FortiDave
New Contributor III

Enabling Fortigate IPS On All Policies / Globally

Hi,

I am trying to enable a newly created read only IPS profile on all FW policies.

Is there a simple way to do this on the GUI, or would I have to script it into the policy config file?

I can also see there is a CLI command "config ips global". Would this be an option for my requirements? Are there any potential drawbacks here?

Thanks.

1 Solution
AEK
Honored Contributor

Hello

Some operations are better via some scripting.
In your case I'd do as follows:

1- List policies without content:

FGT # show firewall policy | grep -v set

Output:
config firewall policy
edit 1
next
edit 2
next
edit 3
next
end

2- Add required lines to the output:

config firewall policy
edit 1
set ips-sensor "my_ips_profile"
next
edit 2
set ips-sensor "my_ips_profile"
next
edit 3
set ips-sensor "my_ips_profile"
next
end

3- And then just push the new config to your CLI.

Hope this helps.

AEK

jintrah_FTNT
Staff

Hello,

You may want to use the IPS sensor against an interface policy which may be an easy way to enforce IPS protection against traffic across an interface. Please see https://community.fortinet.com/t5/FortiGate/Technical-Note-Applying-IPS-sensors-to-interface-policy/... .

Best regards,

Jin

bpozdena_FTNT

If all policies have the same set of security profiles, you can just select all the policies in the GUI by holding the SHIFT key and clicking on the first and last policy. Then click the edit button on any of the policies, select the desired profiles and press Apply. The change will apply to all selected policies. Just note this will reset all profiles based on your current selection, not just the IPS profile.

There is also no way to revert the changes, so make sure to at least take a backup of your config before making any bulk changes.

Example: [screenshot attachment: bpozdena_FTNT_0-1653304175289.png]

Alternatively, just script it or manually edit your config file in a text editor. Either way, the IPS profile needs to be explicitly configured under firewall/interface policies.

HTH,
Boris
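Added example (not code from this thread, from Fortinet, or from any of the posters): a small Python script that automates AEK's list-then-append approach while respecting Boris' caveat that a bulk GUI edit resets every profile on the selected policies. It parses the text of `show firewall policy` (a constructed, abbreviated sample with hypothetical policy and profile names is embedded), skips policies that already carry the sensor, skips deny policies by default since IPS cannot inspect traffic that is dropped anyway, and emits only `set ips-sensor` lines so that AV, web filter and other profiles already on a policy are left exactly as they were. The output is meant to be reviewed and then pasted into the CLI, after taking the config backup Boris recommends.

```python
"""Generate FortiOS CLI that attaches one IPS sensor to every accept policy.

Example code added to this thread, not the poster's or Fortinet's own tooling.
Assumes plain `show firewall policy` text as input. Note that `show` omits
attributes at their default value, so a policy with no `set action` line is a
deny policy (action defaults to deny).
"""
import re

# Constructed sample of `show firewall policy` output. Policy names, interfaces
# and profile names are hypothetical.
SAMPLE_SHOW_OUTPUT = """\
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set av-profile "default"
        set ips-sensor "my_ips_profile"
    next
    edit 2
        set name "dmz-to-wan"
        set srcintf "port3"
        set dstintf "port1"
        set action accept
        set webfilter-profile "default"
    next
    edit 3
        set name "block-guest"
        set action deny
    next
end
"""


def parse_policies(show_output):
    """Return {policy_id: {attribute: value}} for each `edit N` ... `next` block."""
    policies = {}
    current = None
    for raw in show_output.splitlines():
        line = raw.strip()
        match = re.match(r"^edit (\d+)$", line)
        if match:
            current = int(match.group(1))
            policies[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            # `set key value`; quoted values are stored without the quotes.
            key, _, value = line[4:].partition(" ")
            policies[current][key] = value.strip('"')
    return policies


def build_ips_script(policies, sensor, skip_deny=True):
    """Build the CLI batch and return (script_text, [changed policy ids]).

    Only `set ips-sensor` is emitted per policy, so other security profiles on
    the policy are untouched (unlike a bulk edit in the GUI). Policies that
    already reference `sensor` are skipped so re-running is idempotent.
    """
    lines = ["config firewall policy"]
    changed = []
    for pid, attrs in sorted(policies.items()):
        if skip_deny and attrs.get("action", "deny") == "deny":
            continue  # IPS never sees traffic that the policy drops
        if attrs.get("ips-sensor") == sensor:
            continue  # already enforced, nothing to change
        lines.append(f"    edit {pid}")
        lines.append(f'        set ips-sensor "{sensor}"')
        lines.append("    next")
        changed.append(pid)
    lines.append("end")
    return "\n".join(lines) + "\n", changed


if __name__ == "__main__":
    parsed = parse_policies(SAMPLE_SHOW_OUTPUT)
    script, touched = build_ips_script(parsed, "my_ips_profile")
    print(f"# policies to update: {touched}")
    print(script)
```

Run it against the real output of `show firewall policy` instead of the sample, read the generated block, and only then paste it into the CLI. If your firmware requires `set utm-status enable` on a policy before its security profiles take effect, add that line next to the sensor line in `build_ips_script` (this is a firmware-dependent assumption, not something the thread states).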
FortiDave

Very helpful also, another option, and really handy thing to know, cheers.

FortiDave
New Contributor III

Probably the better option, much appreciated, thanks.
