config ips global
Configure IPS global parameter.
config ips global
Description: Configure IPS global parameter.
set fail-open [enable|disable]
set database [regular|extended]
set traffic-submit [enable|disable]
set anomaly-mode [periodical|continuous]
set session-limit-mode [accurate|heuristic]
set socket-size {integer}
set engine-count {integer}
set sync-session-ttl [enable|disable]
set deep-app-insp-timeout {integer}
set deep-app-insp-db-limit {integer}
set exclude-signatures [none|ot]
set packet-log-queue-depth {integer}
set av-mem-limit {integer}
config tls-active-probe
Description: TLS active probe configuration.
set interface-select-method [auto|sdwan|...]
set interface {string}
set vdom {string}
set source-ip {ipv4-address}
set source-ip6 {ipv6-address}
end
end
config ips global
|
Parameter |
Description |
Type |
Size |
Default |
||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
fail-open |
Enable to allow traffic if the IPS buffer is full. Default is disable and IPS traffic is blocked when the IPS buffer is full. |
option |
- |
disable |
||||||
|
|
|
|||||||||
|
database |
Regular or extended IPS database. Regular protects against the latest common and in-the-wild attacks. Extended includes protection from legacy attacks. |
option |
- |
extended |
||||||
|
|
|
|||||||||
|
traffic-submit |
Enable/disable submitting attack data found by this FortiProxy to FortiGuard. |
option |
- |
disable |
||||||
|
|
|
|||||||||
|
anomaly-mode |
Global blocking mode for rate-based anomalies. |
option |
- |
continuous |
||||||
|
|
|
|||||||||
|
session-limit-mode |
Method of counting concurrent sessions used by session limit anomalies. Choose between greater accuracy (accurate) or improved performance (heuristics). |
option |
- |
heuristic |
||||||
|
|
|
|||||||||
|
socket-size |
IPS socket buffer size. Max and default value depend on available memory. Can be changed to tune performance. |
integer |
Minimum value: 0 Maximum value: 128 |
64 |
||||||
|
engine-count |
Number of IPS engines running. If set to the default value of 0, FortiProxy sets the number to optimize performance depending on the number of CPU cores. |
integer |
Minimum value: 0 Maximum value: 255 |
0 |
||||||
|
sync-session-ttl |
Enable/disable use of kernel session TTL for IPS sessions. |
option |
- |
enable |
||||||
|
|
|
|||||||||
|
deep-app-insp-timeout |
Timeout for Deep application inspection. |
integer |
Minimum value: 0 Maximum value: 2147483647 |
0 |
||||||
|
deep-app-insp-db-limit |
Limit on number of entries in deep application inspection database. |
integer |
Minimum value: 0 Maximum value: 2147483647 |
0 |
||||||
|
exclude-signatures |
Excluded signatures. |
option |
- |
ot |
||||||
|
|
|
|||||||||
|
packet-log-queue-depth |
Packet/pcap log queue depth per IPS engine. |
integer |
Minimum value: 128 Maximum value: 4096 |
128 |
||||||
|
av-mem-limit |
Maximum percentage of system memory allowed for use on AV scanning. To disable set to zero. When disabled, there is no limit on the AV memory usage. |
integer |
Minimum value: 10 Maximum value: 50 |
0 |
||||||
config tls-active-probe
|
Parameter |
Description |
Type |
Size |
Default |
||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
interface-select-method |
Specify how to select outgoing interface to reach server. |
option |
- |
auto |
||||||||
|
|
|
|||||||||||
|
interface |
Specify outgoing interface to reach server. |
string |
Maximum length: 15 |
|
||||||||
|
vdom |
Virtual domain name for TLS active probe. |
string |
Maximum length: 31 |
|
||||||||
|
source-ip |
Source IP address used for TLS active probe. |
ipv4-address |
Not Specified |
0.0.0.0 |
||||||||
|
source-ip6 |
Source IPv6 address used for TLS active probe. |
ipv6-address |
Not Specified |
:: |
||||||||