Exam NSE7_EFW-7.2 topic 1 question 50 discussion

Actual exam question from Fortinet's NSE7_EFW-7.2

Question #: 50
Topic #: 1

You want to block access to the website www.eicar.org using a custom IPS signature.

Which custom IPS signature should you configure?

A. F-SBID ( --name “detect_eicar”; --protocol udp; --service ssl; --flow from_client; --pattern “www.eicar.org”; --no_case; --context host;)
B. F-SBID ( --name “eicar”; --protocol udp; --flow from_server; --pattern “eicar”; --context host;)
C. F-SBID ( --name “detect_eicar”; --protocol tcp; --service dns; --flow from_server; --pattern “eicar”; --no_case;)
D. F-SBID ( --name “eicar”; --protocol tcp; --service HTTP; --flow from_client; --pattern “www.eicar.org”; --no_case; --context host;)

Show Suggested Answer

Suggested Answer: D 🗳️

by dsticht at May 29, 2024, 4:15 p.m.

Comments

Submit Cancel

myrmidon3

4 months, 2 weeks ago

Selected Answer: D

The correct answer is: D. F-SBID ( --name “eicar”; --protocol tcp; --service HTTP; --flow from_client; --pattern “www.eicar.org”; --no_case; --context host;) Protocol: TCP Since the website (www.eicar.org) uses the HTTP protocol, the custom IPS signature should specify --protocol tcp. Service: HTTP The --service HTTP setting ensures that the signature applies to HTTP traffic. Flow: from_client The traffic flow should be from_client because the client (user device) initiates the request to the website. Pattern: “www.eicar.org” The pattern must match the website name, which is "www.eicar.org". The --no_case parameter ensures that the match is case-insensitive. Context: host The --context host setting specifies that the signature should inspect the Host field in the HTTP request header, which contains the domain name.

upvoted 1 times

...