FortiGate
hlngan
Staff
Article Id 217550
Description: This article describes the use of the IPS processes in FortiGate.
Scope: FortiGate.
Solution

In FortiGate, the IPS (Intrusion Prevention System) processes are used to detect or block attacks, exploits, and known vulnerabilities using signature-based defense.

All flow-based security inspection features, such as IPS, application control, flow-based web filter, flow-based antivirus, etc., are handled by the IPS engine workers.

The IPS engines also handle the NGFW feature for policy-based firewall rules (config firewall security-policy).

The IPS engines also handle the DoS feature (config firewall DoS-policy / diagnose ips anomaly list).

 

There are three main processes within the IPS:

 

  1. The ipsmonitor process is used for:
  • Starting and stopping the IPS engines, and acting as the watchdog for the IPS processes.
  • Killing ipsmonitor will restart all ipsengines.

 

diagnose test app ipsmonitor 1 <- Will display basic information on ipsmonitor.

 


 

  2. The ipshelper process is used for:
  • Configuration management inside the IPS engine.
  • Monitoring CMDB changes related to IPS.
  • Compiling the IPS rule database and generating the DFA (Direct Filter Approach).
  • High CPU usage is expected for this daemon when a package used by the IPS engine is updated.
  • Schedule package updates during non-busy hours if necessary.

 


 

Note that ipshelper is always at index 0 in the IPS process.

 

  3. The ipsengine process is used for:
  • The worker process that performs packet inspection.
  • Involvement in application control, flow-mode antivirus, flow-mode DLP, and flow-based email filter.

 

The number of engines depends on the model/hardware. They are indexed starting from 1, 2, 3, 4, and so on.

 

Index 1 will be the master IPS engine, which is responsible for:

  • Updating the database in hardware.
  • Performing cleanup of the SSL caches.

 

The master engine will most likely have higher CPU/memory usage than the other IPS engine workers.

 

For the last point, it is possible to see the master engine process with significantly higher CPU usage than the others (for example, in the output of the command diagnose sys top). Investigate further with the following commands.

First, find the PID of the process. It can be found in the column immediately after the process name in the diagnose sys top output, or with the following command:

diagnose sys process pidof <name of process>

Then dump details about the process:

diagnose sys process pstack <PID>        <- Dump process userspace stack.
diagnose sys process dump <PID>          <- Dump process kernel stack.
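As an added example (not part of the original article or Fortinet's own tooling), the following Python script parses a constructed diagnose sys top snapshot, picks out the IPS daemons whose CPU usage exceeds a threshold, and prints the pstack/dump commands from the procedure above for each matching PID. The column layout (name, PID, state, CPU%, memory%, optional core) is an assumption about the diagnose sys top output format.

```python
import re
from dataclasses import dataclass

# Constructed sample of a "diagnose sys top" snapshot. Column layout assumed:
# name, PID, state, CPU%, memory%, core (core column may be absent on older builds).
SAMPLE_TOP = """\
Run Time:  3 days, 2 hours and 10 minutes
2U, 0N, 1S, 97I, 0WA, 0HI, 0SI, 0ST; 3953T, 2201F
          ipshelper      168      S       0.3     3.1     0
          ipsengine      171      S      41.7     7.9     1
          ipsengine      172      S       1.2     7.6     2
          ipsengine      173      S       1.0     7.5     3
          ipsmonitor     167      S       0.0     0.9     0
          httpsd         211      S       0.5     1.4     1
"""

IPS_DAEMONS = {"ipsmonitor", "ipshelper", "ipsengine"}

# One process row; the trailing core column is optional.
ROW_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+([RSDZ])\s+([\d.]+)\s+([\d.]+)(?:\s+(\d+))?\s*$")


@dataclass
class Proc:
    name: str
    pid: int
    state: str
    cpu: float
    mem: float


def parse_top(text):
    """Return only the IPS daemon rows from a diagnose sys top snapshot."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m or m.group(1) not in IPS_DAEMONS:
            continue
        procs.append(Proc(m.group(1), int(m.group(2)), m.group(3),
                          float(m.group(4)), float(m.group(5))))
    return procs


def busy_ips_processes(text, cpu_threshold=25.0):
    """IPS daemons at or above the CPU threshold, busiest first."""
    busy = [p for p in parse_top(text) if p.cpu >= cpu_threshold]
    return sorted(busy, key=lambda p: p.cpu, reverse=True)


def followup_commands(text, cpu_threshold=25.0):
    """The stack-dump commands from the article, one pair per busy PID."""
    cmds = []
    for p in busy_ips_processes(text, cpu_threshold):
        cmds.append(f"diagnose sys process pstack {p.pid}")
        cmds.append(f"diagnose sys process dump {p.pid}")
    return cmds


if __name__ == "__main__":
    for c in followup_commands(SAMPLE_TOP):
        print(c)
```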

 

Note: Starting from FortiOS version 7.6.3, the IPS engine functionality was enhanced to support the detection of industrial Ethernet protocols such as LLDP, GOOSE, EtherCAT, and PROFINET RT. The IPS sensor detects these Ethernet protocols, and device detection logs Ethernet devices at layer 2. For more information, see Support Ethernet layer protocols in the IPS engine.