Fortinet Document Library

CLI Reference

Configure IPS global parameter.

  config ips global
      Description: Configure IPS global parameter.
      set fail-open [enable|disable]
      set database [regular|extended]
      set traffic-submit [enable|disable]
      set anomaly-mode [periodical|continuous]
      set session-limit-mode [accurate|heuristic]
      set intelligent-mode [enable|disable]
      set socket-size {integer}
      set engine-count {integer}
      set sync-session-ttl [enable|disable]
      set np-accel-mode [none|basic]
      set ips-reserve-cpu [disable|enable]
      set cp-accel-mode [none|basic|...]
      set skype-client-public-ipaddr {var-string}
      set deep-app-insp-timeout {integer}
      set deep-app-insp-db-limit {integer}
      set exclude-signatures [none|industrial]
      set packet-log-queue-depth {integer}
      config tls-active-probe
          Description: TLS active probe configuration.
          set interface-select-method [auto|sdwan|...]
          set interface {string}
          set vdom {string}
          set source-ip {ipv4-address}
          set source-ip6 {ipv6-address}
      end
  end

config ips global

Each parameter is listed as name (type, size), followed by its description and, for option types, the allowed values.

fail-open (option)
    Enable to allow traffic if the IPS process crashes. Default is disable and IPS traffic is blocked when the IPS process crashes.
    enable: Enable IPS fail open.
    disable: Disable IPS fail open.

database (option)
    Regular or extended IPS database. Regular protects against the latest common and in-the-wild attacks. Extended includes protection from legacy attacks.
    regular: IPS regular database package.
    extended: IPS extended database package.

traffic-submit (option)
    Enable/disable submitting attack data found by this FortiGate to FortiGuard.
    enable: Enable traffic submit.
    disable: Disable traffic submit.

anomaly-mode (option)
    Global blocking mode for rate-based anomalies.
    periodical: After an anomaly is detected, allow the number of packets per second according to the anomaly configuration.
    continuous: Block packets once an anomaly is detected. Overrides individual anomaly settings.

session-limit-mode (option)
    Method of counting concurrent sessions used by session limit anomalies. Choose between greater accuracy (accurate) or improved performance (heuristic).
    accurate: Accurately count concurrent sessions; demands more resources.
    heuristic: Use heuristics to estimate the number of concurrent sessions. Acceptable in most cases.

intelligent-mode (option)
    Enable/disable IPS adaptive scanning (intelligent mode). Intelligent mode optimizes the scanning method for the type of traffic.
    enable: Enable intelligent scan mode.
    disable: Disable intelligent scan mode.

socket-size (integer, minimum value 0, maximum value 256)
    IPS socket buffer size. Maximum and default values depend on available memory. Can be changed to tune performance.

engine-count (integer, minimum value 0, maximum value 255)
    Number of IPS engines running. If set to the default value of 0, FortiOS sets the number to optimize performance depending on the number of CPU cores.

sync-session-ttl (option)
    Enable/disable use of kernel session TTL for IPS sessions.
    enable: Enable use of kernel session TTL for IPS sessions.
    disable: Disable use of kernel session TTL for IPS sessions.

np-accel-mode (option)
    Acceleration mode for IPS processing by NPx processors.
    none: NPx acceleration disabled.
    basic: NPx acceleration enabled.

ips-reserve-cpu (option)
    Enable/disable the IPS daemon's use of CPUs other than CPU 0.
    disable: Disable the IPS daemon's use of CPUs other than CPU 0 (all daemons run on all CPUs).
    enable: Enable the IPS daemon's use of CPUs other than CPU 0.

cp-accel-mode (option)
    IPS pattern matching acceleration/offloading to CPx processors.
    none: CPx acceleration/offloading disabled.
    basic: Offload basic pattern matching to CPx processors.
    advanced: Offload more types of pattern matching, resulting in higher throughput than basic mode. Requires two CP8s or one CP9.

skype-client-public-ipaddr (var-string, maximum length 255)
    Public IP addresses of your network that receive Skype sessions. Helps identify Skype sessions. Separate IP addresses with commas.

deep-app-insp-timeout (integer, minimum value 0, maximum value 2147483647)
    Timeout for deep application inspection (1 - 2147483647 sec., 0 = use recommended setting).

deep-app-insp-db-limit (integer, minimum value 0, maximum value 2147483647)
    Limit on the number of entries in the deep application inspection database (1 - 2147483647, 0 = use recommended setting).

exclude-signatures (option)
    Excluded signatures.
    none: No signatures excluded.
    industrial: Exclude industrial signatures.

packet-log-queue-depth (integer, minimum value 128, maximum value 4096)
    Packet/pcap log queue depth per IPS engine.

config tls-active-probe

Each parameter is listed as name (type, size), followed by its description and, for option types, the allowed values.

interface-select-method (option)
    Specify how to select the outgoing interface to reach the server.
    auto: Set outgoing interface automatically.
    sdwan: Set outgoing interface by SD-WAN or policy routing rules.
    specify: Set outgoing interface manually.

interface (string, maximum length 15)
    Specify the outgoing interface to reach the server.

vdom (string, maximum length 31)
    Virtual domain name for TLS active probe.

source-ip (ipv4-address, size not specified)
    Source IP address used for TLS active probe.

source-ip6 (ipv6-address, size not specified)
    Source IPv6 address used for TLS active probe.
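As an added example (not Fortinet's code), the following Python checker parses a `config ips global` block written in the FortiOS CLI syntax shown above, validates each `set` value against the keywords and integer ranges listed in the reference, and flags `fail-open enable`, since that setting passes traffic uninspected if the IPS process crashes. The sample configuration at the end is constructed for the example and not taken from a real device.

```python
import re
# Allowed keywords and integer ranges, taken from the config ips global reference above.
EN = {"enable", "disable"}
OPTIONS = {"fail-open": EN, "traffic-submit": EN, "intelligent-mode": EN, "sync-session-ttl": EN,
           "ips-reserve-cpu": EN, "database": {"regular", "extended"},
           "anomaly-mode": {"periodical", "continuous"}, "session-limit-mode": {"accurate", "heuristic"},
           "np-accel-mode": {"none", "basic"}, "cp-accel-mode": {"none", "basic", "advanced"},
           "exclude-signatures": {"none", "industrial"},
           "tls-active-probe.interface-select-method": {"auto", "sdwan", "specify"}}
RANGES = {"socket-size": (0, 256), "engine-count": (0, 255),
          "packet-log-queue-depth": (128, 4096), "deep-app-insp-timeout": (0, 2147483647),
          "deep-app-insp-db-limit": (0, 2147483647)}
SET_RE = re.compile(r"^\s*set\s+(\S+)\s+(.+?)\s*$")

def parse_ips_global(text):
    # Collect `set name value` pairs inside `config ips global`; keys from the nested
    # tls-active-probe block get a "tls-active-probe." prefix so they stay distinct.
    settings, stack = {}, []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("config "):
            stack.append(s[len("config "):])
        elif s == "end" and stack:
            stack.pop()
        elif stack and stack[0] == "ips global" and (m := SET_RE.match(line)):
            prefix = "" if len(stack) == 1 else stack[-1] + "."
            settings[prefix + m.group(1)] = m.group(2).strip('"')
    return settings

def audit(settings):
    # Report values the reference does not allow, then the one setting that weakens inspection.
    findings = []
    for key, val in settings.items():
        if key in OPTIONS and val not in OPTIONS[key]:
            findings.append(f"{key}: '{val}' is not one of {sorted(OPTIONS[key])}")
        elif key in RANGES:
            lo, hi = RANGES[key]
            if not val.isdigit() or not lo <= int(val) <= hi:
                findings.append(f"{key}: '{val}' is outside {lo}-{hi}")
    if settings.get("fail-open") == "enable":
        findings.append("fail-open: enable passes traffic uninspected if the IPS process crashes")
    return findings

# Constructed sample (not from a real device) with two problems for audit() to catch.
SAMPLE = """config ips global
    set fail-open enable
    set socket-size 512
    config tls-active-probe
        set interface-select-method specify
        set interface "port1"
    end
end"""
```

Running `audit(parse_ips_global(SAMPLE))` returns two findings: the out-of-range socket-size and the fail-open warning.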
