ips : sensor
 
sensor
IPS sensors use signatures to detect attacks. An IPS sensor is made up of filters and override rules. Each filter specifies one or more signature attributes (location, severity, protocol, OS, application), and every signature that matches all of the specified attributes is included in the filter. Override rules (entries with rule set) apply settings to individual signatures selected by their signature ID, and an override rule can carry exempt-ip entries so that the listed signatures are not applied to selected hosts.
Syntax
config ips sensor
    edit <sensor_str>
        get
        set comment <comment_str>
        config entries
            edit <filter_int>
                set location {all | client | server}
                set severity {all | info low medium high critical}
                set protocol <protocol_str>
                set os {all | other windows linux bsd solaris macos}
                set application <app_str>
                set status {default | enable | disable}
                set tags <tags_str>
                set log {default | enable | disable}
                set log-attack-context {enable | disable}
                set log-packet {disable | enable}
                set action {block | default | pass | reject}
                set quarantine {attacker | none}
                set quarantine-expiry <minutes_int>
                set quarantine-log {disable | enable}
                set rate-count <count_int>
                set rate-duration <seconds_int>
                set rate-mode {continuous | periodical}
                set rate-track {dest-ip | dhcp-client-mac | dns-domain | none | src-ip}
                set rule [<rule1_int> <rule2_int> ...]
                get
                config exempt-ip
                    edit <exempt-ip_id>
                        set dst-ip <ip4mask>
                        set src-ip <ip4mask>
                end
        end
end
 
Variable, description and default for each field:

<sensor_str>
    Enter the name of an IPS sensor. For a list of the IPS sensors, enter ‘?’ instead of an IPS sensor name. Enter a new name to create a sensor.
    Default: (not listed)

comment <comment_str>
    Enter a description of the IPS sensor. This description appears in the IPS sensor list. Descriptions containing spaces must be enclosed in quotes.
    Default: (not listed)

<filter_int>
    Enter the ID number of a filter. For a list of the IDs in the IPS sensor, enter ‘?’ instead of an ID. Enter a new ID to create a filter.
    Default: (not listed)

location {all | client | server}
    Specify the type of system to be protected.
    client selects signatures for attacks against client computers.
    server selects signatures for attacks against servers.
    all selects both client and server signatures.
    Default: all

severity {all | info low medium high critical}
    Specify one or more severity levels, separated by spaces. Specify all to include every severity level.
    Default: all

protocol <protocol_str>
    Specify the protocols to be examined. Enter ‘?’ to display a list of the available protocols. all includes all protocols; other includes every protocol not in the list.
    Default: all

os {all | other windows linux bsd solaris macos}
    Specify the operating systems to be protected. all includes all operating systems; other includes every operating system not in the list.
    Default: all

application <app_str>
    Specify the applications to be protected. Enter ‘?’ to display a list of the available applications. all includes all applications; other includes every application not in the list.
    Default: all

status {default | enable | disable}
    Specify the status of the signatures included in the filter.
    enable enables every signature in the filter.
    disable disables every signature in the filter.
    default keeps each signature's own default status: signatures that are enabled by default are used, signatures that are disabled by default are not.
    Default: default

tags <tags_str>
    Enter object tags applied to this filter. Separate tag names with spaces.
    Default: null

log {default | enable | disable}
    Specify the logging status of the signatures included in the filter.
    enable logs every match of a signature in the filter.
    disable logs nothing for the filter.
    default keeps each signature's own default logging setting: signatures whose default is enable are logged, signatures whose default is disable are not.
    Default: default

log-attack-context {enable | disable}
    Enable or disable logging of the attack context: the URI buffer, header buffer, body buffer and packet buffer.
    Default: disable

log-packet {disable | enable}
    When enabled, packet logging saves the packet that triggers the filter. You can download the packets in pcap format for diagnostic use. This feature is only available on FortiGate units with an internal hard drive.
    Default: disable

action {block | default | pass | reject}
    Specify the action taken on traffic in which a signature is detected.
    block drops the session carrying the offending traffic.
    pass allows the traffic.
    reject resets the session.
    default passes or drops matching traffic according to the default action of each signature.
    Default: default

quarantine {attacker | none}
    To stop an attacker from continuing the attack, you can quarantine the attacker's address by adding it to the banned user list.
    attacker blocks all traffic sent from the attacker's IP address and adds that address to the banned user list. The target's address is not affected.
    none disables quarantining for this filter; no addresses are added to the banned user list.
    Default: none

quarantine-expiry <minutes_int>
    Enter the duration of the quarantine in minutes. Range 0 to 259200.
    Default: 5

quarantine-log {disable | enable}
    Enable or disable writing a log message when an address is quarantined.
    Default: (not listed)

rate-count <count_int>
    Set the number of signature matches that triggers the action. Range 0 to 65 535; 0 disables rate-based matching, so every match triggers the action.
    Default: 0

rate-duration <seconds_int>
    Set the period, in seconds, over which rate-count is measured. rate-mode determines how the period is applied. Range 1 to 65 535.
    Default: 60

rate-mode {continuous | periodical}
    Select how rate-count is applied:
    continuous: the action is applied as soon as rate-count matches have been seen.
    periodical: the action is applied when rate-count matches are seen within one rate-duration period.
    Default: continuous

rate-track {dest-ip | dhcp-client-mac | dns-domain | none | src-ip}
    Select the packet field by which matches are counted. With a value other than none, a separate count is kept for each distinct value of that field (for example, one count per source IP address with src-ip); with none, matches are counted without regard to source or destination.
    Default: none

rule [<rule1_int> <rule2_int> ...]
    Enter the IDs of one or more predefined or custom IPS signatures. An entry with rule set is an override rule: instead of selecting signatures by attribute, it applies the entry's status, log, action, quarantine and rate settings to the listed signatures only.
    Default: null
get fields
get (when used in edit <sensor_str>)
This get command returns the following information about the sensor:
name is the name of this sensor.
comment is the comment entered for this sensor.
count-enabled is the number of enabled signatures in this IPS sensor. Disabled signatures are not included.
count-pass is the number of enabled signatures configured with the pass action.
count-block is the number of enabled signatures configured with the block action.
count-reset is the number of enabled signatures configured with the reset action.
filter lists the filters in this IPS sensor.
override lists the overrides in the IPS sensor.
 
get (when used in edit <filter_int>)
This get command returns the following information about the filter:
name is the name of this filter.
count is the total number of signatures in this filter. Both enabled and disabled signatures are included.
location is the type of system targeted by the attack. The locations are client and server.
severity is the relative importance of the signature, from info to critical.
protocol is the type of traffic to which the signature applies. Examples include HTTP, POP3, H323, and DNS.
os is the operating systems to which the signature applies.
application is the program affected by the signature.
status displays whether the signature state is enabled, disabled, or default.
log displays the logging status of the signatures included in the filter. Logging can be set to enabled, disabled, or default.
action displays what the FortiGate does with traffic containing a signature. The action can be set to pass all, block all, reset all, or default.
quarantine displays how the FortiGate unit will quarantine attackers.
 
config exempt-ip fields
This subcommand is available only in an entry where rule has been set, that is, in an override rule. Traffic whose source and destination match an exempt-ip entry is exempt from the signatures listed in that rule.

<exempt-ip_id>
    Enter the ID number of an exempt-ip entry. For a list of the exempt-ip entries in the override rule, enter ‘?’ instead of an ID. Enter a new ID to create a new exempt-ip entry.
    Default: (not listed)

dst-ip <ip4mask>
    Enter the destination IP address and netmask to exempt.
    Default: 0.0.0.0 0.0.0.0

src-ip <ip4mask>
    Enter the source IP address and netmask to exempt.
    Default: 0.0.0.0 0.0.0.0
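A complete sensor that combines the fields described above, as an added example that is not from the original page or from Fortinet's documentation. It shows one attribute filter (entry 1), one override rule with rate-based matching and quarantine (entry 2), and an exempt-ip entry inside that override. The sensor name dmz-web, the entry IDs, the signature ID 12345 (a placeholder, not a real signature ID) and the scanner address 10.0.5.10 are assumptions chosen for illustration; the protocol name is written as the CLI lists it when you enter ‘?’. Lines beginning with # are annotations for the reader, not CLI syntax, and must be removed before pasting.

```text
config ips sensor
    edit "dmz-web"
        set comment "DMZ web servers: block server-side HTTP attacks, quarantine scanners"
        config entries
            # Entry 1, attribute filter: every server-side HTTP signature rated
            # high or critical is enabled, logged and blocked. With action left
            # at default, matching traffic would be passed or dropped according
            # to each signature's own default action, so block is set explicitly.
            edit 1
                set location server
                set protocol HTTP
                set severity high critical
                set status enable
                set log enable
                set action block
            next
            # Entry 2, override rule for a single signature (12345 is a
            # placeholder ID). Matches are counted per source address; 20
            # matches from one source within 60 seconds (periodical mode) block
            # the session and quarantine that source for 30 minutes. Packet
            # logging needs a unit with an internal hard drive.
            edit 2
                set rule 12345
                set status enable
                set log enable
                set log-packet enable
                set action block
                set rate-count 20
                set rate-duration 60
                set rate-mode periodical
                set rate-track src-ip
                set quarantine attacker
                set quarantine-expiry 30
                set quarantine-log enable
                # Exempt the authorised vulnerability scanner (assumed address)
                # from this override so that it is never blocked or quarantined.
                config exempt-ip
                    edit 1
                        set src-ip 10.0.5.10 255.255.255.255
                        set dst-ip 0.0.0.0 0.0.0.0
                    next
                end
            next
        end
    next
end
```

Two checks after entering the configuration: run get inside edit "dmz-web" and confirm that count-enabled and count-block are non-zero and that count-pass is what you expect, since a filter whose action was left at default can still leave signatures on pass; and remember that the exempt-ip entry exempts the scanner only from the override rule in entry 2, not from the attribute filter in entry 1. The sensor has no effect until a firewall policy references it; that step is configured outside this page.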