FortiGate
gpap_FTNT
Staff
Article Id 190610
Description
This article describes how to exempt a source/destination IP from a particular IPS signature.

Solution
CLI

IP exemptions can be added in the IPS profile only for signatures that are specified explicitly.

# config ips sensor
    edit <sensor name>
        config entries
            edit <rule num>
                config exempt-ip
                    edit <exempt-ip-rule-id>
                        set src-ip <ip4mask>
                    next
                    edit <exempt-ip-rule-id-1>
                        set dst-ip <ip4mask>
                    next
                end
            next
        end
    next
end


Multiple IP exemptions can be added by adding more exempt-ip rule IDs.


GUI

Go to the IPS sensor -> Add signatures (under IPS signatures).

Select the signature and Edit IP exemptions.


For more information, refer to the appropriate FortiOS CLI Reference guide in the Fortinet Document Library.

Note: When configuring the "source" and "destination" IPs of the exemption, set them according to the direction of the attack.
For example, if in the IPS logs the destination is the server and the source is the host, then in the exemption configuration the source should be the server and the destination should be the host.

date=2019-10-27 time=18:44:54 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1572198294024252859 tz="+0100" severity="info" srcip=192.168.209.45 srccountry="Reserved" dstip=213.211.198.58 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=8180 action="dropped" proto=6 service="HTTP" policyid=1 attack="Eicar.Virus.Test.File" srcport=41300 dstport=80 hostname="2016.eicar.org" url="/download/eicar.com" direction="incoming" attackid=29844 profile="protect_client" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=1244883271 msg="file_transfer: Eicar.Virus.Test.File,"
To exempt this host, configure the following:
# config ips sensor
    edit <sensor_name>
        config entries
            edit 2
                set rule 29844
                set status enable
                set action block
                config exempt-ip
                    edit 1
                        set src-ip 213.211.198.58 255.255.255.255
                        set dst-ip 192.168.209.45 255.255.255.255
                    next
                end
            next
        end
    next
end
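
The source/destination swap from the note, as an added example that is not part of the original article or Fortinet's own tooling: a Python script that parses the IPS log line above and renders the matching exempt-ip block. The function names are hypothetical, and treating direction="incoming" as the case that needs the swap (and direction="outgoing" as needing none) is an assumption about how the log field maps to the article's rule.

```python
import ipaddress
import shlex

# Log line from this article, cut down to the fields used here.
SAMPLE_LOG = ('date=2019-10-27 time=18:44:54 type="utm" subtype="ips" '
              'srcip=192.168.209.45 dstip=213.211.198.58 action="dropped" '
              'attack="Eicar.Virus.Test.File" direction="incoming" attackid=29844')

TEMPLATE = """config ips sensor
    edit {sensor}
        config entries
            edit {entry}
                set rule {rule}
                config exempt-ip
                    edit {exempt_id}
                        set src-ip {src} 255.255.255.255
                        set dst-ip {dst} 255.255.255.255
                    next
                end
            next
        end
    next
end"""

def parse_log(line):
    """Split a key=value log line into a dict; shlex strips the quotes."""
    pairs = (tok.partition("=") for tok in shlex.split(line))
    return {key: value for key, sep, value in pairs if sep}

def exempt_ips(fields):
    """Return (src, dst) for the exemption, following the attack direction."""
    src = str(ipaddress.IPv4Address(fields["srcip"]))  # rejects malformed input
    dst = str(ipaddress.IPv4Address(fields["dstip"]))
    direction = fields.get("direction")
    if direction == "incoming":
        return dst, src  # the article's case: swap log source and destination
    if direction == "outgoing":
        return src, dst  # assumption, not stated in the article: no swap
    raise ValueError(f"unexpected direction: {direction!r}")

def build_exemption(line, sensor="<sensor_name>", entry=2, exempt_id=1):
    """Render the exempt-ip CLI block for one IPS log line."""
    fields = parse_log(line)
    if fields.get("subtype") != "ips":
        raise ValueError("not an IPS log line")
    src, dst = exempt_ips(fields)
    return TEMPLATE.format(sensor=sensor, entry=entry, exempt_id=exempt_id,
                           rule=int(fields["attackid"]), src=src, dst=dst)
```

Calling `print(build_exemption(SAMPLE_LOG))` prints the block for the log line above. The entry number and exempt-ip ID default to the values in the article's example, so pass the numbers used by the sensor entry that already lists the signature.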
