FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
gpap_FTNT
Staff & Editor
Article Id 190610

Description


This article describes how to exempt a source/destination IP from a particular IPS signature.

 

Scope

 

FortiGate.

Solution

 
Applying IP Exemptions from the CLI:
Note: IP exemptions can only be added to the IPS profile when using a Signature-type entry. This requires setting the matching IPS signature ID(s) within the IPS entry first; otherwise the IP exemption section is not visible:
 
config ips sensor
    edit <sensor name>
        config entries
            edit <rule num>
                set rule <signature_id>    <----- Must be set first before config exempt-ip becomes available.
                config exempt-ip
                    edit <exempt-ip-rule-id>
                        set src-ip <class_ip&net_netmask>    <----- Can be in CIDR format (10.0.0.0/24) or subnet mask format (10.0.0.0 255.255.255.0).
                        set dst-ip <class_ip&net_netmask>
                    next
                end
            next
        end
    end

Multiple IP exemptions can be added by creating additional exempt-ip entries, each with its own exempt-ip-rule-id.
 
Applying IP Exemptions from the GUI:
 
  1. Navigate to Security Profiles -> Intrusion Prevention, edit or create an IPS sensor, then select Create New under IPS Signatures and Filters.
  2. From there, change the Type to Signature, then select Edit IP Exemptions. Refer to the screenshots below for visual guidance.

 

[Screenshot: Edit IP Exemptions 01]

[Screenshot: Edit IP Exemptions 02]

Note:
When configuring the 'source' and 'destination' IPs, they must be chosen according to the direction of the attack, not simply copied from the log.
e.g. If, in the IPS logs, the destination is the server and the source is the host, configure the exemption so that the source is the server and the destination is the host.
 
 
date=2019-10-27 time=18:44:54 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1572198294024252859 tz="+0100" severity="info" srcip=192.168.209.45 srccountry="Reserved" dstip=213.211.198.58 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=8180 action="dropped" proto=6 service="HTTP" policyid=1 attack="Eicar.Virus.Test.File" srcport=41300 dstport=80 hostname="2016.eicar.org" url="/download/eicar.com" direction="incoming" attackid=29844 profile="protect_client" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=1244883271 msg="file_transfer: Eicar.Virus.Test.File,"
 
To exempt the host, configure the following:
 
config ips sensor
    edit <sensor_name>
        config entries
            edit 2
                set rule 29844
                set status enable
                set action block
                config exempt-ip
                    edit 1
                        set src-ip 213.211.198.58 255.255.255.255
                        set dst-ip 192.168.209.45 255.255.255.255
                    next
                end
            next
        end
    end
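The following Python script is an added helper, not part of this article or of FortiOS: it parses a FortiGate IPS log record of the form shown above, extracts the attackid, the endpoints and the direction, and prints the matching exempt-ip configuration block, with the source/destination swap applied as the note above describes. The address normalizer accepts both the CIDR and the subnet-mask formats the CLI allows. The sample log line is the one from this article; the sensor name defaults to the log's profile field. One assumption is labelled in the code: the article only shows the swap for a direction="incoming" record, so for any other direction the script keeps the log order unchanged.

```python
import ipaddress
import re
from typing import Dict, Tuple

# IPS log record taken from the article above (not constructed).
SAMPLE_LOG = (
    'date=2019-10-27 time=18:44:54 logid="0419016384" type="utm" subtype="ips" '
    'eventtype="signature" level="alert" vd="root" eventtime=1572198294024252859 '
    'tz="+0100" severity="info" srcip=192.168.209.45 srccountry="Reserved" '
    'dstip=213.211.198.58 srcintf="port2" srcintfrole="undefined" dstintf="port1" '
    'dstintfrole="undefined" sessionid=8180 action="dropped" proto=6 service="HTTP" '
    'policyid=1 attack="Eicar.Virus.Test.File" srcport=41300 dstport=80 '
    'hostname="2016.eicar.org" url="/download/eicar.com" direction="incoming" '
    'attackid=29844 profile="protect_client" ref="http://www.fortinet.com/ids/VID29844" '
    'incidentserialno=1244883271 msg="file_transfer: Eicar.Virus.Test.File,"'
)

# FortiGate logs are key=value pairs; values are either double-quoted (and may
# contain spaces, '=' or commas) or bare tokens without whitespace.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate log record into a dict, stripping surrounding quotes."""
    fields: Dict[str, str] = {}
    for key, value in _FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def to_fortios_addr(spec: str) -> str:
    """Normalize '10.0.0.0/24', '10.0.0.0 255.255.255.0' or a bare host IP
    to the 'address netmask' form used by 'set src-ip' / 'set dst-ip'."""
    net = ipaddress.ip_network("/".join(spec.split()), strict=False)
    return f"{net.network_address} {net.netmask}"


def exemption_endpoints(fields: Dict[str, str]) -> Tuple[str, str]:
    """Return (src, dst) for the exempt-ip entry.

    In the article's example an incoming detection is logged with srcip=host and
    dstip=server, and the exemption uses src-ip=server, dst-ip=host, i.e. the
    log endpoints are swapped. Assumption (not stated in the article): for any
    other direction value the log order is kept as-is.
    """
    if fields.get("direction") == "incoming":
        return fields["dstip"], fields["srcip"]
    return fields["srcip"], fields["dstip"]


def render_exemption(fields: Dict[str, str], sensor_name: str = "",
                     entry_id: int = 2, exempt_id: int = 1) -> str:
    """Render the 'config ips sensor' block that exempts this log's host/server
    pair from the signature that fired (attackid)."""
    src, dst = exemption_endpoints(fields)
    # The IPS log's profile field carries the sensor name that matched.
    sensor = sensor_name or fields.get("profile", "<sensor_name>")
    lines = [
        "config ips sensor",
        f"    edit {sensor}",
        "        config entries",
        f"            edit {entry_id}",
        f"                set rule {fields['attackid']}",
        "                set status enable",
        "                set action block",
        "                config exempt-ip",
        f"                    edit {exempt_id}",
        f"                        set src-ip {to_fortios_addr(src)}",
        f"                        set dst-ip {to_fortios_addr(dst)}",
        "                    next",
        "                end",
        "            next",
        "        end",
        "    end",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_exemption(parse_fortigate_log(SAMPLE_LOG)))
```

Review the printed block before pasting it into the CLI: the entry id (edit 2) and exempt-ip id (edit 1) are the article's example values and must not collide with entries already present in the sensor, and the action/status lines should match what the existing signature entry is meant to do.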
 

Related documents: