Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    CLI Reference

    7.4.7
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.13
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.19
    7.0.18
    7.0.17
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.16
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.17
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.0.0
    5.6.0
    5.4.0
    5.2.0
    5.0.0

    config ips global

    config ips global

    Configure IPS global parameter.

    config ips global
    Description: Configure IPS global parameter.
    set anomaly-mode [periodical|continuous]
    set av-mem-limit {integer}
    set cp-accel-mode [none|basic|...]
    set database [regular|extended]
    set deep-app-insp-db-limit {integer}
    set deep-app-insp-timeout {integer}
    set engine-count {integer}
    set exclude-signatures [none|ot]
    set fail-open [enable|disable]
    set ips-reserve-cpu [disable|enable]
    set ngfw-max-scan-range {integer}
    set np-accel-mode [none|basic]
    set packet-log-queue-depth {integer}
    set session-limit-mode [accurate|heuristic]
    set socket-size {integer}
    set sync-session-ttl [enable|disable]
    config tls-active-probe
        Description: TLS active probe configuration.
        set interface {string}
        set interface-select-method [auto|sdwan|...]
        set source-ip {ipv4-address}
        set source-ip6 {ipv6-address}
        set vdom {string}
    end
    set traffic-submit [enable|disable]
end

    config ips global

    Parameter

    Description

    Type

    Size

    Default

    anomaly-mode

    Global blocking mode for rate-based anomalies.

    option

    -

    continuous

    Option

    Description

    periodical

    After an anomaly is detected, allow the number of packets per second according to the anomaly configuration.

    continuous

    Block packets once an anomaly is detected. Overrides individual anomaly settings.

    av-mem-limit

    Maximum percentage of system memory allowed for use on AV scanning (10 - 50, default = zero). To disable set to zero. When disabled, there is no limit on the AV memory usage.

    integer

    Minimum value: 10 Maximum value: 50

    0

    cp-accel-mode *

    IPS Pattern matching acceleration/offloading to CPx processors.

    option

    -

    advanced

    Option

    Description

    none

    CPx acceleration/offloading disabled.

    basic

    Offload basic pattern matching to CPx processors.

    advanced

    Offload more types of pattern matching resulting in higher throughput than basic mode. Requires two CP8s or one CP9.

    database

    Regular or extended IPS database. Regular protects against the latest common and in-the-wild attacks. Extended includes protection from legacy attacks.

    option

    -

    extended **

    Option

    Description

    regular

    IPS regular database package.

    extended

    IPS extended database package.

    deep-app-insp-db-limit

    Limit on number of entries in deep application inspection database (1 - 2147483647, use recommended setting = 0).

    integer

    Minimum value: 0 Maximum value: 2147483647

    0

    deep-app-insp-timeout

    Timeout for Deep application inspection (1 - 2147483647 sec., 0 = use recommended setting).

    integer

    Minimum value: 0 Maximum value: 2147483647

    0

    engine-count

    Number of IPS engines running. If set to the default value of 0, FortiOS sets the number to optimize performance depending on the number of CPU cores.

    integer

    Minimum value: 0 Maximum value: 255

    0

    exclude-signatures

    Excluded signatures.

    option

    -

    ot

    Option

    Description

    none

    No signatures excluded.

    ot

    Exclude ot signatures.

    fail-open

    Enable to allow traffic if the IPS buffer is full. Default is disable and IPS traffic is blocked when the IPS buffer is full.

    option

    -

    disable

    Option

    Description

    enable

    Enable IPS fail open.

    disable

    Disable IPS fail open.

    ips-reserve-cpu *

    Enable/disable IPS daemon's use of CPUs other than CPU 0.

    option

    -

    disable

    Option

    Description

    disable

    Disable IPS daemon's use of CPUs other than CPU 0 (all daemons run on all CPUs).

    enable

    Enable IPS daemon's use of CPUs other than CPU 0.

    ngfw-max-scan-range

    NGFW policy-mode app detection threshold.

    integer

    Minimum value: 0 Maximum value: 4294967295

    4096

    np-accel-mode *

    Acceleration mode for IPS processing by NPx processors.

    option

    -

    basic

    Option

    Description

    none

    NPx acceleration disabled.

    basic

    NPx acceleration enabled.

    packet-log-queue-depth

    Packet/pcap log queue depth per IPS engine.

    integer

    Minimum value: 128 Maximum value: 4096

    128

    session-limit-mode

    Method of counting concurrent sessions used by session limit anomalies. Choose between greater accuracy (accurate) or improved performance (heuristics).

    option

    -

    heuristic

    Option

    Description

    accurate

    Accurately count concurrent sessions, demands more resources.

    heuristic

    Use heuristics to estimate the number of concurrent sessions. Acceptable in most cases.

    socket-size

    IPS socket buffer size. Max and default value depend on available memory. Can be changed to tune performance.

    integer

    Minimum value: 0 Maximum value: 256 **

    128 **

    sync-session-ttl

    Enable/disable use of kernel session TTL for IPS sessions.

    option

    -

    enable

    Option

    Description

    enable

    Enable use of kernel session TTL for IPS sessions.

    disable

    Disable use of kernel session TTL for IPS sessions.

    traffic-submit

    Enable/disable submitting attack data found by this FortiGate to FortiGuard.

    option

    -

    disable

    Option

    Description

    enable

    Enable traffic submit.

    disable

    Disable traffic submit.

    * This parameter may not exist in some models.

    ** Values may differ between models.

    config tls-active-probe

    Parameter

    Description

    Type

    Size

    Default

    interface

    Specify outgoing interface to reach server.

    string

    Maximum length: 15

    interface-select-method

    Specify how to select outgoing interface to reach server.

    option

    -

    auto

    Option

    Description

    auto

    Set outgoing interface automatically.

    sdwan

    Set outgoing interface by SD-WAN or policy routing rules.

    specify

    Set outgoing interface manually.

    source-ip

    Source IP address used for TLS active probe.

    ipv4-address

    Not Specified

    0.0.0.0

    source-ip6

    Source IPv6 address used for TLS active probe.

    ipv6-address

    Not Specified

    ::

    vdom

    Virtual domain name for TLS active probe.

    string

    Maximum length: 31

    Previous
    Next

    config ips global

    config ips global

    Configure IPS global parameter.

    config ips global
    Description: Configure IPS global parameter.
    set anomaly-mode [periodical|continuous]
    set av-mem-limit {integer}
    set cp-accel-mode [none|basic|...]
    set database [regular|extended]
    set deep-app-insp-db-limit {integer}
    set deep-app-insp-timeout {integer}
    set engine-count {integer}
    set exclude-signatures [none|ot]
    set fail-open [enable|disable]
    set ips-reserve-cpu [disable|enable]
    set ngfw-max-scan-range {integer}
    set np-accel-mode [none|basic]
    set packet-log-queue-depth {integer}
    set session-limit-mode [accurate|heuristic]
    set socket-size {integer}
    set sync-session-ttl [enable|disable]
    config tls-active-probe
        Description: TLS active probe configuration.
        set interface {string}
        set interface-select-method [auto|sdwan|...]
        set source-ip {ipv4-address}
        set source-ip6 {ipv6-address}
        set vdom {string}
    end
    set traffic-submit [enable|disable]
end

    config ips global

    Parameter

    Description

    Type

    Size

    Default

    anomaly-mode

    Global blocking mode for rate-based anomalies.

    option

    -

    continuous

    Option

    Description

    periodical

    After an anomaly is detected, allow the number of packets per second according to the anomaly configuration.

    continuous

    Block packets once an anomaly is detected. Overrides individual anomaly settings.

    av-mem-limit

    Maximum percentage of system memory allowed for use on AV scanning (10 - 50, default = zero). To disable set to zero. When disabled, there is no limit on the AV memory usage.

    integer

    Minimum value: 10 Maximum value: 50

    0

    cp-accel-mode *

    IPS Pattern matching acceleration/offloading to CPx processors.

    option

    -

    advanced

    Option

    Description

    none

    CPx acceleration/offloading disabled.

    basic

    Offload basic pattern matching to CPx processors.

    advanced

    Offload more types of pattern matching resulting in higher throughput than basic mode. Requires two CP8s or one CP9.

    database

    Regular or extended IPS database. Regular protects against the latest common and in-the-wild attacks. Extended includes protection from legacy attacks.

    option

    -

    extended **

    Option

    Description

    regular

    IPS regular database package.

    extended

    IPS extended database package.

    deep-app-insp-db-limit

    Limit on number of entries in deep application inspection database (1 - 2147483647, use recommended setting = 0).

    integer

    Minimum value: 0 Maximum value: 2147483647

    0

    deep-app-insp-timeout

    Timeout for Deep application inspection (1 - 2147483647 sec., 0 = use recommended setting).

    integer

    Minimum value: 0 Maximum value: 2147483647

    0

    engine-count

    Number of IPS engines running. If set to the default value of 0, FortiOS sets the number to optimize performance depending on the number of CPU cores.

    integer

    Minimum value: 0 Maximum value: 255

    0

    exclude-signatures

    Excluded signatures.

    option

    -

    ot

    Option

    Description

    none

    No signatures excluded.

    ot

    Exclude ot signatures.

    fail-open

    Enable to allow traffic if the IPS buffer is full. Default is disable and IPS traffic is blocked when the IPS buffer is full.

    option

    -

    disable

    Option

    Description

    enable

    Enable IPS fail open.

    disable

    Disable IPS fail open.

    ips-reserve-cpu *

    Enable/disable IPS daemon's use of CPUs other than CPU 0.

    option

    -

    disable

    Option

    Description

    disable

    Disable IPS daemon's use of CPUs other than CPU 0 (all daemons run on all CPUs).

    enable

    Enable IPS daemon's use of CPUs other than CPU 0.

    ngfw-max-scan-range

    NGFW policy-mode app detection threshold.

    integer

    Minimum value: 0 Maximum value: 4294967295

    4096

    np-accel-mode *

    Acceleration mode for IPS processing by NPx processors.

    option

    -

    basic

    Option

    Description

    none

    NPx acceleration disabled.

    basic

    NPx acceleration enabled.

    packet-log-queue-depth

    Packet/pcap log queue depth per IPS engine.

    integer

    Minimum value: 128 Maximum value: 4096

    128

    session-limit-mode

    Method of counting concurrent sessions used by session limit anomalies. Choose between greater accuracy (accurate) or improved performance (heuristics).

    option

    -

    heuristic

    Option

    Description

    accurate

    Accurately count concurrent sessions, demands more resources.

    heuristic

    Use heuristics to estimate the number of concurrent sessions. Acceptable in most cases.

    socket-size

    IPS socket buffer size. Max and default value depend on available memory. Can be changed to tune performance.

    integer

    Minimum value: 0 Maximum value: 256 **

    128 **

    sync-session-ttl

    Enable/disable use of kernel session TTL for IPS sessions.

    option

    -

    enable

    Option

    Description

    enable

    Enable use of kernel session TTL for IPS sessions.

    disable

    Disable use of kernel session TTL for IPS sessions.

    traffic-submit

    Enable/disable submitting attack data found by this FortiGate to FortiGuard.

    option

    -

    disable

    Option

    Description

    enable

    Enable traffic submit.

    disable

    Disable traffic submit.

    * This parameter may not exist in some models.

    ** Values may differ between models.

    config tls-active-probe

    Parameter

    Description

    Type

    Size

    Default

    interface

    Specify outgoing interface to reach server.

    string

    Maximum length: 15

    interface-select-method

    Specify how to select outgoing interface to reach server.

    option

    -

    auto

    Option

    Description

    auto

    Set outgoing interface automatically.

    sdwan

    Set outgoing interface by SD-WAN or policy routing rules.

    specify

    Set outgoing interface manually.

    source-ip

    Source IP address used for TLS active probe.

    ipv4-address

    Not Specified

    0.0.0.0

    source-ip6

    Source IPv6 address used for TLS active probe.

    ipv6-address

    Not Specified

    ::

    vdom

    Virtual domain name for TLS active probe.

    string

    Maximum length: 31

    Previous
    Next