Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
RF
New Contributor

syntax

I am using a FortiGate 1000C. I am trying to create a custom signature to block web traffic from Windows XP computers, and I am getting the error "invalid index code". Please correct the syntax below.

F-SBID( --attack_id 8151; --vuln_id 8151; --name "Windows.NT.5.Web.Surfing"; --default_action drop_session; --service HTTP; --protocol tcp; --app_cat 25; --flow from_client; --pattern "Windows NT 5."; --no_case; --context header; )
1 Solution
emnoc
Esteemed Contributor III

F-SBID( --attack_id 8151; --vuln_id 8151; --name "Windows.NT.5.Web.Surfing"; --default_action drop_session; --service HTTP; --protocol tcp; --app_cat 25; --flow from_client; --pattern "Windows NT 5."; --no_case; --context header; )

Periods, !@#", and other characters are a mother; you have to escape them. Try this (I got lazy with the periods :) ):

show ips custom
config ips custom
    edit "1"
        set signature "F-SBID( --attack_id 8151; --name \"WindowsSurfing\"; --default_action drop_session; --service HTTP; --protocol tcp; --app_cat 25; --flow from_client; --pattern \"Windows\"; --no_case; --context header; )"
    next
end

Also, imho, I drop the vuln_id field; it is kind of redundant, but YMMV. You can follow my blog at http://socpuppet.blogspot.com/2013/01/writing-ips-rules-fortinet-style.html

PCNSE NSE StrongSwan
7 REPLIES
RF
New Contributor

Thanks a lot.

show ips custom
config ips custom
    edit "1"
        set signature "F-SBID( --attack_id 8151; --name \"WindowsSurfing\"; --default_action drop_session; --service HTTP; --protocol tcp; --app_cat 25; --flow from_client; --pattern \"Windows NT 5.\"; --no_case; --context header; )"
    next
end

I will try this for Windows XP computers (Windows NT 5.) tomorrow and let you know.
emnoc
Esteemed Contributor III

Curious as to what you're trying to drop with that signature? And why, if Fortinet doesn't already have one?
RF
New Contributor

I want to decommission Windows XP computers from my network, as some of the users are not ready to give up their computers.
wengert
New Contributor

I had the same problem a few days ago. I got the custom filter from the FortiGate Cookbook. I solved it by copying the signature to Notepad++ and removing all line feeds there. (If I did this directly in the firewall edit field, I got the error.)

F-SBID( --attack_id 8151; --vuln_id 8151; --name "Windows.NT.5.Web.Surfing"; --default_action drop_session; --service HTTP; --protocol tcp; --app_cat 25; --flow from_client; --pattern "Windows NT 5."; --no_case; --context header; )
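
The two fixes the replies above describe by hand (escaping the inner quotes for the CLI, and joining a line-wrapped signature onto one line) as an added Python helper; this is example code, not from the thread, from Fortinet or from any cookbook. The sample signature is constructed from the thread, and the "required option" list is an assumption, not a FortiOS specification.

```python
import re

# Constructed sample: the thread's signature pasted with line feeds inside it (wengert's failure mode).
RAW_SIG = (
    'F-SBID( --attack_id 8151; --vuln_id 8151;\n'
    ' --name "Windows.NT.5.Web.Surfing"; --default_action drop_session;\n'
    ' --service HTTP; --protocol tcp; --app_cat 25; --flow from_client;\n'
    ' --pattern "Windows NT 5."; --no_case; --context header; )'
)

# One "--option [value];" field; a quoted value may itself contain ';' or \".
OPT_RE = re.compile(r'--(\w+)(?:\s+("(?:[^"\\]|\\.)*"|[^;"]+?))?\s*;')
REQUIRED = ("attack_id", "name", "pattern")  # assumed minimum, not a FortiOS spec


def normalize(sig):
    """Join a line-wrapped signature onto one line and collapse whitespace runs."""
    return re.sub(r"\s+", " ", sig).strip()


def parse_options(sig):
    """Return {option: value} for an F-SBID( ... ) body; flag options map to None."""
    m = re.fullmatch(r"F-SBID\(\s*(.*?)\s*\)", normalize(sig))
    if not m:
        raise ValueError("not an F-SBID( ... ) signature")
    body = m.group(1)
    if OPT_RE.sub("", body).strip():  # leftovers mean some field did not parse
        raise ValueError("unparsable field in: " + body)
    return {name: (value.strip().strip('"') if value else None)
            for name, value in OPT_RE.findall(body)}


def check(sig):
    """List the problems this thread hit, before the signature is pasted anywhere."""
    problems = []
    if "\n" in sig or "\r" in sig:
        problems.append("contains line breaks; join onto one line before pasting")
    opts = parse_options(sig)
    problems += [f"missing --{req}" for req in REQUIRED if req not in opts]
    if not (opts.get("attack_id") or "").isdigit():
        problems.append("--attack_id must be numeric")
    return problems


def to_cli(sig, entry="1"):
    """Render the 'config ips custom' block; quotes inside the signature become \\"."""
    body = normalize(sig).replace('"', '\\"')
    return "\n".join(["config ips custom", f'    edit "{entry}"',
                      f'        set signature "{body}"', "    next", "end"])
```

Run `check()` on the pasted text first; `to_cli()` then produces a single-line `set signature` that can be pasted into the CLI as emnoc shows.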
 
emnoc
Esteemed Contributor III

Wengert, that's a good point. Be careful of anything you copy or paste into the CLI or WebGUI IPS input block. I do wish they (Fortinet) would create an IPS custom signature wizard/tool. There's one other method: build it as a Snort rule and use the Perl Snort-to-FortiGate conversion script. It does a half-ass job of converting "most" Snort 2.x format rules into Fortinet IPS format. I will search for the script and post it here.

OP, good, hope you catch them. I think you would be better off using endpoint protection to accomplish this also, with better control and reliability. Also, an explicit proxy that blocks bad User-Agent or no User-Agent would be even better. Keep in mind the following: this rule could be circumvented by anybody that uses a User-Agent changer, and if the client is using HTTPS this rule is practically useless.
rwpatterson
Valued Contributor III

Half ass? LOL! What do you want for free? http://camerabob.dyndns.org:5190/Fortigate/snort.cgi

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
