Description
This article describes how to exempt a specific signature from an IPS filter profile, that is, how to remove one definition from scanning.
In certain cases, exempting a specific signature from an IPS filter profile may be necessary.
For example, if local servers are mistakenly triggering a signature, it is neither possible nor desirable to add all of their IP addresses to the list of addresses exempt from scanning.
Scope
The default IPS profile is configured with the following filters: Medium, High, Critical. The IPS signatures selected by these filters keep their default actions (for most of them, block).
It is not possible to change the default stored value for a signature, but in a custom filter, the action can be different.
Note that the 'default' or 'g-default' profiles cannot be modified.
Create a custom IPS profile, either from scratch or by cloning an existing one.
In the following screen, it is possible to see this signature and its default Action, which is 'Block'.
Solution
To exclude this signature from scanning (for example, because it is absolutely certain that the matching traffic is legitimate), the first step is to create a custom filter for it and change the action:
Both filters are now visible in the IPS profile, the newly added one with 'Allow' action:
But this means the signature in question is present twice: once in 'Critical' severity filter, with action 'Block', and once more in the custom filter, with a custom action ('Allow').
Which one is used in this case?
The first match with 'Block' action (either manually configured or Default) takes priority and blocks the traffic. Any 'Allow' action will continue the search in the remaining filters.
Simply adding the signature to the IPS profile with the custom action 'Block' is enough only when the goal is to change the signature's default action from 'Allow' to 'Block'.
However, if this filtered signature is placed above the severity filters with the action 'Allow', the remaining filters are still searched and the signature is found again. If the action this second time is 'Block', the traffic is blocked. So even when an 'Allow' action for a specific signature sits at the top of the list, the traffic is still blocked if the signature appears again further down with a 'Block' action. Only the 'Block' action ends the search.
Because all the other IPS signatures rated as critical severity are still needed in the profile, the solution is to add a custom filter that includes all of those signatures but excludes this one.
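The evaluation order described above can be modelled to check why the 'Allow'-on-top approach fails and the exclusion approach works. The following is an added illustration, not FortiOS code and not part of the original article: the signature IDs, severities, default actions and filter names are constructed, and a filter is modelled as an ordered entry that selects signatures by severity or by explicit ID, with an optional exclusion list.

```python
"""Model of the IPS filter evaluation order described in the article.

Assumptions (illustration only, not FortiOS code): a profile is an ordered
list of filters; each filter selects a set of signature IDs and carries one
action; filters are walked top to bottom, the first 'block' wins and an
'allow' keeps searching. All IDs, names and severities below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed signature catalogue: id -> (severity, default action)
SIGNATURES = {
    1001: ("critical", "block"),   # the signature the local servers trigger
    1002: ("critical", "block"),
    2001: ("high", "block"),
    3001: ("medium", "allow"),
}


@dataclass
class Filter:
    name: str
    severities: set[str] = field(default_factory=set)     # severity-based selection
    signature_ids: set[int] = field(default_factory=set)  # explicit signature selection
    exclude_ids: set[int] = field(default_factory=set)    # signatures removed from this filter
    action: str = "default"  # "block", "allow", or "default" (use the signature's own)

    def matches(self, sig_id: int) -> bool:
        if sig_id in self.exclude_ids:
            return False
        severity = SIGNATURES[sig_id][0]
        return sig_id in self.signature_ids or severity in self.severities

    def effective_action(self, sig_id: int) -> str:
        return SIGNATURES[sig_id][1] if self.action == "default" else self.action


def evaluate(profile: list[Filter], sig_id: int) -> tuple[str, str | None]:
    """Walk the profile top to bottom for one signature.

    Returns ("block", <filter that blocked>) as soon as a matching filter
    resolves to 'block'; otherwise ("allow", <last matching allow filter or None>).
    """
    last_allow = None
    for flt in profile:
        if not flt.matches(sig_id):
            continue
        if flt.effective_action(sig_id) == "block":
            return "block", flt.name        # 'Block' ends the search
        last_allow = flt.name               # 'Allow' continues the search
    return "allow", last_allow


def naive_profile() -> list[Filter]:
    """'Allow' entry on top of the default severity filters: does not exempt 1001."""
    return [
        Filter("exempt-1001", signature_ids={1001}, action="allow"),
        Filter("critical", severities={"critical"}),
        Filter("high", severities={"high"}),
        Filter("medium", severities={"medium"}),
    ]


def working_profile() -> list[Filter]:
    """Critical filter rebuilt without 1001: the other critical signatures stay."""
    return [
        Filter("critical-minus-1001", severities={"critical"}, exclude_ids={1001}),
        Filter("high", severities={"high"}),
        Filter("medium", severities={"medium"}),
    ]


def force_block_profile() -> list[Filter]:
    """The one case where a custom entry on top is enough: default 'allow' -> 'block'."""
    return [Filter("force-3001", signature_ids={3001}, action="block")] + working_profile()


if __name__ == "__main__":
    for label, profile in [("naive", naive_profile()), ("working", working_profile()),
                           ("force-block", force_block_profile())]:
        for sig in SIGNATURES:
            print(f"{label:12} sig {sig}: {evaluate(profile, sig)}")
```

Running the block shows that signature 1001 is still blocked by the 'critical' filter in the naive profile, is allowed in the working profile while 1002 remains blocked, and that a top entry with 'Block' does override a default 'Allow' (signature 3001), matching the three behaviours the article describes.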
The end result:
Note:
The IPS filtering and selection of signatures differs between the FortiOS versions.
The example above is done in FortiOS 6.2, and the behavior is the same in FortiOS 6.4 and FortiOS 7.0.
FortiOS 6.0 and each of the prior versions have a slightly different IPS selection sequence and behavior.
Related Articles:
Technical Note: Exempting IP addresses from IPS sensor scanning
Technical Tip: How to Configure the FortiGate to Block an IPS Attack and change the default IPS acti...