Description
From FortiOS v5.2, the IPS global setting ignore-session-bytes has been removed. It is replaced by a new adaptive detection method, intelligent-mode, which is based on file types and HTTP header characteristics, so that exploits carried later in a session, after a certain amount of traffic, can still be detected.
By default (intelligent-mode enable), the IPS engine performs adaptive scanning in order to finish the scan job faster and start offloading the traffic sooner.
If it is necessary to scan every byte of a session, intelligent-mode can be disabled.
This article shows how ignore-session-bytes was used in v5.0 and earlier releases, and how intelligent-mode is used in v5.2 and later releases.
Solution
FortiOS 5.0
In v5.0, ignore-session-bytes sets the number of bytes after which the IPS engine stops inspecting a session. An attack that arrives after the bytes already scanned by the IPS engine is not detected. The default is 204,800 bytes.
config ips global
set ignore-session-bytes 204800
end
FortiOS 5.2 and 5.4
Starting with v5.2, intelligent-mode lets the IPS engine scan adaptively, so that for some traffic the FortiGate can finish scanning quickly and offload the traffic to the NPU or kernel. It is a balanced method that can cover all known exploits. The default is enable.
config ips global
set intelligent-mode enable
end
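As an added example (not part of the original article and not a Fortinet tool), the following Python snippet audits a FortiOS CLI configuration backup for both settings discussed here: it parses the config ips global block and reports whether a 5.0-style ignore-session-bytes limit is present, or whether intelligent-mode on 5.2 and later is left at its default or disabled. The sample configs and the function names are constructed for this illustration.

```python
import re

# Constructed sample configs (not from a real device): a FortiOS 5.0-style
# backup using ignore-session-bytes, and a 5.2+ one with intelligent-mode off.
SAMPLE_V50 = """\
config system global
    set hostname "FGT-LAB"
end
config ips global
    set ignore-session-bytes 204800
end
"""

SAMPLE_V52 = """\
config ips global
    set intelligent-mode disable
end
"""


def ips_global_settings(config_text):
    """Return {key: value} for the 'config ips global' block, {} if absent."""
    block = re.search(r"^config ips global[ \t]*\n(.*?)^end[ \t]*$",
                      config_text, re.S | re.M)
    settings = {}
    if block is None:
        return settings
    for line in block.group(1).splitlines():
        m = re.match(r"\s*set\s+(\S+)\s+(.*\S)", line)
        if m:
            settings[m.group(1)] = m.group(2).strip('"')
    return settings


def audit_ips_scan_depth(config_text):
    """Report how much of each session the IPS engine inspects.
    v5.0:  ignore-session-bytes N   -> payload after N bytes is not inspected
    v5.2+: intelligent-mode enable  -> adaptive scan (firmware default when unset)
           intelligent-mode disable -> every byte is scanned
    Returns (release_style, summary, byte_limit_or_None)."""
    s = ips_global_settings(config_text)
    if "ignore-session-bytes" in s:
        limit = int(s["ignore-session-bytes"])
        return ("v5.0", f"session not inspected after {limit} bytes", limit)
    mode = s.get("intelligent-mode", "enable")  # default is enable
    if mode == "disable":
        return ("v5.2+", "full scan, every byte inspected", None)
    return ("v5.2+", "adaptive scan (intelligent-mode enable)", None)
```

Run it against a full configuration backup to see which of the two scan-depth behaviours a unit is actually configured for before an upgrade or a policy review.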
When disabled, the IPS engine scans every single byte. Compared with the plain byte count of ignore-session-bytes, intelligent-mode brings more improvement without violating the original settings.
Related Articles
Technical Note : IPS anomaly mode settings for DOS sensor behaviour when action is set to ‘block’