Technical Tip: Allow specific IPS App Signature

esalija · ‎02-24-2023

Description

This article describes how to allow specific IPS app signatures in case other IPS alerts are needed.

Scope

FortiGate all firmware.
It is possible to allow IPS traffic in the IPS profile by changing the action of the profile.

Solution

To allow IPS signature traffic, it is first necessary to check log messages to find out more about the IPS log details, like IPS name, rule number, etc.

To check log details, go to Log & Report -> Intrusion Prevention, and select log entry and Details in the right corner.

In the Intrusion Prevention section take notes of:

Profile Name: EICAR
Attack Name: Eicar.Virus.Test.File
Attack ID: 29844

Open CLI and execute:

FGT # config ips sensor
FGT (sensor) # edit EICAR    <- IPS Profile name activated on Firewall policy (in this example EICAR).
FGT (EICAR) # show
config ips sensor
    edit "EICAR"
        config entries
            edit 1
                set rule 29844
                set status enable
                set log enable
                set log-packet enable
                set action block
            next
        end
    next
end

FGT (EICAR) # config entries <- Enter config section and edit entry of interest.
FGT (entries) # edit 1
FGT (1) # set action pass
FGT (1) # next
FGT (entries) # end
FGT (EICAR) # end

After allowing the traffic, when the user tries to navigate and download a test file.