Technical Tip: How to Configure the FortiGate to Block an IPS Attack and change the default IPS action
Description
This article describes how to add IPS signatures to an IPS sensor in order to change their default action.
If the default action for an IPS signature is set to 'pass', it is possible to change the action to 'block' by following the instructions below:
Solution
1) Go to Security Profiles -> Intrusion Prevention.
2) Create a new profile, or use an existing profile.
3) Under IPS Signatures and Filters, select 'Create New' to add a new entry to the IPS sensor that is in use.


5) Use the 'Search' field to find the signature.



9) Save the profile and apply it to the firewall policy on which this signature should block.
Note:
In the IPS sensor configuration in the GUI, ensure the selected signatures are arranged in the required order. FortiGate evaluates the IPS Signatures and Filters table top-down to decide which action to take when there is a signature hit.
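The ordering caveat in the note can be checked offline against an exported sensor. The following is an added example, not Fortinet code: it parses a constructed `config ips sensor` export and applies a simplified first-match model (match by signature ID or by severity only). The sensor name, signature ID 12345, its severity and its default action are all assumptions made for illustration.

```python
# Constructed sample export: entry 1 is a severity filter that keeps each
# signature's default action; entry 2 is the override meant to block.
SENSOR = """
config ips sensor
    edit "example-sensor"
        config entries
            edit 1
                set severity high critical
                set action default
            next
            edit 2
                set rule 12345
                set action block
            next
        end
    next
end
"""
ALL_SEVERITIES = ["info", "low", "medium", "high", "critical"]
# Constructed signature metadata (hypothetical ID, default action 'pass').
SIG = {"id": 12345, "severity": "high", "default": "pass"}

def parse_entries(text):
    """Return the sensor's entries in table order as dicts of their 'set' lines."""
    entries, cur = [], None
    for line in text.splitlines():
        tok = line.split()
        if len(tok) == 2 and tok[0] == "edit" and tok[1].isdigit():
            cur = {"id": int(tok[1])}
        elif tok[:1] == ["set"] and cur is not None:
            cur[tok[1]] = tok[2:]
        elif tok == ["next"] and cur is not None:
            entries.append(cur)
            cur = None
    return entries

def deciding_entry(entries, sig):
    """Top-down, first match wins: return (entry id, effective action)."""
    for e in entries:
        by_rule = "rule" in e and str(sig["id"]) in e["rule"]
        by_filter = "rule" not in e and sig["severity"] in e.get("severity", ALL_SEVERITIES)
        if by_rule or by_filter:
            action = e.get("action", ["default"])[0]
            return e["id"], sig["default"] if action == "default" else action
    return None, None  # signature is not covered by this sensor

def overrides_first(entries):
    """Reordered copy with per-signature entries above the filter entries."""
    return sorted(entries, key=lambda e: "rule" not in e)
```

With the sample as exported, the filter in entry 1 decides the hit and the signature keeps 'pass'; once the per-signature entry is moved above the filter, entry 2 decides and the action is 'block'.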

