Nishtha_Baria
Article Id 276636
Description This article describes two FortiGate CLI commands related to IPS global configuration and explains their impact and use cases.
Scope FortiGate.
Solution

The FortiGate CLI commands below control two IPS global settings: which IPS signature database is loaded, and which signature group, if any, is excluded from it.

 

config ips global

    set database extended

end

 

config ips global

    set exclude-signatures none

end 

 

Enabling the extended IPS database loads a larger signature set. The regular database covers current, in-the-wild attacks; the extended database adds signatures for older attacks and for specialised protocols, including the OT/industrial signatures, and needs more memory than the regular one.

Specifying 'none' for signature exclusions loads every signature group in the selected database. By default the OT group is excluded, even when the extended database is selected, so both settings are needed for full coverage.

 

config ips global
    set database extended <----- Database package can be 'regular' or 'extended'. 'regular' covers current, in-the-wild attacks; 'extended' adds legacy attacks and OT/industrial protocol signatures.
    set exclude-signatures none <----- The default is 'ot', which means OT (operational technology) signatures are excluded. Set the option to 'none' to load them.
end

 

Note 1:

Before v7.4.1, the OT signatures were delivered as the separate 'Industrial Attack Definitions' package and the exclusion keyword was 'industrial' instead of 'ot'. On those versions the command was:

 

config ips global

    set exclude-signatures {none | industrial}

end

 

Note 2:

The above commands also apply when an expected Application Control signature is missing on the FortiGate, because the industrial/OT application signatures are delivered with the extended database and excluded by default.

For instance, the IEC.60870-5-104 signature becomes visible under Application Control after making these changes.

 

Command 1:

 

config ips global

    set database extended

end

 

The 'set database extended' command selects which IPS signature database the FortiGate loads.

  • Database extension: the regular database contains signatures for current, in-the-wild attacks; the extended database adds signatures for older (legacy) attacks and for additional protocols, including the OT/industrial ones. Selecting it gives the IPS engine a larger set of known threats to match against, at the cost of more memory.
  • Broader detection: with the extended database loaded, the FortiGate can identify and block traffic that matches signatures absent from the regular set, such as the industrial-protocol signatures mentioned in Note 2.
  • When to use it: it is the appropriate choice where coverage matters more than resource use, for example in front of OT networks, or whenever the Threat Encyclopedia shows that a required signature is only present in the extended database.

 

Command 2:

 

config ips global

    set exclude-signatures none

end

 

The 'set exclude-signatures none' command controls which signature group is left out of the loaded signature set.

  • Signature exclusion: the option names a group to exclude ('ot' on v7.4.1 and later, 'industrial' on earlier releases). Setting it to 'none' means no group is excluded, so the OT signatures are loaded along with the rest of the database.
  • Full signature coverage: where detection of all known threats and vulnerabilities in the database is required, 'none' ensures that the IPS does not silently skip the OT group.
  • Compliance and regulatory requirements: some industries and organizations are required to monitor industrial protocols. 'none', together with the extended database, is what makes those signatures available to IPS and Application Control profiles.
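Both options belong to the same 'config ips global' object, so an administrator auditing several firewalls normally checks them together, and Note 1 means the exclusion keyword to expect depends on the firmware version. The following Python script is an added example, not code from this article or from Fortinet: it evaluates the JSON returned by the FortiOS REST API endpoint GET /api/v2/cmdb/ips/global, tells the 'ot' and 'industrial' keywords apart by version, and prints the CLI lines needed to reach the state this article recommends. The host, API token and the sample responses are constructed, and the response field names ('database', 'exclude-signatures', top-level 'version') are assumptions to confirm against the firmware in use.

```python
"""Audit 'config ips global' on one or more FortiGates for the two settings in this article.

Added example, not code from the article or from Fortinet. It evaluates the JSON that the
FortiOS REST API returns for GET /api/v2/cmdb/ips/global and reports whether the extended
IPS database is selected and whether a signature group (OT/industrial) is still excluded.
The sample responses are constructed; the field names 'database', 'exclude-signatures' and
the top-level 'version' follow the usual cmdb response shape and should be confirmed
against the firmware in use.
"""
import json
import re
import urllib.request

# From v7.4.1 the excluded group is named 'ot'; earlier releases used 'industrial' (Note 1).
OT_KEYWORD_SINCE = (7, 4, 1)


def parse_version(version: str) -> tuple:
    """Turn 'v7.4.2' or '7.4.2' into (7, 4, 2) so versions compare numerically."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised FortiOS version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def expected_exclusion_keyword(version: str) -> str:
    """Name of the OT signature group on this firmware: 'ot' or 'industrial'."""
    return "ot" if parse_version(version) >= OT_KEYWORD_SINCE else "industrial"


def audit_ips_global(response: dict) -> dict:
    """Check one cmdb response and return the settings, findings and remediation CLI."""
    version = response.get("version", "")
    results = response["results"]
    database = results.get("database", "regular")
    # If the attribute is absent, assume the factory default described in the article.
    excluded = results.get("exclude-signatures", expected_exclusion_keyword(version))

    findings, remediation = [], []
    if database != "extended":
        findings.append(f"database is '{database}': extended database (with OT signatures) not loaded")
        remediation.append("    set database extended")
    if excluded != "none":
        findings.append(f"exclude-signatures is '{excluded}': the OT/industrial group is excluded")
        remediation.append("    set exclude-signatures none")

    cli = "\n".join(["config ips global", *remediation, "end"]) if remediation else ""
    return {
        "version": version,
        "database": database,
        "exclude-signatures": excluded,
        "compliant": not findings,
        "findings": findings,
        "remediation_cli": cli,
    }


def fetch_ips_global(host: str, api_token: str) -> dict:
    """Pull the live setting with a REST API admin token (hypothetical host/token; not run here).
    TLS is verified, so the FortiGate's management certificate must be trusted by this machine."""
    req = urllib.request.Request(
        f"https://{host}/api/v2/cmdb/ips/global",
        headers={"Authorization": f"Bearer {api_token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample responses (not captured from a real device).
SAMPLE_DEFAULT_74 = {"version": "v7.4.2", "status": "success",
                     "results": {"database": "regular", "exclude-signatures": "ot"}}
SAMPLE_DEFAULT_72 = {"version": "v7.2.8", "status": "success",
                     "results": {"database": "regular", "exclude-signatures": "industrial"}}
SAMPLE_FIXED = {"version": "v7.4.2", "status": "success",
                "results": {"database": "extended", "exclude-signatures": "none"}}

if __name__ == "__main__":
    for label, sample in [("7.4 defaults", SAMPLE_DEFAULT_74),
                          ("7.2 defaults", SAMPLE_DEFAULT_72),
                          ("after fix", SAMPLE_FIXED)]:
        report = audit_ips_global(sample)
        print(f"{label}: compliant={report['compliant']}")
        for finding in report["findings"]:
            print("  -", finding)
        if report["remediation_cli"]:
            print(report["remediation_cli"])
```

To run it against a real unit, replace the samples with the result of fetch_ips_global(host, token); a REST API administrator with read access to the ips configuration is enough for the audit itself, and the printed CLI can then be applied by a separate, write-capable account.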

 

Note:
The FortiGuard Threat Encyclopedia (https://www.fortiguard.com/encyclopedia) can be used to verify whether a given signature is covered by the regular database, by the extended database, or by neither, as in the screenshot below.

[Image: ips_sig_verify.png]

Related articles:

Troubleshooting Tip: Using the FortiOS policy based packet capture
Troubleshooting Tip: Identify the IPS signature matching context