FortiGate
esalija
Staff
Article Id 247117
Description: This article describes how to allow a specific IPS signature when the other IPS alerts are still needed.
Scope: FortiGate, all firmware.
Traffic that triggers an IPS signature can be allowed by changing the action of the matching entry in the IPS profile.
Solution

To allow traffic that matches an IPS signature, first check the log messages for the IPS log details, such as the IPS name, rule number, etc.

To check the log details, go to Log & Report -> Intrusion Prevention, select the log entry, and select Details in the right corner.

 


 

In the Intrusion Prevention section, take note of:

 

Profile Name: EICAR
Attack Name: Eicar.Virus.Test.File
Attack ID: 29844

 

Open CLI and execute:


FGT # config ips sensor
FGT (sensor) # edit EICAR     <- IPS Profile name activated on Firewall policy (in this example EICAR).
FGT (EICAR) # show
config ips sensor
    edit "EICAR"
        config entries
            edit 1
                set rule 29844
                set status enable
                set log enable
                set log-packet enable
                set action block
            next
        end
    next
end


FGT (EICAR) # config entries   <- Enter config section and edit entry of interest.
FGT (entries) # edit 1
FGT (1) # set action pass
FGT (1) # next
FGT (entries) # end
FGT (EICAR) # end
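
An added example, not part of the original article and not Fortinet code: a short Python script that reads the `show` output of `config ips sensor` and lists every entry whose action is `pass`, so that exceptions like the one configured above can be reviewed later. The function name `pass_entries`, the sample text and rule 11111 are constructed for illustration; fields missing from the output are reported as `None` rather than assuming a firmware default.

```python
import shlex

# Constructed sample: the article's EICAR sensor after "set action pass",
# plus a made-up second entry (rule 11111) that is still set to block.
SAMPLE = '''
config ips sensor
    edit "EICAR"
        config entries
            edit 1
                set rule 29844
                set status enable
                set log enable
                set log-packet enable
                set action pass
            next
            edit 2
                set rule 11111
                set action block
            next
        end
    next
end
'''

def pass_entries(config_text):
    """Return sensor entries whose action is 'pass' (unset fields stay None)."""
    found, stack, sensor, entry = [], [], None, None
    for line in config_text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "config":            # entering a table, e.g. "ips sensor"
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end" and stack:   # leaving the current table
            stack.pop()
        elif tok[0] == "edit" and stack == ["ips sensor"]:
            sensor = tok[1]
        elif tok[0] == "edit" and stack == ["ips sensor", "entries"]:
            entry = {"sensor": sensor, "entry": tok[1], "rules": [], "action": None, "log": None}
        elif tok[0] == "set" and entry and stack[-1:] == ["entries"]:
            if tok[1] == "rule":
                entry["rules"] = [int(r) for r in tok[2:]]
            elif tok[1] in ("action", "log"):
                entry[tok[1]] = tok[2]
        elif tok[0] == "next" and entry and stack[-1:] == ["entries"]:
            if entry["action"] == "pass":
                found.append(entry)
            entry = None
    return found
```

Calling `pass_entries(SAMPLE)` returns one finding, entry 1 of sensor EICAR with rule 29844; a pass entry whose `log` value is not `enable` deserves a closer look because the allowed traffic would leave no IPS log.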

 

After allowing the traffic, when the user tries to navigate and download a test file.