thanks a lot. . but I think this command show quarantine IP that blocked by IPS,but if IP blocked permanent by IPS , what command can show it? for example a hacker that blocked by IPS? thanks my dear

You can look at the IPS alert event for one, but how are you blocking a client  ( mon | block | quarantine ) ? and for what duration if  it's quarantine ? is the real question.

When you set the sensor you have the option to block or monitor or  quarantine. Those commands will show you the latter and let you free the latter from the quarantine. That pretty much under the latest FortiOS. Is that clear ?

Here 's what i would suggested, take the siganture ensure logging is enable in the IPS sensor for the config entry

Ensure you have logging enabled on the policy;

config firewall policy     edit 27         set uuid 5f43b0b2-fe51-51e4-384f-1c9c8638ca71         set srcintf "wifi"         set dstintf "virtual-wan-link"         set srcaddr "all"         set dstaddr "GOOG1"         set action accept         set schedule "always"         set service "DNS"         set utm-status enable         set logtraffic all         set logtraffic-start enable         set ips-sensor "DNS"         set profile-protocol-options "default"         set nat enable     next end

Enable logging from log > config and from memory or forticloud  for the wegui display

Now go to  log & report > security > ips

That will show you all events, once again  the quarantine and the earlier commands shows you what's in quarantine, the time entered and expiry time.

FWWI each time your attacker hits the rule, it would be a new entry. Each entry will have a sequence number, timestamp, sensor-name, rule, and packet logging if you enabled it.

That's the best I can  pull up from memory ( no pun intended ), I don't know of any CLI cmd to see the above but you cam dump the log and grep or crunch the entries also.