ips : custom
 
custom
Create custom IPS signatures and add them to IPS sensors.
Custom signatures provide the power and flexibility to customize FortiGate Intrusion Protection for diverse network environments. The FortiGate predefined signatures cover common attacks. If an unusual or specialized application or an uncommon platform is being used, add custom signatures based on the security alerts released by the application and platform vendors.
Use custom signatures to block or allow specific traffic.
The settings for a custom signature are configured when the signature is defined as a signature override in an IPS sensor. This way, a single custom signature can be used in multiple sensors with different settings in each.
 
Custom signatures are an advanced feature. This document assumes the user has previous experience writing intrusion detection signatures.
Syntax
config ips custom
edit <sig_str>
set action {block | pass}
set application [<app1_int> <app2_int> ...]
set comment <comment_str>
set location {client | server}
set log {disable | enable}
set log-packet {disable | enable}
set os {all | bsd | linux | macos | other | solaris | windows}
set protocol [<pro1_int> <pro2_int> ...]
set severity {info | low | medium | high | critical}
set signature <signature_str>
set status {disable | enable}
end
Variable: <sig_str>
Description: The name of the custom signature.

Variable: action {block | pass}
Description: Pass or block applications that have not been added to this application list.
Default: pass

Variable: application [<app1_int> <app2_int> ...]
Description: Enter one or more application integers to specify applications. Enter set application ? to list all application integers in the currently configured category.
Default: No default.

Variable: comment <comment_str>
Description: Enter a description of the custom IPS profile. This description will appear in the profile list. Descriptions with spaces must be enclosed in quotes.
Default: No default.

Variable: location {client | server}
Description: Select whether the server or client will be protected.
Default: No default.

Variable: log {disable | enable}
Description: Enable or disable logging for IPS.
Default: enable

Variable: log-packet {disable | enable}
Description: Enable or disable packet logging for an application in the IPS control list.
Default: disable

Variable: os {all | bsd | linux | macos | other | solaris | windows}
Description: Specify the operating systems to be protected. All will include all operating systems. Other will include all unlisted operating systems.
Default: No default.

Variable: protocol [<pro1_int> <pro2_int> ...]
Description: Specify the protocol(s) that the application uses. Enter one or more protocols separated by spaces. For a list of protocols, enter set protocol ?.
Default: No default.

Variable: severity {info | low | medium | high | critical}
Description: Specify the severity level or levels. Specify all to include all severity levels.
Default: No default.

Variable: signature <signature_str>
Description: Enter the custom signature. The signature must be enclosed in single quotes.
Default: No default.

Variable: status {disable | enable}
Description: Specify the status of the signatures included in the filter. enable will enable the filter. disable will disable the filter. default will enable the filter and only use the filters with a default status of enable. Filters with a default status of disable will not be used.
Default: default
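A worked entry using the fields above, as an added example that is not part of the original reference: it defines a custom signature that blocks HTTP requests whose Host header contains a placeholder domain. The signature name, comment, domain and the F-SBID options chosen are assumptions for illustration; check the option names against the IPS signature syntax guide for your FortiOS release.

```fortios
# Added example, not from the original reference. All names and values are constructed.
config ips custom
    edit "Block.Example.Host"
        # The signature string is enclosed in single quotes; option values inside use double quotes.
        # blocked.example.com is a placeholder hostname.
        set signature 'F-SBID( --name "Block.Example.Host"; --protocol tcp; --service HTTP; --flow from_client; --pattern "blocked.example.com"; --no_case; --context host; )'
        set comment "Block HTTP requests to blocked.example.com"
        # Assumed choices: protect clients on any operating system, rate the match as medium.
        set location client
        set os all
        set severity medium
        set action block
        # Log each match and keep the triggering packet for later review.
        set log enable
        set log-packet enable
        set status enable
    next
end
```

Enabling log-packet on a block rule keeps the matching packet, which helps confirm that the pattern is not matching legitimate traffic before the signature is used in more sensors.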