FortiGate
FortiKoala (Staff)
Article Id 190450

Description
This article describes the difference between the default behaviour of the "set status" and "set action" options on an IPS sensor filter entry.

In the FortiGate GUI, create an IPS sensor with an IPS filter and leave the IPS filter status at its default.

In the CLI it is created as:

config ips sensor
    edit "test-ips-profile"
        [...]
            edit 5
                set location all
                set severity critical
                set protocol all
                set os Linux
                set application Apple
                set status default <----
                set log enable
                set log-packet disable
                set log-attack-context disable
                set action default <----
                set quarantine none
            next
        end

In the GUI, change the action to "Monitor".

In the CLI the result is:

            edit 5
                set location all
                set severity critical
                set protocol all
                set os Linux
                set application Apple
                set status enable <---
                set log enable
                set log-packet disable
                set log-attack-context disable
                set action pass <---
                set quarantine none
            next

The expected result is that the action changes to pass and log stays set to enable; the change of status from default to enable is not expected.

Keeping the status at default while the action is pass can be achieved from the CLI. It is not possible from the GUI.

Workaround
If the config is done via the FortiGate CLI, it is possible to configure the filter with:

            set status default
            set action pass

Comments
The IPS signature list contains redundant, obsolete or false-positive-prone signatures.
    - These signatures are assigned a default value of enable or disable, i.e. on or off.
    - The IPS sensor "default status" is defined by the FortiGuard IPS Team and is updated regularly depending on the signature, monitoring results, etc.
    - Changing the status to enable, e.g.:

config ips sensor
    edit "test-ips-profile"
        set status enable <---

      means that "status" should ONLY be available from the command line.


The FortiGate GUI and FortiManager should not change the status at all, because doing so negates the intelligence added by the FortiGuard team to reduce false positives and unwarranted network disruptions caused by IPS signatures. For now, use the workaround above to prevent false positives.
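To catch filter entries whose status has drifted off default (as the GUI change above does), here is an added example that is not part of this article or of Fortinet's tools: it parses a saved "config ips sensor" block and emits the CLI workaround for each such entry. The sample config and the function names are constructed for this example.

```python
# Added example (not from the article or Fortinet): audit a saved FortiOS
# "config ips sensor" block for filter entries whose status left "default".
SAMPLE_CONFIG = """\
config ips sensor
    edit "test-ips-profile"
        config entries
            edit 5
                set status enable
                set action pass
            next
            edit 6
                set status default
            next
        end
    next
end
"""  # constructed sample; entry 5 mimics the GUI result shown in the article

def parse_ips_entries(config_text):
    """Return {sensor: {entry_id: {setting: value}}} from FortiOS CLI text."""
    sensors, sensor, entry, in_entries = {}, None, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config entries":
            in_entries = True
        elif line == "end" and in_entries:  # closes the "config entries" sub-table
            in_entries = False
        elif line.startswith("edit "):
            name = line[5:].strip('"')
            if in_entries:
                entry, sensors[sensor][entry] = name, {}
            else:
                sensor, sensors[sensor] = name, {}
        elif line.startswith("set ") and in_entries and entry is not None:
            key, _, value = line[4:].partition(" ")
            sensors[sensor][entry][key] = value
        elif line == "next":
            entry = None  # leaving an entry; the next "edit" reopens one
    return sensors

def find_status_overrides(sensors):
    """(sensor, entry, status, action) for entries not at the FortiGuard default status."""
    return [(name, eid, s["status"], s.get("action", "default"))
            for name, entries in sensors.items() for eid, s in entries.items()
            if s.get("status", "default") != "default"]

def workaround_cli(sensor, entry_id, action):
    """CLI lines that restore 'set status default' but keep the chosen action."""
    body = f'    edit "{sensor}"\n        config entries\n            edit {entry_id}\n'
    body += f"                set status default\n                set action {action}\n"
    return "config ips sensor\n" + body + "            next\n        end\n    next\nend"
```

Run find_status_overrides over the output of "show full-configuration ips sensor" to list entries to fix, and paste the workaround_cli output back into the CLI.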