To exclude this signature (for example, to leave it out of scanning because it is absolutely certain that this is legitimate traffic), it is necessary to create a custom filter and change the action:
Both filters are now visible in the IPS profile, the newly added one with the 'Allow' action:

But this means the signature in question is present twice: once in the 'Critical' severity filter, with action 'Block', and once more in the custom filter, with a custom action ('Allow').

Which one is used in this case? The first match with the 'Block' action configured takes priority and blocks the traffic.

Simply adding the signature to the IPS profile with a custom action 'Block' is enough only when we want to change the signature's default action from 'Allow' to 'Block'.

But if this filtered signature is dragged on top of the severity filters, the action is 'Allow', the other filters are still searched, and the signature is found again, this time with the default action 'Block'.

The solution is to add a custom filter that includes all other signatures but excludes this one, because it is still necessary to use all the other IPS signatures rated as critical severity in the profile.

The end result:

Note: The IPS filtering and selection of signatures differs between FortiOS versions. The example above is done in FortiOS 6.2, and it is the same in FortiOS 6.4 and FortiOS 7.0. FortiOS 6.0 and earlier versions have a slightly different IPS selection sequence and behavior.

Related Articles
Technical Note: Exempting IP addresses from IPS sensor scanning