Fortinet black logo

CLI Reference

config ips sensor

config ips sensor

Configure IPS sensor.

config ips sensor

Description: Configure IPS sensor.

edit <name>

set comment {var-string}

set replacemsg-group {string}

set block-malicious-url [disable|enable]

set scan-botnet-connections [disable|block|...]

set extended-log [enable|disable]

config entries

Description: IPS sensor filter.

edit <id>

set rule <id1>, <id2>, ...

set location {user}

set severity {user}

set protocol {user}

set os {user}

set application {user}

set status [disable|enable|...]

set log [disable|enable]

set log-packet [disable|enable]

set log-attack-context [disable|enable]

set action [pass|block|...]

set rate-count {integer}

set rate-duration {integer}

set rate-mode [periodical|continuous]

set rate-track [none|src-ip|...]

config exempt-ip

Description: Traffic from selected source or destination IP addresses is exempt from this signature.

edit <id>

set src-ip {ipv4-classnet}

set dst-ip {ipv4-classnet}

next

end

set quarantine [none|attacker]

set quarantine-expiry {user}

set quarantine-log [disable|enable]

next

end

config filter

Description: IPS sensor filter.

edit <name>

set location {user}

set severity {user}

set protocol {user}

set os {user}

set application {user}

set status [disable|enable|...]

set log [disable|enable]

set log-packet [disable|enable]

set action [pass|block|...]

set quarantine [none|attacker]

set quarantine-expiry {integer}

set quarantine-log [disable|enable]

next

end

config override

Description: IPS override rule.

edit <rule-id>

set status [disable|enable]

set log [disable|enable]

set log-packet [disable|enable]

set action [pass|block|...]

set quarantine [none|attacker]

set quarantine-expiry {integer}

set quarantine-log [disable|enable]

config exempt-ip

Description: Exempted IP.

edit <id>

set src-ip {ipv4-classnet}

set dst-ip {ipv4-classnet}

next

end

next

end

next

end

config ips sensor

Parameter name

Description

Type

Size

comment

Comment.

var-string

Maximum length: 255

replacemsg-group

Replacement message group.

string

Maximum length: 35

block-malicious-url

Enable/disable malicious URL blocking.

option

-

Option

Description

disable

Disable malicious URL blocking.

enable

Enable malicious URL blocking.

scan-botnet-connections

Block or monitor connections to Botnet servers, or disable Botnet scanning.

option

-

Option

Description

disable

Do not scan connections to botnet servers.

block

Block connections to botnet servers.

monitor

Log connections to botnet servers.

extended-log

Enable/disable extended logging.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

config entries

Parameter name

Description

Type

Size

rule <id>

Identifies the predefined or custom IPS signatures to add to the sensor.

Rule IPS.

integer

Minimum value: 0 Maximum value: 4294967295

location

Protect client or server traffic.

user

Not Specified

severity

Relative severity of the signature, from info to critical. Log messages generated by the signature include the severity.

user

Not Specified

protocol

Protocols to be examined. set protocol ? lists available protocols. all includes all protocols. other includes all unlisted protocols.

user

Not Specified

os

Operating systems to be protected. all includes all operating systems. other includes all unlisted operating systems.

user

Not Specified

application

Applications to be protected. set application ? lists available applications. all includes all applications. other includes all unlisted applications.

user

Not Specified

status

Status of the signatures included in filter. default enables the filter and only use filters with default status of enable. Filters with default status of disable will not be used.

option

-

Option

Description

disable

Disable status of selected rules.

enable

Enable status of selected rules.

default

Default.

log

Enable/disable logging of signatures included in filter.

option

-

Option

Description

disable

Disable logging of selected rules.

enable

Enable logging of selected rules.

log-packet

Enable/disable packet logging. Enable to save the packet that triggers the filter. You can download the packets in pcap format for diagnostic use.

option

-

Option

Description

disable

Disable packet logging of selected rules.

enable

Enable packet logging of selected rules.

log-attack-context

Enable/disable logging of attack context: URL buffer, header buffer, body buffer, packet buffer.

option

-

Option

Description

disable

Disable logging of detailed attack context.

enable

Enable logging of detailed attack context.

action

Action taken with traffic in which signatures are detected.

option

-

Option

Description

pass

Pass or allow matching traffic.

block

Block or drop matching traffic.

reset

Reset sessions for matching traffic.

default

Pass or drop matching traffic, depending on the default action of the signature.

rate-count

Count of the rate.

integer

Minimum value: 0 Maximum value: 65535

rate-duration

Duration (sec) of the rate.

integer

Minimum value: 1 Maximum value: 65535

rate-mode

Rate limit mode.

option

-

Option

Description

periodical

Allow configured number of packets every rate-duration.

continuous

Block packets once the rate is reached.

rate-track

Track the packet protocol field.

option

-

Option

Description

none

none

src-ip

Source IP.

dest-ip

Destination IP.

dhcp-client-mac

DHCP client.

dns-domain

DNS domain.

quarantine

Quarantine method.

option

-

Option

Description

none

Quarantine is disabled.

attacker

Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.

quarantine-expiry

Duration of quarantine. (Format ###d##h##m, minimum 1m, maximum 364d23h59m, default = 5m). Requires quarantine set to attacker.

user

Not Specified

quarantine-log

Enable/disable quarantine logging.

option

-

Option

Description

disable

Disable quarantine logging.

enable

Enable quarantine logging.

config exempt-ip

Parameter name

Description

Type

Size

src-ip

Source IP address and netmask.

ipv4-classnet

Not Specified

dst-ip

Destination IP address and netmask.

ipv4-classnet

Not Specified

config filter

Parameter name

Description

Type

Size

location

Vulnerability location filter.

user

Not Specified

severity

Vulnerability severity filter.

user

Not Specified

protocol

Vulnerable protocol filter.

user

Not Specified

os

Vulnerable OS filter.

user

Not Specified

application

Vulnerable application filter.

user

Not Specified

status

Selected rules status.

option

-

Option

Description

disable

Disable status of selected rules.

enable

Enable status of selected rules.

default

Default.

log

Enable/disable logging of selected rules.

option

-

Option

Description

disable

Disable logging of selected rules.

enable

Enable logging of selected rules.

log-packet

Enable/disable packet logging of selected rules.

option

-

Option

Description

disable

Disable packet logging of selected rules.

enable

Enable packet logging of selected rules.

action

Action of selected rules.

option

-

Option

Description

pass

Pass or allow matching traffic.

block

Block or drop matching traffic.

reset

Reset sessions for matching traffic.

default

Pass or drop matching traffic, depending on the default action of the signature.

quarantine

Quarantine IP or interface.

option

-

Option

Description

none

Quarantine is disabled.

attacker

Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.

quarantine-expiry

Duration of quarantine in minute.

integer

Minimum value: 1 Maximum value: 2147483647

quarantine-log

Enable/disable logging of selected quarantine.

option

-

Option

Description

disable

Disable logging of selected quarantine.

enable

Enable logging of selected quarantine.

config override

Parameter name

Description

Type

Size

status

Enable/disable status of override rule.

option

-

Option

Description

disable

Disable status of override rule.

enable

Enable status of override rule.

log

Enable/disable logging.

option

-

Option

Description

disable

Disable logging.

enable

Enable logging.

log-packet

Enable/disable packet logging.

option

-

Option

Description

disable

Disable packet logging.

enable

Enable packet logging.

action

Action of override rule.

option

-

Option

Description

pass

Pass or allow matching traffic.

block

Block or drop matching traffic.

reset

Reset sessions for matching traffic.

quarantine

Quarantine IP or interface.

option

-

Option

Description

none

Quarantine is disabled.

attacker

Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.

quarantine-expiry

Duration of quarantine in minute.

integer

Minimum value: 1 Maximum value: 2147483647

quarantine-log

Enable/disable logging of selected quarantine.

option

-

Option

Description

disable

Disable logging of selected quarantine.

enable

Enable logging of selected quarantine.

config exempt-ip

Parameter name

Description

Type

Size

src-ip

Source IP address and netmask.

ipv4-classnet

Not Specified

dst-ip

Destination IP address and netmask.

ipv4-classnet

Not Specified

config ips sensor

Configure IPS sensor.

config ips sensor

Description: Configure IPS sensor.

edit <name>

set comment {var-string}

set replacemsg-group {string}

set block-malicious-url [disable|enable]

set scan-botnet-connections [disable|block|...]

set extended-log [enable|disable]

config entries

Description: IPS sensor filter.

edit <id>

set rule <id1>, <id2>, ...

set location {user}

set severity {user}

set protocol {user}

set os {user}

set application {user}

set status [disable|enable|...]

set log [disable|enable]

set log-packet [disable|enable]

set log-attack-context [disable|enable]

set action [pass|block|...]

set rate-count {integer}

set rate-duration {integer}

set rate-mode [periodical|continuous]

set rate-track [none|src-ip|...]

config exempt-ip

Description: Traffic from selected source or destination IP addresses is exempt from this signature.

edit <id>

set src-ip {ipv4-classnet}

set dst-ip {ipv4-classnet}

next

end

set quarantine [none|attacker]

set quarantine-expiry {user}

set quarantine-log [disable|enable]

next

end

config filter

Description: IPS sensor filter.

edit <name>

set location {user}

set severity {user}

set protocol {user}

set os {user}

set application {user}

set status [disable|enable|...]

set log [disable|enable]

set log-packet [disable|enable]

set action [pass|block|...]

set quarantine [none|attacker]

set quarantine-expiry {integer}

set quarantine-log [disable|enable]

next

end

config override

Description: IPS override rule.

edit <rule-id>

set status [disable|enable]

set log [disable|enable]

set log-packet [disable|enable]

set action [pass|block|...]

set quarantine [none|attacker]

set quarantine-expiry {integer}

set quarantine-log [disable|enable]

config exempt-ip

Description: Exempted IP.

edit <id>

set src-ip {ipv4-classnet}

set dst-ip {ipv4-classnet}

next

end

next

end

next

end

config ips sensor

Parameter name

Description

Type

Size

comment

Comment.

var-string

Maximum length: 255

replacemsg-group

Replacement message group.

string

Maximum length: 35

block-malicious-url

Enable/disable malicious URL blocking.

option

-

Option

Description

disable

Disable malicious URL blocking.

enable

Enable malicious URL blocking.

scan-botnet-connections

Block or monitor connections to Botnet servers, or disable Botnet scanning.

option

-

Option

Description

disable

Do not scan connections to botnet servers.

block

Block connections to botnet servers.

monitor

Log connections to botnet servers.

extended-log

Enable/disable extended logging.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

config entries

Parameter name

Description

Type

Size

rule <id>

Identifies the predefined or custom IPS signatures to add to the sensor.

Rule IPS.

integer

Minimum value: 0 Maximum value: 4294967295

location

Protect client or server traffic.

user

Not Specified

severity

Relative severity of the signature, from info to critical. Log messages generated by the signature include the severity.

user

Not Specified

protocol

Protocols to be examined. set protocol ? lists available protocols. all includes all protocols. other includes all unlisted protocols.

user

Not Specified

os

Operating systems to be protected. all includes all operating systems. other includes all unlisted operating systems.

user

Not Specified

application

Applications to be protected. set application ? lists available applications. all includes all applications. other includes all unlisted applications.

user

Not Specified

status

Status of the signatures included in filter. default enables the filter and only use filters with default status of enable. Filters with default status of disable will not be used.

option

-

Option

Description

disable

Disable status of selected rules.

enable

Enable status of selected rules.

default

Default.

log

Enable/disable logging of signatures included in filter.

option

-

Option

Description

disable

Disable logging of selected rules.

enable

Enable logging of selected rules.

log-packet

Enable/disable packet logging. Enable to save the packet that triggers the filter. You can download the packets in pcap format for diagnostic use.

option

-

Option

Description

disable

Disable packet logging of selected rules.

enable

Enable packet logging of selected rules.

log-attack-context

Enable/disable logging of attack context: URL buffer, header buffer, body buffer, packet buffer.

option

-

Option

Description

disable

Disable logging of detailed attack context.

enable

Enable logging of detailed attack context.

action

Action taken with traffic in which signatures are detected.

option

-

Option

Description

pass

Pass or allow matching traffic.

block

Block or drop matching traffic.

reset

Reset sessions for matching traffic.

default

Pass or drop matching traffic, depending on the default action of the signature.

rate-count

Count of the rate.

integer

Minimum value: 0 Maximum value: 65535

rate-duration

Duration (sec) of the rate.

integer

Minimum value: 1 Maximum value: 65535

rate-mode

Rate limit mode.

option

-

Option

Description

periodical

Allow configured number of packets every rate-duration.

continuous

Block packets once the rate is reached.

rate-track

Track the packet protocol field.

option

-

Option

Description

none

none

src-ip

Source IP.

dest-ip

Destination IP.

dhcp-client-mac

DHCP client.

dns-domain

DNS domain.

quarantine

Quarantine method.

option

-

Option

Description

none

Quarantine is disabled.

attacker

Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.

quarantine-expiry

Duration of quarantine. (Format ###d##h##m, minimum 1m, maximum 364d23h59m, default = 5m). Requires quarantine set to attacker.

user

Not Specified

quarantine-log

Enable/disable quarantine logging.

option

-

Option

Description

disable

Disable quarantine logging.

enable

Enable quarantine logging.

config exempt-ip

Parameter name

Description

Type

Size

src-ip

Source IP address and netmask.

ipv4-classnet

Not Specified

dst-ip

Destination IP address and netmask.

ipv4-classnet

Not Specified

config filter

Parameter name

Description

Type

Size

location

Vulnerability location filter.

user

Not Specified

severity

Vulnerability severity filter.

user

Not Specified

protocol

Vulnerable protocol filter.

user

Not Specified

os

Vulnerable OS filter.

user

Not Specified

application

Vulnerable application filter.

user

Not Specified

status

Selected rules status.

option

-

Option

Description

disable

Disable status of selected rules.

enable

Enable status of selected rules.

default

Default.

log

Enable/disable logging of selected rules.

option

-

Option

Description

disable

Disable logging of selected rules.

enable

Enable logging of selected rules.

log-packet

Enable/disable packet logging of selected rules.

option

-

Option

Description

disable

Disable packet logging of selected rules.

enable

Enable packet logging of selected rules.

action

Action of selected rules.

option

-

Option

Description

pass

Pass or allow matching traffic.

block

Block or drop matching traffic.

reset

Reset sessions for matching traffic.

default

Pass or drop matching traffic, depending on the default action of the signature.

quarantine

Quarantine IP or interface.

option

-

Option

Description

none

Quarantine is disabled.

attacker

Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.

quarantine-expiry

Duration of quarantine in minute.

integer

Minimum value: 1 Maximum value: 2147483647

quarantine-log

Enable/disable logging of selected quarantine.

option

-

Option

Description

disable

Disable logging of selected quarantine.

enable

Enable logging of selected quarantine.

config override

Parameter name

Description

Type

Size

status

Enable/disable status of override rule.

option

-

Option

Description

disable

Disable status of override rule.

enable

Enable status of override rule.

log

Enable/disable logging.

option

-

Option

Description

disable

Disable logging.

enable

Enable logging.

log-packet

Enable/disable packet logging.

option

-

Option

Description

disable

Disable packet logging.

enable

Enable packet logging.

action

Action of override rule.

option

-

Option

Description

pass

Pass or allow matching traffic.

block

Block or drop matching traffic.

reset

Reset sessions for matching traffic.

quarantine

Quarantine IP or interface.

option

-

Option

Description

none

Quarantine is disabled.

attacker

Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.

quarantine-expiry

Duration of quarantine in minute.

integer

Minimum value: 1 Maximum value: 2147483647

quarantine-log

Enable/disable logging of selected quarantine.

option

-

Option

Description

disable

Disable logging of selected quarantine.

enable

Enable logging of selected quarantine.

config exempt-ip

Parameter name

Description

Type

Size

src-ip

Source IP address and netmask.

ipv4-classnet

Not Specified

dst-ip

Destination IP address and netmask.

ipv4-classnet

Not Specified