FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Not applicable
Article Id 196373
Description
This article describes how to change Intrusion Protection Sensor default action in FortiOS 4.0.

Users can also user Customer Overrides to allow certain signatures to be blocked, however, when not every potential attack signature is known, administrators may wish to just change All Default signatures actions, thereby greatly restricting malicious traffic.  If any valid traffic is affected by this, Administrators can start user custom overrides to block what attacks may be known by name now.



Solution
In the steps below, the predefined scan Protection Profile and associated IPS sensor All_Default are used just as an example.

1. As a first step users must ensure that the policy they are using, and subsequent Protection Profile, has IPS Sensor option enabled, and desired IPS sensor selected. To do this, go to Firewall > Protection Profile, and select the Scan profile. Select the blue arrow for IPS to expand the options. Select the check box to enable.

sotoole_FD31019_All_Default in PP.JPG

2. Edit the IPS Sensor to be used by going to UTM > Intrution Protection > IPS Sensor and edit the appropriate sensor.

sotoole_FD31019_Edit All Default.JPG


3. Once this sensor is open, choose a new action. Accept signatures default settings, Pass all, Block All and Reset are possible selections.  Select OK.

sotoole_FD31019_Change default action.JPG

Users will see the Action listed as the action selected that is not default.

sotoole_FD31019_view default action.JPG


NOTE - This procedure should not be confused with using Custom Override, which is a similar, but separate procedure.

Related Articles

Blocking Ultrasurf with an IPS signature

Technical Tip: How to use IPS custom override