FortiGate
gpap_FTNT
Staff
Article Id 190610

Description


This article describes how to exempt a source/destination IP from a particular IPS signature.

 

Scope

 

FortiGate.

Solution

 
From CLI:
IP exemptions can only be added to the IPS profile if the signatures are explicitly mentioned.
 
config ips sensor
    edit <sensor name>
        config entries
            edit <rule num>
                config exempt-ip
                    edit <exempt-ip-rule-id>
                        set src-ip <ip4mask>
                    next
                    edit <exempt-ip-rule-id-1>
                        set dst-ip <ip4mask>
                    next
                end
            next
        end
    next
end

Multiple IP exemptions can be added by adding more exempt-ip-rule-id entries.
 
From GUI:
Go to the IPS sensor -> Add signatures (under IPS signatures), select the signature, and Edit IP exemptions.

Refer to the following screenshot:


[Screenshot: athirat_FD40588_tn_FD40588-1.jpg]

For more information, refer to the appropriate FortiOS CLI Reference guide in the Fortinet Document Library.
 
Note:
When configuring the 'source' and 'destination' IPs, set them according to the direction of the attack.
For example, if the IPS log shows the server as the destination and the host as the source, the exemption should be configured with the server as the source and the host as the destination. The following log entry, with direction="incoming", is such a case:
 
 
date=2019-10-27 time=18:44:54 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1572198294024252859 tz="+0100" severity="info" srcip=192.168.209.45 srccountry="Reserved" dstip=213.211.198.58 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=8180 action="dropped" proto=6 service="HTTP" policyid=1 attack="Eicar.Virus.Test.File" srcport=41300 dstport=80 hostname="2016.eicar.org" url="/download/eicar.com" direction="incoming" attackid=29844 profile="protect_client" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=1244883271 msg="file_transfer: Eicar.Virus.Test.File,"
 
To exempt the host, configure the following:
 
config ips sensor
    edit <sensor_name>
        config entries
            edit 2
                set rule 29844
                set status enable
                set action block
                config exempt-ip
                    edit 1
                        set src-ip 213.211.198.58 255.255.255.255
                        set dst-ip 192.168.209.45 255.255.255.255
                    next
                end
            next
        end
    next
end
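
The source/destination swap described in the note can be derived directly from the log line. The following Python sketch is an added example, not part of the original article or any Fortinet tooling: it parses a log entry like the one above, picks the exemption endpoints from the direction field, and renders the exempt-ip block. The function names and the sensor name and entry ID arguments are hypothetical, and treating direction="outgoing" as "no swap" is an assumption the article does not state.

```python
import ipaddress
import re

# Constructed sample: shortened copy of the IPS log line shown in this article.
SAMPLE_LOG = ('date=2019-10-27 time=18:44:54 type="utm" subtype="ips" '
              'srcip=192.168.209.45 dstip=213.211.198.58 action="dropped" '
              'attack="Eicar.Virus.Test.File" direction="incoming" attackid=29844')

def parse_kv(line):
    """Split a FortiGate log line into a dict; values may be double-quoted."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)
    return {key: quoted or bare for key, quoted, bare in pairs}

def exemption_endpoints(fields):
    """Return (src-ip, dst-ip) for the exemption, following the attack direction."""
    if fields.get("subtype") != "ips":
        raise ValueError("not an IPS log line")
    # exempt-ip takes <ip4mask>: IPv4Address raises ValueError on anything else.
    src = str(ipaddress.IPv4Address(fields["srcip"]))
    dst = str(ipaddress.IPv4Address(fields["dstip"]))
    direction = fields.get("direction")
    if direction == "incoming":   # article's case: attack travels dstip -> srcip
        return dst, src
    if direction == "outgoing":   # assumption: attack travels srcip -> dstip
        return src, dst
    raise ValueError(f"unknown direction {direction!r}; check the log manually")

def build_exemption(line, sensor, entry_id, exempt_id=1):
    """Render the CLI block; sensor, entry_id and exempt_id are operator-supplied."""
    fields = parse_kv(line)
    src, dst = exemption_endpoints(fields)
    rule = int(fields["attackid"])  # the signature must be named explicitly
    host = "255.255.255.255"        # host mask: exempt exactly this pair
    return "\n".join([
        "config ips sensor",
        f"    edit {sensor}",
        "        config entries",
        f"            edit {int(entry_id)}",
        f"                set rule {rule}",
        "                config exempt-ip",
        f"                    edit {int(exempt_id)}",
        f"                        set src-ip {src} {host}",
        f"                        set dst-ip {dst} {host}",
        "                    next",
        "                end",
        "            next",
        "        end",
        "    next",
        "end",
    ])
```

Calling build_exemption(SAMPLE_LOG, "protect_client", 2) returns the same src-ip and dst-ip values as the configuration above; the status and action of the entry are left for the operator to set.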
 

Related documents:

Configuring an IPS sensor

Exempting specific subnet or IP from all IPS signatures or specific IPS signature from GUI