Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
cborgato_FTNT
Staff
Staff

Created on ‎09-22-2016 06:00 AM Edited on ‎08-19-2025 08:06 AM By Community Manager

Article Id 196462

Technical Tip: IPS Intelligent scan mode (intelligent-mode)

Description

 

From FortiOS v5.2, the IPS global setting ignore-session-bytes has been removed.  A new adaptive detection method has been created instead:  intelligent-mode based on file types and HTTP header characteristics so that exploits carried over after certain traffic amount can still be detected.

By default (intelligent-mode enable), the IPS engine does adaptive scanning in order to speed up the scan job and starts to offload the traffic sooner.

In case it is necessary to scan all the bytes, intelligent-mode can be disabled.

This article shows how ignore-session-bytes was used in v5.0 and earlier releases, and how intelligent-mode is used on v5.2 and the latest releases.
 
Scope
 
FortiGate.


Solution

 

V5.0:

 

In v5.0 with ignore-session-bytes it is possible to set the number of bytes after which the session is ignored by the IPS engine.  If the attack comes after the bytes scanned by IPS engine, it will not be detected.  The default is 204,800 bytes.

 

config ips global

    set ignore-session-bytes 204800

end


V5.2 and v5.4:

Starting with V5.2 with intelligent-mode the IPS engine does adaptive scanning so that for some traffic, the FortiGate can quickly finish scanning and offload the traffic to NPU or kernel.  It is a balanced method which could cover all known exploits.  The default is enable.
 
config ips global
    set intelligent-mode enable
end
 
When disabled, the IPS engine scans every single byte.  Compared with the pure number ignore-session-bytes, the intelligent-mode gives more improvements without violating original settings.
 

V7.0.0 and later:

The configuration to enable/disable the intelligent mode has been removed from the CLI.

 

Note: Starting from FortiOS version 7.6.3, the IPS engine functionality has been enhanced to support the detection of industrial Ethernet protocols such as LLDP, GOOSE, EtherCAT, and PROFINET RT. The IPS sensor detects the ethernet protocols and device detection log ethernet devices at layer 2. For more information, see Support Ethernet layer protocols in the IPS engine - FortiGate 7.6.0 new features.

 

Related documents

Technical Tip: IPS anomaly mode settings for DOS sensor behaviour when action is set to ‘block’

Changes in CLI

11771
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.