Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    6.4.3
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.0.0
    5.6.0
    5.4.0
    5.2.0
    5.0.0

    ips sensor

    Configure IPS sensor.

      config ips sensor
      Description: Configure IPS sensor.
      edit <name>
          set comment {var-string}
          set replacemsg-group {string}
          set block-malicious-url [disable|enable]
          set scan-botnet-connections [disable|block|...]
          set extended-log [enable|disable]
          config entries
              Description: IPS sensor filter.
              edit <id>
                  set rule <id1>, <id2>, ...
                  set location {user}
                  set severity {user}
                  set protocol {user}
                  set os {user}
                  set application {user}
                  set cve <cve-entry1>, <cve-entry2>, ...
                  set status [disable|enable|...]
                  set log [disable|enable]
                  set log-packet [disable|enable]
                  set log-attack-context [disable|enable]
                  set action [pass|block|...]
                  set rate-count {integer}
                  set rate-duration {integer}
                  set rate-mode [periodical|continuous]
                  set rate-track [none|src-ip|...]
                  config exempt-ip
                      Description: Traffic from selected source or destination IP addresses is exempt from this signature.
                      edit <id>
                          set src-ip {ipv4-classnet}
                          set dst-ip {ipv4-classnet}
                      next
                  end
                  set quarantine [none|attacker]
                  set quarantine-expiry {user}
                  set quarantine-log [disable|enable]
              next
          end
      next
  end

    config ips sensor

    Parameter Name Description Type Size
    comment Comment. var-string Maximum length: 255
    replacemsg-group Replacement message group. string Maximum length: 35
    block-malicious-url Enable/disable malicious URL blocking.
    disable: Disable malicious URL blocking.
    enable: Enable malicious URL blocking.
    		 option -
    scan-botnet-connections Block or monitor connections to Botnet servers, or disable Botnet scanning.
    disable: Do not scan connections to botnet servers.
    block: Block connections to botnet servers.
    monitor: Log connections to botnet servers.
    		 option -
    extended-log Enable/disable extended logging.
    enable: Enable setting.
    disable: Disable setting.
    		 option -

    config entries

    Parameter Name Description Type Size
    rule <id> Identifies the predefined or custom IPS signatures to add to the sensor.
    Rule IPS.    		 integer Minimum value: 0 Maximum value: 4294967295
    location Protect client or server traffic. user Not Specified
    severity Relative severity of the signature, from info to critical. Log messages generated by the signature include the severity. user Not Specified
    protocol Protocols to be examined. set protocol ? lists available protocols. all includes all protocols. other includes all unlisted protocols. user Not Specified
    os Operating systems to be protected. all includes all operating systems. other includes all unlisted operating systems. user Not Specified
    application Applications to be protected. set application ? lists available applications. all includes all applications. other includes all unlisted applications. user Not Specified
    cve <cve-entry> List of CVE IDs of the signatures to add to the sensor
    CVE IDs or CVE wildcards.    		 string Maximum length: 19
    status Status of the signatures included in filter. default enables the filter and only use filters with default status of enable. Filters with default status of disable will not be used.
    disable: Disable status of selected rules.
    enable: Enable status of selected rules.
    default: Default.
    		 option -
    log Enable/disable logging of signatures included in filter.
    disable: Disable logging of selected rules.
    enable: Enable logging of selected rules.
    		 option -
    log-packet Enable/disable packet logging. Enable to save the packet that triggers the filter. You can download the packets in pcap format for diagnostic use.
    disable: Disable packet logging of selected rules.
    enable: Enable packet logging of selected rules.
    		 option -
    log-attack-context Enable/disable logging of attack context: URL buffer, header buffer, body buffer, packet buffer.
    disable: Disable logging of detailed attack context.
    enable: Enable logging of detailed attack context.
    		 option -
    action Action taken with traffic in which signatures are detected.
    pass: Pass or allow matching traffic.
    block: Block or drop matching traffic.
    reset: Reset sessions for matching traffic.
    default: Pass or drop matching traffic, depending on the default action of the signature.
    		 option -
    rate-count Count of the rate. integer Minimum value: 0 Maximum value: 65535
    rate-duration Duration (sec) of the rate. integer Minimum value: 1 Maximum value: 65535
    rate-mode Rate limit mode.
    periodical: Allow configured number of packets every rate-duration.
    continuous: Block packets once the rate is reached.
    		 option -
    rate-track Track the packet protocol field.
    none: none
    src-ip: Source IP.
    dest-ip: Destination IP.
    dhcp-client-mac: DHCP client.
    dns-domain: DNS domain.
    		 option -
    quarantine Quarantine method.
    none: Quarantine is disabled.
    attacker: Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
    		 option -
    quarantine-expiry Duration of quarantine. (Format ###d##h##m, minimum 1m, maximum 364d23h59m, default = 5m). Requires quarantine set to attacker. user Not Specified
    quarantine-log Enable/disable quarantine logging.
    disable: Disable quarantine logging.
    enable: Enable quarantine logging.
    		 option -

    config exempt-ip

    Parameter Name Description Type Size
    src-ip Source IP address and netmask. ipv4-classnet Not Specified
    dst-ip Destination IP address and netmask. ipv4-classnet Not Specified
    Previous
    Next

    ips sensor

    Configure IPS sensor.

      config ips sensor
      Description: Configure IPS sensor.
      edit <name>
          set comment {var-string}
          set replacemsg-group {string}
          set block-malicious-url [disable|enable]
          set scan-botnet-connections [disable|block|...]
          set extended-log [enable|disable]
          config entries
              Description: IPS sensor filter.
              edit <id>
                  set rule <id1>, <id2>, ...
                  set location {user}
                  set severity {user}
                  set protocol {user}
                  set os {user}
                  set application {user}
                  set cve <cve-entry1>, <cve-entry2>, ...
                  set status [disable|enable|...]
                  set log [disable|enable]
                  set log-packet [disable|enable]
                  set log-attack-context [disable|enable]
                  set action [pass|block|...]
                  set rate-count {integer}
                  set rate-duration {integer}
                  set rate-mode [periodical|continuous]
                  set rate-track [none|src-ip|...]
                  config exempt-ip
                      Description: Traffic from selected source or destination IP addresses is exempt from this signature.
                      edit <id>
                          set src-ip {ipv4-classnet}
                          set dst-ip {ipv4-classnet}
                      next
                  end
                  set quarantine [none|attacker]
                  set quarantine-expiry {user}
                  set quarantine-log [disable|enable]
              next
          end
      next
  end

    config ips sensor

    Parameter Name Description Type Size
    comment Comment. var-string Maximum length: 255
    replacemsg-group Replacement message group. string Maximum length: 35
    block-malicious-url Enable/disable malicious URL blocking.
    disable: Disable malicious URL blocking.
    enable: Enable malicious URL blocking.
    		 option -
    scan-botnet-connections Block or monitor connections to Botnet servers, or disable Botnet scanning.
    disable: Do not scan connections to botnet servers.
    block: Block connections to botnet servers.
    monitor: Log connections to botnet servers.
    		 option -
    extended-log Enable/disable extended logging.
    enable: Enable setting.
    disable: Disable setting.
    		 option -

    config entries

    Parameter Name Description Type Size
    rule <id> Identifies the predefined or custom IPS signatures to add to the sensor.
    Rule IPS.    		 integer Minimum value: 0 Maximum value: 4294967295
    location Protect client or server traffic. user Not Specified
    severity Relative severity of the signature, from info to critical. Log messages generated by the signature include the severity. user Not Specified
    protocol Protocols to be examined. set protocol ? lists available protocols. all includes all protocols. other includes all unlisted protocols. user Not Specified
    os Operating systems to be protected. all includes all operating systems. other includes all unlisted operating systems. user Not Specified
    application Applications to be protected. set application ? lists available applications. all includes all applications. other includes all unlisted applications. user Not Specified
    cve <cve-entry> List of CVE IDs of the signatures to add to the sensor
    CVE IDs or CVE wildcards.    		 string Maximum length: 19
    status Status of the signatures included in filter. default enables the filter and only use filters with default status of enable. Filters with default status of disable will not be used.
    disable: Disable status of selected rules.
    enable: Enable status of selected rules.
    default: Default.
    		 option -
    log Enable/disable logging of signatures included in filter.
    disable: Disable logging of selected rules.
    enable: Enable logging of selected rules.
    		 option -
    log-packet Enable/disable packet logging. Enable to save the packet that triggers the filter. You can download the packets in pcap format for diagnostic use.
    disable: Disable packet logging of selected rules.
    enable: Enable packet logging of selected rules.
    		 option -
    log-attack-context Enable/disable logging of attack context: URL buffer, header buffer, body buffer, packet buffer.
    disable: Disable logging of detailed attack context.
    enable: Enable logging of detailed attack context.
    		 option -
    action Action taken with traffic in which signatures are detected.
    pass: Pass or allow matching traffic.
    block: Block or drop matching traffic.
    reset: Reset sessions for matching traffic.
    default: Pass or drop matching traffic, depending on the default action of the signature.
    		 option -
    rate-count Count of the rate. integer Minimum value: 0 Maximum value: 65535
    rate-duration Duration (sec) of the rate. integer Minimum value: 1 Maximum value: 65535
    rate-mode Rate limit mode.
    periodical: Allow configured number of packets every rate-duration.
    continuous: Block packets once the rate is reached.
    		 option -
    rate-track Track the packet protocol field.
    none: none
    src-ip: Source IP.
    dest-ip: Destination IP.
    dhcp-client-mac: DHCP client.
    dns-domain: DNS domain.
    		 option -
    quarantine Quarantine method.
    none: Quarantine is disabled.
    attacker: Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
    		 option -
    quarantine-expiry Duration of quarantine. (Format ###d##h##m, minimum 1m, maximum 364d23h59m, default = 5m). Requires quarantine set to attacker. user Not Specified
    quarantine-log Enable/disable quarantine logging.
    disable: Disable quarantine logging.
    enable: Enable quarantine logging.
    		 option -

    config exempt-ip

    Parameter Name Description Type Size
    src-ip Source IP address and netmask. ipv4-classnet Not Specified
    dst-ip Destination IP address and netmask. ipv4-classnet Not Specified
    Previous
    Next