Refer to the exhibit. Review the intrusion prevention system (IPS) profile signature settings shown in the exhibit. What do you conclude when adding the FTP.Login.Failed signature to the IPS sensor profile?
A.
Traffic matching the signature will be allowed and logged.
B.
The signature setting uses a custom rating threshold.
C.
The signature setting includes a group of other signatures.
D.
Traffic matching the signature will be silently dropped and logged.
Why D ?
This slide from Fortinet Training Institute confirms exactly how IPS Actions behave:
Allow → lets traffic through, no blocking.
Monitor → lets traffic through but logs the activity.
Block → silently drops traffic matching the signature(s).
Reset → sends a TCP RST packet to tear down the session.
Default → uses the FortiGuard-recommended action for that signature.
Quarantine → temporarily blocks the attacker’s IP for a configurable time.
Packet logging → saves a copy of the packet for analysis.
Relating this to your earlier question about the FTP.Login.Failed signature:
Since the signature’s Action is set to Pass/Allow in the IPS profile you showed, the traffic will be allowed and, because packet logging is enabled, it will be logged.
So the correct conclusion remains:
A. Traffic matching the signature will be allowed and logged.
See page 245 in the Study guide.
Action set to block, is the action the IPS Filter will take for the IPS signatures added in the list. "Select Block to silently drop traffic matching any of the signatures included in the entry".
D is correct. The action is set to Block at the top of the configuration setting. If it was set to default then the default action underneath for each signature will apply.
I got confused with the IPS Signature Action "Pass". I see Rate-based setting is set to "Default". After many loging fail I guess that action is going to be logged as an action "blocked" when exceed the amount of retries. Am I wrong?
I was torn between A and D too. The "Pass" shown on the signature is the default action for that signature. The drop-down menu that shows "Block" in the screenshot has "Default as one of its other options. If "Default" is selected, (I'm pretty sure) it defers to the signature's default action. if anything else is selected, it overrides the action shown next ot the signature. Page 240 talks about default signatures.
Nope, the action in the signature list is block (top of the screenshot). It would be A if the action was default or allow, but the action of all the signatures that will be added to this list is going to be block.
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
mirko1976
4Â days, 5Â hours agotruserud
6Â months agosxcap
8Â months, 1Â week agovuhidus
9Â months agoJRKhan
9Â months, 1Â week agos4mu3l007
9Â months, 3Â weeks agodumpz
10Â months, 3Â weeks agomiguelmagr
10Â months, 3Â weeks agoyoula5
10Â months, 3Â weeks agoGopiChandMurari
11Â months, 1Â week agorefrain8767
2Â months, 1Â week agoKnocks
11Â months, 1Â week ago