Sveto
Visitor III
June 27, 2022
Question

IPS FILTER

Dear all,

since I was not able to find an answer to my simple question, I'm routing it here.

I'm configuring an IPS Filter and I want it to log the packets only upon HIGH/CRITICAL severity events.

However, I want to keep my other Filter working as usual, without packet logging.

I'm just not sure if the IPS sensor looks through all the filters or whether it will just hit the first match and bypass the others. (This is the main question.)

1) Example (what I did, current config):

#1 High, Critical -> block, log the packet

#2 Protect client + some protocols, default, no packet log

2) Example (will this make sense?):

#1 High, Critical -> monitor, log the packet

#2 Protect client + some protocols, default, no packet log

If you look at the second scenario, I think the #1 filter will pass all the packets and #2 won't ever take action. Am I wrong?


ssudhakar
Staff
June 28, 2022

Hi there:

FortiGate follows a top-down approach in the table of IPS signatures and filters to take the appropriate action when there is a signature hit.

Below is a KB article on how to configure an IPS profile and an explanation of how it works:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-Configure-the-FortiGate-to-Block-an-IPS/ta-p/197115

Under the IPS sensor configuration in the GUI, ensure the selected signatures are arranged in the proper order according to your needs, since FortiGate follows a top-down approach in the table of IPS signatures and filters to take the appropriate action when there is a signature hit.

Hope that helps!!

Thank you,

Hope
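As an added illustration (not the author's or Fortinet's code), a small Python model of the top-down, first-match evaluation described in the reply: it runs both of the questioner's scenarios over constructed sample signatures, showing that with filter #1 set to monitor, high/critical hits are handled (and packet-logged) by #1 and never reach #2, while lower-severity client signatures still fall through to #2. The filter criteria, action names and signatures are assumptions of the model.

```python
# Constructed model of the top-down, first-match IPS filter evaluation described in the reply.
# Assumption: a signature hit is handled by the first filter whose criteria it matches, and later
# filters are never consulted for that signature. All names and signatures are invented.
from dataclasses import dataclass, field

@dataclass
class Signature:
    name: str
    severity: str   # "info", "low", "medium", "high" or "critical"
    target: str     # "client" or "server"
    protocol: str

@dataclass
class IpsFilter:
    name: str
    action: str                                  # "block", "monitor" or "default"
    log_packet: bool                             # packet logging on hit
    severity: set = field(default_factory=set)   # empty set means "any"
    target: set = field(default_factory=set)
    protocol: set = field(default_factory=set)

    def matches(self, sig):
        return ((not self.severity or sig.severity in self.severity)
                and (not self.target or sig.target in self.target)
                and (not self.protocol or sig.protocol in self.protocol))

def evaluate(filters, sig):
    """Return (filter name, action, log_packet) from the first filter that matches."""
    for f in filters:
        if f.matches(sig):
            return f.name, f.action, f.log_packet
    return None, "not selected", False   # no filter selects this signature in the sensor

# Constructed sample signatures covering both scenarios in the question.
SAMPLE_SIGS = [
    Signature("Critical.Exploit.A", "critical", "server", "HTTP"),
    Signature("High.Exploit.B", "high", "client", "HTTP"),
    Signature("Medium.Browser.C", "medium", "client", "HTTP"),
]

def scenario(first_action):
    """Filter #1 = high/critical with packet log; filter #2 = protect client, default action."""
    filters = [
        IpsFilter("#1 High/Critical", first_action, True, severity={"high", "critical"}),
        IpsFilter("#2 Protect client", "default", False, target={"client"}, protocol={"HTTP", "DNS"}),
    ]
    return {sig.name: evaluate(filters, sig) for sig in SAMPLE_SIGS}

if __name__ == "__main__":
    for action in ("block", "monitor"):   # scenario 1 and scenario 2 from the question
        for name, hit in scenario(action).items():
            print(f"filter #1 = {action}: {name} -> {hit}")
```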

Sveto (Author)
Visitor III
June 29, 2022

Thanks a lot!

ssudhakar
Staff
July 19, 2022

You are very welcome, Sveto!!

-/Hope