FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
xshkurti
Staff
Article Id 231384


Description

This article describes how to disable logging for specific IPS signatures.
Scope

FortiGate.
It is possible to disable logging for specific IPS signatures when an IPS profile is enabled and unnecessary logging, for example from signatures that produce false positives, needs to be removed.


Caution:
To disable logging for a specific IPS signature, the action for that signature must be 'pass', either by configuration or as its default action.
If the action is changed from the default 'drop' to 'pass', confirm that the traffic this configuration now allows through is not a threat.

Solution

To disable IPS signature logging, check the IPS log details and identify the Attack ID.

To check the IPS log details and identify the Attack ID, go to Log & Report -> Intrusion Prevention, select the log entry, and select Details in the upper right corner.


The attack ID is '14757' in this example:


[Screenshot: Log & Report -> Intrusion Prevention, log details with the Attack ID marked]


Open the CLI and execute the following commands:


FGT # config ips sensor
FGT (sensor) # edit test-14757 <----- IPS profile name activated on the firewall policy (in this example 'test-14757').
FGT (test-14757) # show
config ips sensor
    edit "test-14757"
        config entries <----- Enter the config section and edit the entry of interest.
            edit 1
                set rule 14757
            next
        end
    next
end
FGT (test-14757) # config entries
FGT (entries) # edit 1
FGT (1) # set log disable
FGT (1) # set action pass
FGT (1) # end
FGT (test-14757) # show
config ips sensor
    edit "test-14757"
        config entries
            edit 1
                set rule 14757
                set log disable <----- Log changed from 'enable' to 'disable'.
                set action pass <----- Action changed from 'default' to 'pass'.
            next
        end
    next
end
FGT (test-14757) # end
FGT #


After disabling the log, logs for Attack ID 14757 will no longer be generated.
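As an added example that is not part of the original article, the following Python script parses FortiGate IPS log lines in their key=value syslog format, counts hits per Attack ID (together with the signature name and action) so that a noisy signature can be identified and the Caution above checked before its logging is suppressed, and then renders the sensor entry shown in the CLI above. The sample log lines, signature names and the second Attack ID are constructed placeholders; the field names (type, subtype, attackid, attack, action, profile) are the FortiGate log fields.

```python
import re
from collections import Counter

# Constructed sample lines in FortiGate key=value log format (abbreviated).
# Signature names and the attackid 99999 are placeholders, not real values.
SAMPLE_IPS_LOGS = """\
date=2024-01-10 time=10:11:12 type="utm" subtype="ips" eventtype="signature" severity="medium" srcip=10.0.0.5 dstip=10.0.0.9 action="detected" attack="Placeholder.Signature.A" attackid=14757 profile="test-14757"
date=2024-01-10 time=10:11:13 type="utm" subtype="ips" eventtype="signature" severity="medium" srcip=10.0.0.6 dstip=10.0.0.9 action="detected" attack="Placeholder.Signature.A" attackid=14757 profile="test-14757"
date=2024-01-10 time=10:11:14 type="utm" subtype="ips" eventtype="signature" severity="high" srcip=10.0.0.7 dstip=10.0.0.9 action="dropped" attack="Placeholder.Signature.B" attackid=99999 profile="test-14757"
"""

# key=value pairs; values are either a double-quoted string (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_log_line(line: str) -> dict:
    """Split one FortiGate key=value log line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields

def count_ips_attacks(log_text: str) -> Counter:
    """Count IPS signature hits, keyed by (attackid, signature name, action).

    The action is kept in the key because a signature that is currently 'dropped'
    must be reviewed before its action is changed to 'pass' (see the Caution).
    """
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f.get("type") == "utm" and f.get("subtype") == "ips" and "attackid" in f:
            counts[(f["attackid"], f.get("attack", ""), f.get("action", ""))] += 1
    return counts

def suppress_signature_cli(sensor: str, attack_id: int, entry_id: int = 1) -> str:
    """Render the CLI from the article: one sensor entry for the rule with action pass and log disable."""
    return "\n".join([
        "config ips sensor",
        f'    edit "{sensor}"',
        "        config entries",
        f"            edit {entry_id}",
        f"                set rule {attack_id}",
        "                set action pass",
        "                set log disable",
        "            next",
        "        end",
        "    next",
        "end",
    ])

if __name__ == "__main__":
    for (aid, name, action), n in count_ips_attacks(SAMPLE_IPS_LOGS).most_common():
        print(f"attackid={aid} attack={name} action={action} hits={n}")
    print(suppress_signature_cli("test-14757", 14757))
```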