic.
reset: Reset sessions for matching traffic.
option -
quarantine Quarantine IP or interface.
none: Quarantine is disabled.
attacker: Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
option -
quarantine-expiry Duration of quarantine in minute. integer Minimum value: 1 Maximum value: 2147483647
quarantine-log Enable/disable logging of selected quarantine.
disable: Disable logging of selected quarantine.
enable: Enable logging of selected quarantine.
option -

Configure IPS sensor.

  config ips sensor
      Description: Configure IPS sensor.
      edit <name>
          set comment {var-string}
          set replacemsg-group {string}
          set block-malicious-url [disable|enable]
          set scan-botnet-connections [disable|block|...]
          set extended-log [enable|disable]
          config entries
              Description: IPS sensor filter.
              edit <id>
                  set rule <id1>, <id2>, ...
                  set location {user}
                  set severity {user}
                  set protocol {user}
                  set os {user}
                  set application {user}
                  set status [disable|enable|...]
                  set log [disable|enable]
                  set log-packet [disable|enable]
                  set log-attack-context [disable|enable]
                  set action [pass|block|...]
                  set rate-count {integer}
                  set rate-duration {integer}
                  set rate-mode [periodical|continuous]
                  set rate-track [none|src-ip|...]
                  config exempt-ip
                      Description: Traffic from selected source or destination IP addresses is exempt from this signature.
                      edit <id>
                          set src-ip {ipv4-classnet}
                          set dst-ip {ipv4-classnet}
                      next
                  end
                  set quarantine [none|attacker]
                  set quarantine-expiry {user}
                  set quarantine-log [disable|enable]
              next
          end
          config filter
              Description: IPS sensor filter.
              edit <name>
                  set location {user}
                  set severity {user}
                  set protocol {user}
                  set os {user}
                  set application {user}
                  set status [disable|enable|...]
                  set log [disable|enable]
                  set log-packet [disable|enable]
                  set action [pass|block|...]
                  set quarantine [none|attacker]
                  set quarantine-expiry {integer}
                  set quarantine-log [disable|enable]
              next
          end
          config override
              Description: IPS override rule.
              edit <rule-id>
                  set status [disable|enable]
                  set log [disable|enable]
                  set log-packet [disable|enable]
                  set action [pass|block|...]
                  set quarantine [none|attacker]
                  set quarantine-expiry {integer}
                  set quarantine-log [disable|enable]
                  config exempt-ip
                      Description: Exempted IP.
                      edit <id>
                          set src-ip {ipv4-classnet}
                          set dst-ip {ipv4-classnet}
                      next
                  end
              next
          end
      next
  end

config ips sensor

Parameter Name Description Type Size
comment Comment. var-string Maximum length: 255
replacemsg-group Replacement message group. string Maximum length: 35
block-malicious-url Enable/disable malicious URL blocking.
disable: Disable malicious URL blocking.
enable: Enable malicious URL blocking.
option -
scan-botnet-connections Block or monitor connections to Botnet servers, or disable Botnet scanning.
disable: Do not scan connections to botnet servers.
block: Block connections to botnet servers.
monitor: Log connections to botnet servers.
option -
extended-log Enable/disable extended logging.
enable: Enable setting.
disable: Disable setting.
option -

config entries

Parameter Name Description Type Size
rule <id> Identifies the predefined or custom IPS signatures to add to the sensor.
Rule IPS.
integer Minimum value: 0 Maximum value: 4294967295
location Protect client or server traffic. user Not Specified
severity Relative severity of the signature, from info to critical. Log messages generated by the signature include the severity. user Not Specified
protocol Protocols to be examined. set protocol ? lists available protocols. all includes all protocols. other includes all unlisted protocols. user Not Specified
os Operating systems to be protected. all includes all operating systems. other includes all unlisted operating systems. user Not Specified
application Applications to be protected. set application ? lists available applications. all includes all applications. other includes all unlisted applications. user Not Specified
status Status of the signatures included in filter. default enables the filter and only use filters with default status of enable. Filters with default status of disable will not be used.
disable: Disable status of selected rules.
enable: Enable status of selected rules.
default: Default.
option -
log Enable/disable logging of signatures included in filter.
disable: Disable logging of selected rules.
enable: Enable logging of selected rules.
option -
log-packet Enable/disable packet logging. Enable to save the packet that triggers the filter. You can download the packets in pcap format for diagnostic use.
disable: Disable packet logging of selected rules.
enable: Enable packet logging of selected rules.
option -
log-attack-context Enable/disable logging of attack context: URL buffer, header buffer, body buffer, packet buffer.
disable: Disable logging of detailed attack context.
enable: Enable logging of detailed attack context.
option -
action Action taken with traffic in which signatures are detected.
pass: Pass or allow matching traffic.
block: Block or drop matching traffic.
reset: Reset sessions for matching traffic.
default: Pass or drop matching traffic, depending on the default action of the signature.
option -
rate-count Count of the rate. integer Minimum value: 0 Maximum value: 65535
rate-duration Duration (sec) of the rate. integer Minimum value: 1 Maximum value: 65535
rate-mode Rate limit mode.
periodical: Allow configured number of packets every rate-duration.
continuous: Block packets once the rate is reached.
option -
rate-track Track the packet protocol field.
none: none
src-ip: Source IP.
dest-ip: Destination IP.
dhcp-client-mac: DHCP client.
dns-domain: DNS domain.
option -
quarantine Quarantine method.
none: Quarantine is disabled.
attacker: Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
option -
quarantine-expiry Duration of quarantine. (Format ###d##h##m, minimum 1m, maximum 364d23h59m, default = 5m). Requires quarantine set to attacker. user Not Specified
quarantine-log Enable/disable quarantine logging.
disable: Disable quarantine logging.
enable: Enable quarantine logging.
option -

config exempt-ip

Parameter Name Description Type Size
src-ip Source IP address and netmask. ipv4-classnet Not Specified
dst-ip Destination IP address and netmask. ipv4-classnet Not Specified
src-ip Source IP address and netmask. ipv4-classnet Not Specified
dst-ip Destination IP address and netmask. ipv4-classnet Not Specified

config filter

Parameter Name Description Type Size
location Vulnerability location filter. user Not Specified
severity Vulnerability severity filter. user Not Specified
protocol Vulnerable protocol filter. user Not Specified
os Vulnerable OS filter. user Not Specified
application Vulnerable application filter. user Not Specified
status Selected rules status.
disable: Disable status of selected rules.
enable: Enable status of selected rules.
default: Default.
option -
log Enable/disable logging of selected rules.
disable: Disable logging of selected rules.
enable: Enable logging of selected rules.
option -
log-packet Enable/disable packet logging of selected rules.
disable: Disable packet logging of selected rules.
enable: Enable packet logging of selected rules.
option -
action Action of selected rules.
pass: Pass or allow matching traffic.
block: Block or drop matching traffic.
reset: Reset sessions for matching traffic.
default: Pass or drop matching traffic, depending on the default action of the signature.
option -
quarantine Quarantine IP or interface.
none: Quarantine is disabled.
attacker: Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
option -
quarantine-expiry Duration of quarantine in minute. integer Minimum value: 1 Maximum value: 2147483647
quarantine-log Enable/disable logging of selected quarantine.
disable: Disable logging of selected quarantine.
enable: Enable logging of selected quarantine.
option -

config override

Parameter Name Description Type Size
status Enable/disable status of override rule.
disable: Disable status of override rule.
enable: Enable status of override rule.
option -
log Enable/disable logging.
disable: Disable logging.
enable: Enable logging.
option -
log-packet Enable/disable packet logging.
disable: Disable packet logging.
enable: Enable packet logging.
option -
action Action of override rule.
pass: Pass or allow matching traffic.
block: Block or drop matching traffic.
reset: Reset sessions for matching traffic.
option -
quarantine Quarantine IP or interface.
none: Quarantine is disabled.
attacker: Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
option -
quarantine-expiry Duration of quarantine in minute. integer Minimum value: 1 Maximum value: 2147483647
quarantine-log Enable/disable logging of selected quarantine.
disable: Disable logging of selected quarantine.
enable: Enable logging of selected quarantine.
option -