Description
This article describes the steps to apply an IPS sensor to a FortiGate interface.
Scope
FortiGate.
Solution
Interface policies are evaluated before the firewall (security) policies and are flow-based only. An interface policy attaches a set of IPS sensors to an interface rather than to a forwarding path, so packets reach IPS inspection before the firewall policy lookup takes place.
An IPS sensor can be assigned to an interface policy; both incoming and outgoing packets on that interface are then inspected against the sensor's signatures. It is recommended to apply IPS sensors as close to the traffic source as possible so that packets are inspected at the earliest possible stage.
CLI Configuration:
This is an example of an interface policy on port1 with a custom IPS sensor named 'Custom.IPS.Sensor':
config firewall interface-policy
    edit 1
        set interface "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set ips-sensor-status enable
        set ips-sensor "Custom.IPS.Sensor"
    next
end
For IPv6 traffic, use 'config firewall interface-policy6' instead; the entry is built the same way.
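The following added example (not Fortinet code, and not part of this article) shows how an administrator can audit a FortiOS configuration backup for the interface policies described above. It parses the 'config firewall interface-policy' and 'interface-policy6' tables, reports entries where the IPS sensor is disabled or missing, lists interfaces that have no IPS sensor attached for IPv4 or IPv6, and can also render the CLI snippet from this article for a given interface. The configuration text is constructed for the example; the IPv6 attribute names (srcaddr6, dstaddr6, service6) are assumed.

```python
"""Audit FortiOS interface policies for IPS sensor coverage.
Added example, not Fortinet code. SAMPLE_CONFIG is constructed; the
interface-policy6 attribute names are assumed."""
import re
from typing import Dict, List, Optional

# Constructed config excerpt in the shape of the article's CLI example.
SAMPLE_CONFIG = """\
config firewall interface-policy
    edit 1
        set interface "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set ips-sensor-status enable
        set ips-sensor "Custom.IPS.Sensor"
    next
    edit 2
        set interface "port2"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set ips-sensor-status disable
    next
end
config firewall interface-policy6
    edit 1
        set interface "port1"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set service6 "ALL"
        set ips-sensor-status enable
        set ips-sensor "Custom.IPS.Sensor"
    next
end
"""

TABLE_RE = re.compile(r'^config firewall (interface-policy6?)$')
SET_RE = re.compile(r'^set\s+(\S+)\s+(.*)$')


def parse_interface_policies(config: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Return {table: {entry_id: {attribute: value}}} for both interface-policy tables."""
    tables: Dict[str, Dict[str, Dict[str, str]]] = {}
    table: Optional[str] = None
    entry: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = TABLE_RE.match(line)
        if m:
            table = m.group(1)
            tables.setdefault(table, {})
            continue
        if table is None:
            continue  # some other config table; skip it
        if line.startswith('edit '):
            entry = line.split(None, 1)[1].strip('"')
            tables[table][entry] = {}
        elif line == 'next':
            entry = None
        elif line == 'end':
            table = None
        else:
            m = SET_RE.match(line)
            if m and entry is not None:
                tables[table][entry][m.group(1)] = m.group(2).strip().strip('"')
    return tables


def ips_coverage(tables, interfaces: List[str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Per interface, the IPS sensor enforced by the IPv4 and IPv6 interface policies (None if absent)."""
    result = {i: {'interface-policy': None, 'interface-policy6': None} for i in interfaces}
    for table, entries in tables.items():
        for attrs in entries.values():
            iface = attrs.get('interface')
            enabled = attrs.get('ips-sensor-status') == 'enable'
            if iface in result and enabled and attrs.get('ips-sensor'):
                result[iface][table] = attrs['ips-sensor']
    return result


def audit_findings(tables, interfaces: List[str]) -> List[str]:
    """Human-readable findings: misconfigured entries and interfaces without IPS coverage."""
    findings = []
    for table, entries in tables.items():
        for eid, attrs in entries.items():
            iface = attrs.get('interface', '?')
            if attrs.get('ips-sensor-status') == 'enable' and not attrs.get('ips-sensor'):
                findings.append(f"{table} edit {eid} ({iface}): ips-sensor-status enable but no ips-sensor set")
            elif attrs.get('ips-sensor-status') != 'enable':
                findings.append(f"{table} edit {eid} ({iface}): IPS sensor not enabled")
    for iface, per_table in ips_coverage(tables, interfaces).items():
        for table, sensor in per_table.items():
            if sensor is None:
                findings.append(f"{iface}: no IPS sensor attached via {table}")
    return findings


def render_interface_policy(entry_id: str, interface: str, sensor: str, ipv6: bool = False) -> str:
    """Emit the article's CLI snippet for one interface (interface-policy6 variant when ipv6=True)."""
    sfx = '6' if ipv6 else ''
    return "\n".join([
        f"config firewall interface-policy{sfx}",
        f"    edit {entry_id}",
        f'        set interface "{interface}"',
        f'        set srcaddr{sfx} "all"',
        f'        set dstaddr{sfx} "all"',
        f'        set service{sfx} "ALL"',
        "        set ips-sensor-status enable",
        f'        set ips-sensor "{sensor}"',
        "    next",
        "end",
    ])


if __name__ == '__main__':
    parsed = parse_interface_policies(SAMPLE_CONFIG)
    for finding in audit_findings(parsed, ['port1', 'port2']):
        print(finding)
    print(render_interface_policy('3', 'port3', 'Custom.IPS.Sensor', ipv6=True))
```

Run it against a 'show full-configuration' export and a list of the interfaces that should be protected; any finding for an interface means traffic on it is not being inspected by IPS at the interface-policy stage.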
Note:
Enabling an interface policy disables traffic offloading on that interface, so traffic through it is processed by the CPU instead of being accelerated.