gpap_FTNT
Staff
Article Id 190610

Description

This article describes how to exempt a source/destination IP from a particular IPS signature.

Scope

FortiGate.

Solution

 
From CLI:
IP exemptions can be added in an IPS sensor only for entries that specify signatures explicitly.
 
config ips sensor
    edit <sensor name>
        config entries
            edit <rule num>
                config exempt-ip
                    edit <exempt-ip-rule-id>
                        set src-ip <ip4mask>
                    next
                    edit <exempt-ip-rule-id-1>
                        set dst-ip <ip4mask>
                    next
                end
            next
        end
    next
end

Multiple IP exemptions can be added by creating more exempt-ip entries, each with its own exempt-ip-rule-id.

 
From GUI:
Go to the IPS sensor, choose Add Signatures (under IPS Signatures), select the signature, and choose Edit IP Exemptions.

Refer to the following screenshot: [screenshot of the Edit IP Exemptions dialog for the selected signature]

For more information, refer to the appropriate FortiOS CLI Reference guide in the Fortinet Document Library.
 
Note:
The 'source' and 'destination' IPs of the exemption must be configured according to the direction of the attack, not simply copied from the source and destination shown in the session log.
e.g.: If in the IPS logs the destination is the server and the source is the host (the log below shows direction="incoming"), then in the exemption the source should be the server and the destination should be the host.
 
 
date=2019-10-27 time=18:44:54 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1572198294024252859 tz="+0100" severity="info" srcip=192.168.209.45 srccountry="Reserved" dstip=213.211.198.58 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=8180 action="dropped" proto=6 service="HTTP" policyid=1 attack="Eicar.Virus.Test.File" srcport=41300 dstport=80 hostname="2016.eicar.org" url="/download/eicar.com" direction="incoming" attackid=29844 profile="protect_client" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=1244883271 msg="file_transfer: Eicar.Virus.Test.File,"
 
To exempt the host, configure the following:
 
config ips sensor
    edit <sensor_name>
        config entries
            edit 2
                set rule 29844
                set status enable
                set action block
                config exempt-ip
                    edit 1
                        set src-ip 213.211.198.58 255.255.255.255
                        set dst-ip 192.168.209.45 255.255.255.255
                    next
                end
            next
        end
    next
end
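As an added example (not part of this article or of any Fortinet tool), the following Python script parses a FortiGate IPS log record in the key=value format shown above and renders the matching exempt-ip CLI block, applying the Note's rule that for direction="incoming" the exemption's source is the logged destination (the server). How it treats direction="outgoing" (keep the logged addresses) is an assumption the article does not cover, and the sample log line is a constructed, trimmed copy of the one above.

```python
import re

# Constructed sample: the article's IPS log record, trimmed to the fields used here.
SAMPLE_LOG = (
    'date=2019-10-27 time=18:44:54 type="utm" subtype="ips" srcip=192.168.209.45 '
    'dstip=213.211.198.58 action="dropped" attack="Eicar.Virus.Test.File" '
    'direction="incoming" attackid=29844 msg="file_transfer: Eicar.Virus.Test.File,"'
)

# key=value pairs: values are double-quoted (may hold spaces, colons, commas) or bare tokens.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# CLI skeleton from the article; the exempt-ip src/dst are filled in by attack direction.
_TEMPLATE = """\
config ips sensor
    edit {sensor}
        config entries
            edit {entry_id}
                set rule {rule}
                set status enable
                set action block
                config exempt-ip
                    edit {exempt_id}
                        set src-ip {src} 255.255.255.255
                        set dst-ip {dst} 255.255.255.255
                    next
                end
            next
        end
    next
end"""

def parse_fortigate_log(line: str) -> dict:
    """Parse one FortiGate key=value log record into a dict, stripping the quotes."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in _KV.findall(line)}

def exemption_endpoints(fields: dict) -> tuple:
    """(src-ip, dst-ip) for the exempt-ip entry, oriented by the attack direction.
    direction="incoming": the payload flows from the logged dstip (server) to the logged
    srcip (host), so the server becomes src-ip and the host dst-ip, as in the article.
    Assumption: for "outgoing" the attack follows the session, so addresses are kept."""
    if fields.get("direction") == "incoming":
        return fields["dstip"], fields["srcip"]
    return fields["srcip"], fields["dstip"]

def build_exempt_config(fields: dict, sensor: str, entry_id: int, exempt_id: int = 1) -> str:
    """Render the CLI block that exempts the logged host from the logged signature."""
    src, dst = exemption_endpoints(fields)
    return _TEMPLATE.format(sensor=sensor, entry_id=entry_id, rule=fields["attackid"],
                            exempt_id=exempt_id, src=src, dst=dst)
```

Running `build_exempt_config(parse_fortigate_log(SAMPLE_LOG), "<sensor_name>", 2)` reproduces the block shown above, so the output can be diffed against the sensor before it is pasted into the CLI.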
 

Related document:

Configuring an IPS sensor