firewall : sniffer
 
sniffer
Use this command to configure sniffer policies.
Syntax
config firewall sniffer
    edit <policy_id>
        set application-list-status {enable | disable}
        set application_list <app_list_str>
        set av-profile-status {enable | disable}
        set av-profile <string>
        set client-reputation {enable | disable}
        set dlp-sensor-status {enable | disable}
        set dlp-sensor <string>
        set dstaddr <dstaddr_ipv4>
        set interface <int_str>
        set ips-dos-sensor {enable | disable}
        set ips-sensor-status {enable | disable}
        set ips-sensor <sensor_str>
        set ipv6 {enable | disable}
        set logtraffic {all | utm | disable}
        set logtraffic-app {enable | disable}
        set max-packet-count <int>
        set non-ip {enable | disable}
        set protocol <protocol_list>
        set srcaddr <srcaddr_ipv4>
        set status {enable | disable}
        set vlan <vlan_list>
        set webfilter-profile-status {enable | disable}
        set webfilter-profile <string>
        config anomaly
            edit <anomaly_str>
                set status {enable | disable}
                set log {enable | disable}
                set action {block | pass}
                set quarantine {attacker | both | interface | none}
                set quarantine-log {enable | disable}
                set threshold <threshold_int>
        end
end
Variables
Each entry below gives the variable, its description, and its default value where one exists.
application-list-status {enable | disable}
    Enable to have the FortiGate unit apply an application black/white list to matching network traffic.
    Default: disable

application_list <app_list_str>
    Enter the name of the application black/white list the FortiGate unit uses when examining network traffic.
    This option is available only when application-list-status is set to enable.

av-profile-status {enable | disable}
    Enable to have the FortiGate unit examine network traffic for virus signatures.
    Default: disable

av-profile <string>
    Select a configured antivirus profile from the list.
    This option is available only when av-profile-status is enabled.

client-reputation {enable | disable}
    Enable or disable the client reputation feature for this sniffer policy.
    Default: disable

dlp-sensor-status {enable | disable}
    Enable to have the FortiGate unit examine network traffic for data leaks.
    Default: disable

dlp-sensor <string>
    Select one of the configured DLP sensors.
    This option is available only when dlp-sensor-status is enabled.

dstaddr <dstaddr_ipv4>
    Enter an address or address range to limit monitoring to network traffic sent to the specified address or range.

interface <int_str>
    The interface or zone to be monitored.
ips-dos-sensor {enable | disable}
    Enable to have the FortiGate unit examine network traffic for DoS anomalies. The individual anomalies, their thresholds and their actions are configured under config anomaly, described below.
    Default: disable

ips-sensor-status {enable | disable}
    Enable to have the FortiGate unit examine network traffic for attacks and vulnerabilities.
    Default: disable

ips-sensor <sensor_str>
    Enter the name of the IPS sensor the FortiGate unit will use when examining network traffic.
    This option is available only when ips-sensor-status is set to enable.

ipv6 {enable | disable}
    Enable to sniff IPv6 packets.
    Default: disable

logtraffic {all | utm | disable}
    Choose which traffic logs will be recorded:
    all - log all sessions matched by the sniffer policy
    utm - log only UTM-related events
    disable - no logging
    Default: utm

logtraffic-app {enable | disable}
    Enable to log traffic while application logging is active.
    Default: enable

max-packet-count <int>
    Enter the maximum number of packets to capture when sniffing. Range 1 to 10 000.
    Default: 4000

non-ip {enable | disable}
    Enable to sniff non-IP traffic.
    Default: disable

protocol <protocol_list>
    Enter the protocols to sniff.
    Default: Null

srcaddr <srcaddr_ipv4>
    Enter an address or address range to limit monitoring to network traffic sent from the specified address or range.
status {enable | disable}
    Enable or disable the sniffer policy. A disabled sniffer policy has no effect on network traffic.
    Default: enable

vlan <vlan_list>
    Enter the VLANs to sniff.
    Default: Null

webfilter-profile-status {enable | disable}
    Enable to filter web traffic based on the selected profile.
    Default: disable

webfilter-profile <string>
    Select a webfilter profile from the list.
    This option is available only when webfilter-profile-status is enabled.
config anomaly fields

<anomaly_str>
    Enter the name of the anomaly you want to configure. Display a list of the available anomaly types by entering '?'.

status {enable | disable}
    Enable or disable detection of the specified anomaly.
    Default: disable

log {enable | disable}
    Enable or disable logging of the specified anomaly in the sniffer.
    Default: disable

action {block | pass}
    Select whether to pass or block traffic in which the anomaly is detected.
    Default: pass

quarantine {attacker | both | interface | none}
    To prevent a detected attacker from continuing the attack, you can quarantine it by adding an entry to the banned user list in one of three ways:
    attacker - block all traffic sent from the attacker's IP address. The attacker's IP address is added to the banned user list. The target's address is not affected.
    both - block all traffic sent from the attacker's IP address to the target (victim's) IP address. Traffic from the attacker's IP address to addresses other than the victim's is still allowed. The attacker's and target's IP addresses are added to the banned user list as one entry.
    interface - block all traffic from connecting to the FortiGate unit interface that received the attack. The interface is added to the banned user list.
    none - do not add addresses to the quarantine.
    Default: none

quarantine-log {enable | disable}
    Enable NAC quarantine logging. NAC quarantine logging is only available when quarantine is set to something other than none.
    Default: disable

threshold <threshold_int>
    Enter the number of times the specified anomaly must be detected in network traffic before the action is triggered. Range 1 to 2 147 483 647.
    Default: varies by anomaly
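Example
A complete policy assembled from the variables above, as an added example rather than configuration taken from the FortiOS reference: a sniffer policy on port3 that applies an IPS sensor, enables DoS anomaly detection, and tunes one anomaly to log, block and quarantine the attacking address. The interface name port3, the policy ID 1, the IPS sensor name default, the threshold value, the use of the built-in address object all, the IP protocol number for protocol and the anomaly name tcp_syn_flood are all assumptions for this example (confirm the anomaly name with ? at the edit prompt). Lines beginning with # are annotations, not CLI input, and must be stripped before pasting.

```text
# Added example, not from the FortiOS reference.
# Assumes port3 is already a one-arm sniffer interface (see usage note).
config firewall sniffer
    edit 1
        set status enable
        set interface "port3"
        # Built-in "all" address object on both sides: watch every host.
        # Narrow srcaddr/dstaddr to the segment of interest in production.
        set srcaddr "all"
        set dstaddr "all"
        # Assumed: IP protocol number 6 (TCP). Leave unset to sniff all IP protocols.
        set protocol 6
        # "all" logs every matched session; the default "utm" logs only UTM hits,
        # which hides baseline traffic you need when tuning thresholds.
        set logtraffic all
        set ips-sensor-status enable
        set ips-sensor "default"
        # Turn on DoS anomaly detection; the anomalies themselves are set below.
        set ips-dos-sensor enable
        # Keep the full capture budget (range 1 to 10 000, default 4000).
        set max-packet-count 10000
        config anomaly
            # Assumed anomaly name; list the real names with "?" at the edit prompt.
            edit tcp_syn_flood
                set status enable
                set log enable
                # Assumed threshold: how many detections before action fires.
                set threshold 2000
                set action block
                # Ban only the attacking source; the target keeps working.
                set quarantine attacker
                # quarantine-log is only meaningful when quarantine is not "none".
                set quarantine-log enable
            next
        end
    next
end
```

Two practical points. First, the interface named in set interface must already be configured as a sniffer (one-arm) interface, which is done outside this command with set ips-sniffer-mode enable under config system interface; that command is not covered on this page. Second, because quarantine attacker writes the source IP to the banned user list, a threshold that is too low for the monitored segment will quarantine busy legitimate hosts. Run the anomaly first with set action pass and set log enable, review the anomaly logs against normal traffic for that segment, and only then change action to block and enable quarantine.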