Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    6.2.6
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.0.0
    5.6.0
    5.4.0
    5.2.0
    5.0.0

    ips global

    Configure IPS global parameter.

      config ips global
      Description: Configure IPS global parameter.
      set fail-open [enable|disable]
      set database [regular|extended]
      set traffic-submit [enable|disable]
      set anomaly-mode [periodical|continuous]
      set session-limit-mode [accurate|heuristic]
      set intelligent-mode [enable|disable]
      set socket-size {integer}
      set engine-count {integer}
      set sync-session-ttl [enable|disable]
      set np-accel-mode [none|basic]
      set ips-reserve-cpu [disable|enable]
      set cp-accel-mode [none|basic|...]
      set skype-client-public-ipaddr {var-string}
      set deep-app-insp-timeout {integer}
      set deep-app-insp-db-limit {integer}
      set exclude-signatures [none|industrial]
      set packet-log-queue-depth {integer}
      config tls-active-probe
          Description: TLS active probe configuration.
          set interface-select-method [auto|sdwan|...]
          set interface {string}
          set vdom {string}
          set source-ip {ipv4-address}
          set source-ip6 {ipv6-address}
      end
  end

    config ips global

    Parameter Name Description Type Size
    fail-open Enable to allow traffic if the IPS process crashes. Default is disable and IPS traffic is blocked when the IPS process crashes.
    enable: Enable IPS fail open.
    disable: Disable IPS fail open.
    		 option -
    database Regular or extended IPS database. Regular protects against the latest common and in-the-wild attacks. Extended includes protection from legacy attacks.
    regular: IPS regular database package.
    extended: IPS extended database package.
    		 option -
    traffic-submit Enable/disable submitting attack data found by this FortiGate to FortiGuard.
    enable: Enable traffic submit.
    disable: Disable traffic submit.
    		 option -
    anomaly-mode Global blocking mode for rate-based anomalies.
    periodical: After an anomaly is detected, allow the number of packets per second according to the anomaly configuration.
    continuous: Block packets once an anomaly is detected. Overrides individual anomaly settings.
    		 option -
    session-limit-mode Method of counting concurrent sessions used by session limit anomalies. Choose between greater accuracy (accurate) or improved performance (heuristics).
    accurate: Accurately count concurrent sessions, demands more resources.
    heuristic: Use heuristics to estimate the number of concurrent sessions. Acceptable in most cases.
    		 option -
    intelligent-mode Enable/disable IPS adaptive scanning (intelligent mode). Intelligent mode optimizes the scanning method for the type of traffic.
    enable: Enable intelligent scan mode.
    disable: Disable intelligent scan mode.
    		 option -
    socket-size IPS socket buffer size. Max and default value depend on available memory. Can be changed to tune performance. integer Minimum value: 0 Maximum value: 256
    engine-count Number of IPS engines running. If set to the default value of 0, FortiOS sets the number to optimize performance depending on the number of CPU cores. integer Minimum value: 0 Maximum value: 255
    sync-session-ttl Enable/disable use of kernel session TTL for IPS sessions.
    enable: Enable use of kernel session TTL for IPS sessions.
    disable: Disable use of kernel session TTL for IPS sessions.
    		 option -
    np-accel-mode Acceleration mode for IPS processing by NPx processors.
    none: NPx acceleration disabled.
    basic: NPx acceleration enabled.
    		 option -
    ips-reserve-cpu Enable/disable IPS daemon's use of CPUs other than CPU 0
    disable: Disable IPS daemon's use of CPUs other than CPU 0 (all daemons run on all CPUs).
    enable: Enable IPS daemon's use of CPUs other than CPU 0.
    		 option -
    cp-accel-mode IPS Pattern matching acceleration/offloading to CPx processors.
    none: CPx acceleration/offloading disabled.
    basic: Offload basic pattern matching to CPx processors.
    advanced: Offload more types of pattern matching resulting in higher throughput than basic mode. Requires two CP8s or one CP9.
    		 option -
    skype-client-public-ipaddr Public IP addresses of your network that receive Skype sessions. Helps identify Skype sessions. Separate IP addresses with commas. var-string Maximum length: 255
    deep-app-insp-timeout Timeout for Deep application inspection (1 - 2147483647 sec., 0 = use recommended setting). integer Minimum value: 0 Maximum value: 2147483647
    deep-app-insp-db-limit Limit on number of entries in deep application inspection database (1 - 2147483647, 0 = use recommended setting) integer Minimum value: 0 Maximum value: 2147483647
    exclude-signatures Excluded signatures.
    none: No signatures excluded.
    industrial: Exclude industrial signatures.
    		 option -
    packet-log-queue-depth Packet/pcap log queue depth per IPS engine. integer Minimum value: 128 Maximum value: 4096

    config tls-active-probe

    Parameter Name Description Type Size
    interface-select-method Specify how to select outgoing interface to reach server.
    auto: Set outgoing interface automatically.
    sdwan: Set outgoing interface by SD-WAN or policy routing rules.
    specify: Set outgoing interface manually.
    		 option -
    interface Specify outgoing interface to reach server. string Maximum length: 15
    vdom Virtual domain name for TLS active probe. string Maximum length: 31
    source-ip Source IP address used for TLS active probe. ipv4-address Not Specified
    source-ip6 Source IPv6 address used for TLS active probe. ipv6-address Not Specified
    Previous
    Next

    ips global

    Configure IPS global parameter.

      config ips global
      Description: Configure IPS global parameter.
      set fail-open [enable|disable]
      set database [regular|extended]
      set traffic-submit [enable|disable]
      set anomaly-mode [periodical|continuous]
      set session-limit-mode [accurate|heuristic]
      set intelligent-mode [enable|disable]
      set socket-size {integer}
      set engine-count {integer}
      set sync-session-ttl [enable|disable]
      set np-accel-mode [none|basic]
      set ips-reserve-cpu [disable|enable]
      set cp-accel-mode [none|basic|...]
      set skype-client-public-ipaddr {var-string}
      set deep-app-insp-timeout {integer}
      set deep-app-insp-db-limit {integer}
      set exclude-signatures [none|industrial]
      set packet-log-queue-depth {integer}
      config tls-active-probe
          Description: TLS active probe configuration.
          set interface-select-method [auto|sdwan|...]
          set interface {string}
          set vdom {string}
          set source-ip {ipv4-address}
          set source-ip6 {ipv6-address}
      end
  end

    config ips global

    Parameter Name Description Type Size
    fail-open Enable to allow traffic if the IPS process crashes. Default is disable and IPS traffic is blocked when the IPS process crashes.
    enable: Enable IPS fail open.
    disable: Disable IPS fail open.
    		 option -
    database Regular or extended IPS database. Regular protects against the latest common and in-the-wild attacks. Extended includes protection from legacy attacks.
    regular: IPS regular database package.
    extended: IPS extended database package.
    		 option -
    traffic-submit Enable/disable submitting attack data found by this FortiGate to FortiGuard.
    enable: Enable traffic submit.
    disable: Disable traffic submit.
    		 option -
    anomaly-mode Global blocking mode for rate-based anomalies.
    periodical: After an anomaly is detected, allow the number of packets per second according to the anomaly configuration.
    continuous: Block packets once an anomaly is detected. Overrides individual anomaly settings.
    		 option -
    session-limit-mode Method of counting concurrent sessions used by session limit anomalies. Choose between greater accuracy (accurate) or improved performance (heuristics).
    accurate: Accurately count concurrent sessions, demands more resources.
    heuristic: Use heuristics to estimate the number of concurrent sessions. Acceptable in most cases.
    		 option -
    intelligent-mode Enable/disable IPS adaptive scanning (intelligent mode). Intelligent mode optimizes the scanning method for the type of traffic.
    enable: Enable intelligent scan mode.
    disable: Disable intelligent scan mode.
    		 option -
    socket-size IPS socket buffer size. Max and default value depend on available memory. Can be changed to tune performance. integer Minimum value: 0 Maximum value: 256
    engine-count Number of IPS engines running. If set to the default value of 0, FortiOS sets the number to optimize performance depending on the number of CPU cores. integer Minimum value: 0 Maximum value: 255
    sync-session-ttl Enable/disable use of kernel session TTL for IPS sessions.
    enable: Enable use of kernel session TTL for IPS sessions.
    disable: Disable use of kernel session TTL for IPS sessions.
    		 option -
    np-accel-mode Acceleration mode for IPS processing by NPx processors.
    none: NPx acceleration disabled.
    basic: NPx acceleration enabled.
    		 option -
    ips-reserve-cpu Enable/disable IPS daemon's use of CPUs other than CPU 0
    disable: Disable IPS daemon's use of CPUs other than CPU 0 (all daemons run on all CPUs).
    enable: Enable IPS daemon's use of CPUs other than CPU 0.
    		 option -
    cp-accel-mode IPS Pattern matching acceleration/offloading to CPx processors.
    none: CPx acceleration/offloading disabled.
    basic: Offload basic pattern matching to CPx processors.
    advanced: Offload more types of pattern matching resulting in higher throughput than basic mode. Requires two CP8s or one CP9.
    		 option -
    skype-client-public-ipaddr Public IP addresses of your network that receive Skype sessions. Helps identify Skype sessions. Separate IP addresses with commas. var-string Maximum length: 255
    deep-app-insp-timeout Timeout for Deep application inspection (1 - 2147483647 sec., 0 = use recommended setting). integer Minimum value: 0 Maximum value: 2147483647
    deep-app-insp-db-limit Limit on number of entries in deep application inspection database (1 - 2147483647, 0 = use recommended setting) integer Minimum value: 0 Maximum value: 2147483647
    exclude-signatures Excluded signatures.
    none: No signatures excluded.
    industrial: Exclude industrial signatures.
    		 option -
    packet-log-queue-depth Packet/pcap log queue depth per IPS engine. integer Minimum value: 128 Maximum value: 4096

    config tls-active-probe

    Parameter Name Description Type Size
    interface-select-method Specify how to select outgoing interface to reach server.
    auto: Set outgoing interface automatically.
    sdwan: Set outgoing interface by SD-WAN or policy routing rules.
    specify: Set outgoing interface manually.
    		 option -
    interface Specify outgoing interface to reach server. string Maximum length: 15
    vdom Virtual domain name for TLS active probe. string Maximum length: 31
    source-ip Source IP address used for TLS active probe. ipv4-address Not Specified
    source-ip6 Source IPv6 address used for TLS active probe. ipv6-address Not Specified
    Previous
    Next