FortiGate
gmanea, Staff
Description
In certain cases it may be necessary to exempt a specific signature from an IPS sensor (filter profile).
For example, local servers may be mistakenly triggering a signature, and it is neither possible nor desirable to add all of their IP addresses to the list of addresses exempt from scanning.

This article describes this condition and how it is possible to remove one definition from scanning.

Scope
The default IPS sensor contains a single filter matching the severities Medium, High and Critical, and the signatures it selects keep their default action (for most of them, Block).

The default action stored for a signature cannot be changed, but in a custom filter the action applied to that signature can be different.

Note that the 'default' and 'g-default' profiles cannot be modified.
Create a custom IPS profile instead, either from scratch or by cloning an existing one.

The following screen shows the signature in question and its default action, which is 'Block'.

Solution


To exclude this signature from scanning (for example because it is absolutely certain that the traffic it matches is legitimate), it is necessary to create a custom filter in the profile and change the action:





Both filters are now visible in the IPS profile, the newly added one with the 'Allow' action:




But this means the signature in question is now present twice: once in the 'Critical' severity filter, with action 'Block', and once more in the custom filter, with a custom action ('Allow').

Which one is used in this case? The match with the 'Block' action takes priority, and the traffic is still blocked.
Simply adding the signature to the IPS profile with a custom action is therefore enough only when the goal is to change the signature's default action from 'Allow' to 'Block'.

Even if the custom filter is dragged above the severity filters, the result is the same: the custom filter yields 'Allow', but the remaining filters are still searched, and the signature is found again in the severity filter, this time with its default action 'Block'.

The solution is to add a custom filter that includes all the other signatures but excludes this one, because all the other IPS signatures rated as critical severity still need to be scanned by the profile.
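As an added illustration (this is not code from the article or from Fortinet, and FortiGate does not run Python), the following model reproduces the precedence rule the article describes: every filter that contains a signature is evaluated, and a filter yielding 'Block' wins over one yielding 'Allow' regardless of filter order. The `exclude` field stands in for the "all other signatures but this one" filter built in the GUI; the signature IDs are constructed for the example and are not real FortiGuard IDs.

```python
# Added illustration: a small model of the filter-precedence behaviour described in this
# article. It is NOT FortiGate code, and the precedence rule is the one stated in the text
# above (a matching filter that yields Block wins over one that yields Allow), not a
# statement of Fortinet's implementation. Signature IDs below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sid: int              # constructed ID, not a real FortiGuard signature ID
    severity: str         # info, low, medium, high or critical
    default_action: str   # "block" or "pass" (shown as Block / Allow in the GUI)


@dataclass(frozen=True)
class Entry:
    """One filter entry of a custom IPS sensor, listed in the order shown in the profile."""
    action: str = "default"              # "default", "pass" or "block"
    severities: frozenset = frozenset()  # empty = no severity criterion
    rules: frozenset = frozenset()       # explicit signature IDs; empty = no ID criterion
    exclude: frozenset = frozenset()     # IDs left out of this entry (the article's
                                         # "all other signatures but this one" filter)

    def matches(self, sig: Signature) -> bool:
        if not (self.rules or self.severities):
            return False                 # an entry with no criteria selects nothing
        if sig.sid in self.exclude:
            return False
        if self.rules and sig.sid not in self.rules:
            return False
        if self.severities and sig.severity not in self.severities:
            return False
        return True

    def resolve(self, sig: Signature) -> str:
        return sig.default_action if self.action == "default" else self.action


def effective_action(sensor, sig: Signature) -> str:
    """Action applied to traffic matching `sig` under the article's rule: every filter that
    contains the signature is evaluated, a Block from any of them takes priority, and a
    signature contained in no filter is simply not scanned (treated as pass)."""
    actions = [e.resolve(sig) for e in sensor if e.matches(sig)]
    if "block" in actions:
        return "block"
    return actions[0] if actions else "pass"


# Constructed signatures: the false-positive one, another critical one, and a low one.
FALSE_POSITIVE = Signature(sid=44444, severity="critical", default_action="block")
OTHER_CRITICAL = Signature(sid=55555, severity="critical", default_action="block")
LOW_ALLOWED = Signature(sid=66666, severity="low", default_action="pass")

# The default filter: severity Medium/High/Critical with the signatures' default actions.
SEVERITY_FILTER = Entry(severities=frozenset({"medium", "high", "critical"}))

# Attempt 1: add a per-signature filter with Allow above the severity filter.
NAIVE_SENSOR = (
    Entry(action="pass", rules=frozenset({FALSE_POSITIVE.sid})),
    SEVERITY_FILTER,
)

# Fix: the per-signature Allow filter plus a severity filter that excludes that signature.
FIXED_SENSOR = (
    Entry(action="pass", rules=frozenset({FALSE_POSITIVE.sid})),
    Entry(severities=frozenset({"medium", "high", "critical"}),
          exclude=frozenset({FALSE_POSITIVE.sid})),
)

# The reverse case from the text: forcing Block on a signature whose default is Allow.
HARDENED_SENSOR = (
    Entry(action="block", rules=frozenset({LOW_ALLOWED.sid})),
    SEVERITY_FILTER,
)


def scenarios() -> dict:
    """Effective action per scenario; see the assertions in the usage below."""
    return {
        "naive_false_positive": effective_action(NAIVE_SENSOR, FALSE_POSITIVE),
        "fixed_false_positive": effective_action(FIXED_SENSOR, FALSE_POSITIVE),
        "fixed_other_critical": effective_action(FIXED_SENSOR, OTHER_CRITICAL),
        "default_low_signature": effective_action((SEVERITY_FILTER,), LOW_ALLOWED),
        "hardened_low_signature": effective_action(HARDENED_SENSOR, LOW_ALLOWED),
    }


if __name__ == "__main__":
    for name, action in scenarios().items():
        print(f"{name}: {action}")
```

Running it shows the three outcomes the text describes: the naive sensor still blocks the false positive (and reversing its filter order changes nothing), the fixed sensor allows it while the other critical signature stays blocked, and a per-signature Block entry is sufficient on its own to harden a signature whose default is Allow.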




The end result:




Note.
IPS filtering and signature selection differ between FortiOS versions.
The example above was done in FortiOS 6.2, and the behavior is the same in FortiOS 6.4 and FortiOS 7.0.
FortiOS 6.0 and earlier versions have a slightly different IPS selection sequence and behavior.

Related Articles

Technical Note: Exempting IP addresses from IPS sensor scanning

Technical Tip: How to Configure the FortiGate to Block an IPS Attack and change the default IPS acti...
