An administrator applied a block-all IPS profile for client and server targets to secure the server, but the database team reported the application stopped working immediately after. How can an administrator apply IPS in a way that ensures it does not disrupt existing applications in the network? (Choose one answer)

A. Use an IPS profile with all signatures in monitor mode and verify patterns before blocking.
B. Limit the IPS profile to server targets only to avoid blocking connections from the server to clients.
C. Select flow mode in the IPS profile to accurately analyze application patterns.
D. Set the IPS profile signature action to default to discard all possible false positives.

Correct Answer: A

Brave-Dump Clients Votes

A 100%

Comments

Brave-Dumps Admin 2025-04-26 23:39:33

Selected Answers: A

A is correct
EFW 7.4 study guide page 175 confirms that,

If you experience a situation where FortiGate incorrectly identifies a benign or normal event as malicious or
problematic, you should take the following steps:

1. Add another signature using the Signature as the Type.
2. Select Monitor as the Action and enable packet logging to allow traffic and generate a log.

You need to make sure the new signature has a higher priority than the filter signatures; if it is ranked lower, it
won't work as expected.

The flow of events in this scenario is as follows:
1. A user on the Linux server uses hping3 to send large ICMP packets to a Windows PC.

2. The firewall detects that the new signature oversized packet should have the action Monitor, so it allows the
traffic and generates a log.

3. The Windows PC receives the packet from the Linux server, making the app work as expected.

If you encounter a scenario where an IPS signature blocks your native traffic and an application that you are
using is considered hostile, you should set the Action to Monitor, at the top of your rules.