jorge_lopezlopez
New Member
October 16, 2015
Question

Meaning of "Set status" in a sensor's rule (ips)


Hello, does anyone know the meaning of the status of a filter inside a sensor in IPS? It can be configured as set status "disabled, enabled and default". Enable/disable makes sense, as you are disabling checking the signatures inside that filter for debugging or to check something... but the documentation states that set status default will use the default status in the signature itself, but this field is not included.

You can configure status by CLI (not GUI) or from FortiManager.

Does anyone know the difference?

Regards

 

    2 replies

    FlavioB
    New Member
    May 7, 2017

    Hi Jorge,

    I've run into this after upgrading from 5.2.10 to 5.4.4: in the CLI I got "set status enabled", but as soon as I clicked "Apply" in the GUI, in the CLI the "set status" line disappeared (getting thus back to "default" value).

    Did you ever find out what that really means?

    Thanks,

    F.

    hmtay_FTNT
    Staff
    May 15, 2017

    Hello Flavio, Jorge,

     

    The "set status <>" syntax that is used in "config ips sensor" is used together with the "set action <>". In our IPS signatures, we have default actions set in our database. Signatures that have high False Positive risk has a "pass" action and "disable" status set by default. On the other hand, signatures that have low or close to none False Positive risk has a "enable" status by default and the action varies based on the risk. 

     

    You can check the default action of the signatures by executing the following CLI commands:

     

    config ips rule <rule name>

    get

     

    HoMing
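
The fallback described in the staff reply, as an added Python example that is not code from the thread or from Fortinet: it resolves the effective status and action of each sensor entry so that filters inheriting a disabled signature default can be spotted during a config review. The sensor block, rule IDs and signature defaults are constructed, and treating a missing `set status` or `set action` line as `default` is an assumption based on the replies above.

```python
# Constructed sample in "config ips sensor" syntax; rule IDs are made up.
SENSOR = """
config ips sensor
    edit "example"
        config entries
            edit 1
                set rule 1001
                set status enable
            next
            edit 2
                set rule 1002
            next
        end
    next
end
"""
# Constructed stand-in for what "config ips rule <rule name>" + "get" reports.
SIG_DEFAULTS = {"1001": {"status": "enable", "action": "pass"},
                "1002": {"status": "disable", "action": "pass"}}  # 1002: high FP risk

def parse_entries(text):
    """Collect the 'set' lines of each entry under 'config entries'."""
    entries, current, inside = [], None, False
    for tok in (line.split() for line in text.splitlines()):
        if tok[:2] == ["config", "entries"]:
            inside = True
        elif tok[:1] == ["end"]:
            inside = False
        elif inside and tok[:1] == ["edit"]:
            current = {"id": tok[1]}
        elif inside and tok[:1] == ["set"] and current is not None:
            current[tok[1]] = " ".join(tok[2:])
        elif inside and tok[:1] == ["next"] and current is not None:
            entries.append(current)
            current = None
    return entries

def effective(entry, defaults):
    """A missing or 'default' status/action falls back to the signature's own."""
    sig = defaults[entry["rule"]]
    status = entry.get("status", "default")
    action = entry.get("action", "default")
    return {"id": entry["id"],
            "status": sig["status"] if status == "default" else status,
            "action": sig["action"] if action == "default" else action,
            "inherited_status": status == "default"}

def audit(text, defaults):
    return [effective(e, defaults) for e in parse_entries(text)]
```

Entries reported with `inherited_status` true and `status` "disable" are the ones listed in the sensor but not actually inspected under these assumptions.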