FortiGate
xshkurti (Staff)
Article Id 231384
Description
This article describes how to disable logging for specific IPS signatures within an IPS sensor (shown as an IPS profile in the GUI). This is useful when an administrator wants to reduce unnecessary IPS event logging, for example for traffic that is only monitored or explicitly allowed.
Scope

FortiGate.

Solution

Important Note before starting:

IPS rules with the block action are always logged, regardless of the log setting in the IPS rule configuration. It is expected behavior that traffic dropped by an IPS signature always generates an IPS event log.

With that in mind, logging can only be disabled for an IPS rule whose action is pass (set action pass, which explicitly allows traffic matching the signature or filter) or default (set action default, provided the signature's own default action is Pass). Before disabling logging, confirm that the traffic matching these signatures is not a threat, for example a known false positive that is safe to stop logging. Note that setting a signature to pass also stops the IPS engine from blocking that traffic, so this is a change to enforcement as well as to logging.

 

Disabling logging for specific IPS Signatures

To disable IPS signature logging, start by reviewing the existing IPS logs and identifying the Attack ID of the signature in question.

 

To do this, navigate to Log & Report -> Security Events -> Intrusion Prevention, select the relevant log entry, then either double-click it or select the Details button in the upper-right corner to view the log details. For example, in the following screenshot the Attack ID matching this traffic is 14757:

 

[Screenshot: Intrusion Prevention log details, with the Attack ID field (14757) highlighted]

 

Next, open the CLI and modify the IPS sensor using the following commands:

config ips sensor
    edit <name>
        config entries
            edit <id>
                set rule <attack_id>
                set status enable
                set log [disable|enable]
                set action pass
            next
        end
    next
end

 

For example, the following commands modify the 'ips_test_14757' IPS sensor and add or modify entry 1 to pass matching traffic without generating a log entry:

config ips sensor
    edit ips_test_14757          <----- Example name of the IPS sensor.
        config entries
            edit 1               <----- ID of the IPS signature/filter entry.
                set rule 14757   <----- Attack ID of the IPS signature.
                set status enable
                set log disable  <----- Disable logging for this entry.
                set action pass  <----- Allow matching traffic (required, since block is always logged).
            next
        end
    next
end

 

Note that logging can also be controlled from the GUI. The following shows the GUI actions for an IPS signature entry and their CLI equivalents:

  • Allow: set action pass and set log disable.
  • Monitor: set action pass and set log enable.

After disabling logging, traffic matching Attack ID 14757 will no longer generate an IPS event log.
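To make the identification step less manual, the following is an added example (not part of the Fortinet article) in Python. It parses FortiGate-style key=value IPS log lines, counts events per Attack ID and per action, and renders the CLI snippet above for the chosen IDs. It refuses to emit an entry for a signature that has been dropping traffic unless that signature is explicitly confirmed as a false positive, because block events cannot be silenced with set log disable. The sample log lines, the device name, the addresses and the Attack ID 12345 are constructed for the example; only the key=value layout, the type/subtype/attackid fields and the action values detected/dropped are taken from the FortiGate IPS log format. Attack ID 14757 is the one used in the article.

```python
import re
from collections import Counter

# Constructed sample log lines in the FortiGate key=value syslog style used for
# IPS events (type="utm" subtype="ips", action, attack, attackid). Device name,
# addresses, timestamps and the attack ID 12345 are made up for this example;
# 14757 is the Attack ID used in the article.
SAMPLE_LOGS = """\
date=2023-01-10 time=10:01:02 devname="FGT-EXAMPLE" type="utm" subtype="ips" eventtype="signature" severity="medium" srcip=10.0.0.5 dstip=10.0.1.20 action="detected" attack="Example.Monitored.Signature" attackid=14757
date=2023-01-10 time=10:01:07 devname="FGT-EXAMPLE" type="utm" subtype="ips" eventtype="signature" severity="medium" srcip=10.0.0.6 dstip=10.0.1.20 action="detected" attack="Example.Monitored.Signature" attackid=14757
date=2023-01-10 time=10:01:09 devname="FGT-EXAMPLE" type="utm" subtype="webfilter" eventtype="ftgd_allow" srcip=10.0.0.6 dstip=203.0.113.7 action="passthrough"
date=2023-01-10 time=10:02:30 devname="FGT-EXAMPLE" type="utm" subtype="ips" eventtype="signature" severity="high" srcip=198.51.100.9 dstip=10.0.1.20 action="dropped" attack="Example.Blocked.Signature" attackid=12345
date=2023-01-10 time=10:03:11 devname="FGT-EXAMPLE" type="utm" subtype="ips" eventtype="signature" severity="medium" srcip=10.0.0.7 dstip=10.0.1.20 action="detected" attack="Example.Monitored.Signature" attackid=14757
"""

# key=value pairs; a value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Split one FortiGate syslog line into a dict, stripping quotes from values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def summarize_ips_events(log_text):
    """Count IPS events per Attack ID, broken down by the action the IPS engine took."""
    summary = {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("type") != "utm" or f.get("subtype") != "ips" or "attackid" not in f:
            continue  # not an IPS event (e.g. webfilter); ignore
        entry = summary.setdefault(
            f["attackid"], {"attack": f.get("attack", ""), "actions": Counter()}
        )
        entry["actions"][f.get("action", "")] += 1
    return summary


def build_sensor_config(sensor_name, attack_ids, summary, confirmed_false_positives=()):
    """Render the CLI snippet from the article for the given Attack IDs.

    Signatures that have been seen blocking traffic (action="dropped") are skipped
    unless listed in confirmed_false_positives: block events are always logged, so
    the only way to silence them is to change the action to pass, and that is an
    enforcement change that must be a deliberate decision.
    Returns (cli_text, skipped_attack_ids).
    """
    lines = ["config ips sensor", f"    edit {sensor_name}", "        config entries"]
    skipped = []
    entry_id = 0
    for aid in attack_ids:
        actions = summary.get(aid, {}).get("actions", Counter())
        if actions.get("dropped", 0) and aid not in confirmed_false_positives:
            skipped.append(aid)
            continue
        entry_id += 1
        lines += [
            f"            edit {entry_id}",
            f"                set rule {aid}",
            "                set status enable",
            "                set log disable",
            "                set action pass",
            "            next",
        ]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines), skipped


if __name__ == "__main__":
    summary = summarize_ips_events(SAMPLE_LOGS)
    for aid, info in summary.items():
        print(aid, info["attack"], dict(info["actions"]))
    cli, skipped = build_sensor_config("ips_test_14757", list(summary), summary)
    print(cli)
    print("skipped (blocked, not confirmed as false positive):", skipped)
```

Run against a syslog export of the Intrusion Prevention log, the summary shows which Attack IDs are only ever "detected" (safe candidates for set log disable) and which are "dropped" (logging can only stop by changing the action to pass, which should only happen for confirmed false positives). The generated snippet uses the same entry layout as the article and can be pasted into the CLI after review.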

 

Side Note regarding Automation Stitches:

The 'IPS Event' automation trigger fires whenever an IPS signature event is logged (blocked or monitored). Keep this in mind if false-positive traffic is hitting a block rule: because block events are always logged, they can generate a significant number of logs and alerts, and set log disable will not suppress them.