Chapter 15 Unified Threat Management for FortiOS 5.0 : Intrusion protection : Configure IPS options : IPS signature rate count threshold
  
IPS signature rate count threshold
The IPS signature rate count threshold lets you configure a signature so that it is not triggered until a rate count threshold is met. This provides more controlled recording of attack activity. For example, if multiple login attempts fail over a short period of time, an alert would be sent and perhaps traffic blocked. This is a more rational response than sending an alert every time a login fails.
The syntax for this configuration is as follows:
config ips sensor
edit default
config entries
edit <Filter ID number>
set rule <*id>
set rate-count <integer between 1 - 65535>
set rate-duration <integer between 1 - 65535>
The value of the rate-duration is an integer for the time in seconds.
set rate-mode <continuous | periodical>
The rate-mode refers to how the count threshold is met.
If the setting is “continuous”, and the action is set to block, as soon as the rate-count is reached the action is engaged. For example, if the count is 10, as soon as the signature is triggered 10 times the traffic would be blocked.
If the setting is “periodical”, the FortiGate allows up to the value of the rate-count incidents where the signature is triggered during the rate-duration. For example, if the rate count is 100 and the duration is 60, the signature would need to be triggered 100 times in 60 seconds for the action to be engaged.
set rate-track <dest-ip | dhcp-client-mac | dns-domain | none | src-ip>
This setting allows tracking of one of the protocol fields within the packet.
end
end
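The following is an added example, not Fortinet code and not part of the original page: a small offline model for choosing rate-count, rate-duration and rate-track values by replaying signature triggers against them. It models the "periodical" description above as a sliding window, which is an assumption about how the count is kept; the function name, the "all" key and the sample events are constructed for illustration.

```python
from collections import defaultdict, deque

# Index of the tracked field inside each (timestamp, src_ip, dst_ip) event.
TRACK_FIELD = {"src-ip": 1, "dest-ip": 2}


def first_threshold_hits(events, rate_count, rate_duration, track="src-ip"):
    """Return {tracked key: time at which rate_count triggers fell within
    rate_duration seconds}. With track="none" every trigger shares one
    counter, reported under the hypothetical key "all"."""
    windows = defaultdict(deque)  # recent trigger times per tracked key
    hits = {}
    for ev in sorted(events):
        now = ev[0]
        key = ev[TRACK_FIELD[track]] if track in TRACK_FIELD else "all"
        if key in hits:
            continue  # threshold already met for this key
        win = windows[key]
        win.append(now)
        # Discard triggers that have aged out of the window (assumed sliding).
        while now - win[0] >= rate_duration:
            win.popleft()
        if len(win) >= rate_count:
            hits[key] = now
    return hits


# Constructed sample: failed-login signature triggers against one server.
DST = "192.0.2.10"
SAMPLE = (
    # One source failing every 2 seconds: 10 triggers in 18 seconds.
    [(t, "198.51.100.7", DST) for t in range(0, 20, 2)]
    # Another source failing once every 30 seconds: 10 triggers in 270 seconds.
    + [(t, "203.0.113.5", DST) for t in range(0, 300, 30)]
)

if __name__ == "__main__":
    for track in ("src-ip", "dest-ip", "none"):
        result = first_threshold_hits(SAMPLE, rate_count=10,
                                      rate_duration=60, track=track)
        print(f"rate-track {track}: {result}")
```

With these constructed events, tracking by src-ip isolates the fast source, while dest-ip or none meets the threshold earlier because the slow source's triggers are counted in the same bucket.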