Hi,
I am trying to enable a newly created read only IPS profile on all FW policies.
Is there a simple way to do this on the GUI, or would I have to script it into the policy config file?
I can also see there is a CLI command "config ips global". Would this be an option for my requirements? Are there any potential drawbacks here?
Thanks.
Hello
Some operations are better via some scripting.
In your case I'd do as follows:
1- List policies without their content:
FGT # show firewall policy | grep -v set
Output:
config firewall policy
    edit 1
    next
    edit 2
    next
    edit 3
    next
end
2- Add required lines to the output:
config firewall policy
    edit 1
        set ips-sensor "my_ips_profile"
    next
    edit 2
        set ips-sensor "my_ips_profile"
    next
    edit 3
        set ips-sensor "my_ips_profile"
    next
end
3- And then just push the new config to your CLI.
Hope this helps.
Hello,
You may want to use the IPS sensor against an interface policy which may be an easy way to enforce IPS protection against traffic across an interface. Please see https://community.fortinet.com/t5/FortiGate/Technical-Note-Applying-IPS-sensors-to-interface-policy/... .
Best regards,
Jin
If all policies have the same set of security profiles, you can just select all the policies in the GUI by holding SHIFT key and clicking on the first and last policy. Then click the edit button on any of the policies, select the desired profiles and press Apply. The change will apply to all selected policies. Just note this will reset all profiles based on your current selection, not just the IPS profile.
There is also no way to revert the changes, so make sure to at least take a backup of your config before making any bulk changes.
Alternatively, just script it or manually edit your config file in a text editor. Either way, the IPS profile needs to be explicitly configured under firewall/interface policies.
Very helpful also, another option, and a really handy thing to know, cheers.
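The two approaches above (scripting the `set ips-sensor` lines, and the GUI bulk edit that overwrites every profile on the selected policies) can be combined into one small generator. The following is an added example, not code from the thread or from Fortinet: it parses the text that `show firewall policy` prints (either the full form or the `| grep -v set` form shown earlier), and emits a CLI block that sets only the `ips-sensor` line on each policy, so profiles already configured on a policy are left as they are. The sample output, the sensor name and the choice to skip policies with `set action deny` (assumption: there is no accepted traffic for IPS to inspect) are all constructed for the example; indentation in the emitted script is cosmetic, the FortiOS CLI does not require it.

```python
"""Generate a FortiOS CLI script that sets one IPS sensor on every firewall policy.

Added example (not from the forum thread or Fortinet). It only emits the
ips-sensor line per policy, so other profiles on the policy are not touched.
"""
import re

# Constructed sample of `show firewall policy` output (full form, with set lines).
SAMPLE_SHOW_OUTPUT = """\
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set av-profile "default"
        set ips-sensor "old_profile"
    next
    edit 2
        set name "dmz-to-wan"
        set action accept
    next
    edit 3
        set name "block-guest"
        set action deny
    next
end
"""

_EDIT_RE = re.compile(r'^\s*edit\s+(\d+)\s*$')
_SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*?)\s*$')


def parse_policies(show_output):
    """Return a list of (policy_id, settings) from `show firewall policy` text.

    Works for the full output and for the `| grep -v set` form, where every
    policy simply has an empty settings dict.
    """
    policies = []
    current_id, current = None, None
    for line in show_output.splitlines():
        m = _EDIT_RE.match(line)
        if m:
            current_id, current = int(m.group(1)), {}
            continue
        if current is None:
            continue  # header, `end`, or anything outside an edit block
        m = _SET_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)  # value kept verbatim, quotes included
        elif line.strip() == 'next':
            policies.append((current_id, current))
            current_id, current = None, None
    return policies


def _check_sensor_name(sensor):
    # A quote or newline in the name would break out of the generated CLI line.
    if not sensor or '"' in sensor or '\n' in sensor:
        raise ValueError('invalid IPS sensor name: %r' % sensor)


def policies_changed(show_output, sensor, skip_deny=True):
    """IDs of policies whose ips-sensor would actually change (pre-flight check)."""
    _check_sensor_name(sensor)
    changed = []
    for pid, settings in parse_policies(show_output):
        if skip_deny and settings.get('action') == 'deny':
            continue  # assumption: deny policies carry no traffic to inspect
        if settings.get('ips-sensor') != '"%s"' % sensor:
            changed.append(pid)
    return changed


def build_ips_script(show_output, sensor, skip_deny=True):
    """Return CLI text that sets `sensor` as ips-sensor on each parsed policy."""
    _check_sensor_name(sensor)
    lines = ['config firewall policy']
    for pid, settings in parse_policies(show_output):
        if skip_deny and settings.get('action') == 'deny':
            continue
        lines.append('    edit %d' % pid)
        lines.append('        set ips-sensor "%s"' % sensor)
        lines.append('    next')
    lines.append('end')
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    # Paste the real `show firewall policy` output in place of the sample,
    # review the generated block, then push it to the CLI.
    print(build_ips_script(SAMPLE_SHOW_OUTPUT, 'my_ips_profile'))
```

Run `policies_changed` first on the real output to see which policy IDs the script will modify; a backup of the configuration before pushing the block is still worth taking, as the GUI reply notes.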
Probably the better option, much appreciated, thanks.
Copyright 2024 Fortinet, Inc. All Rights Reserved.