Dongfang_Li_FTNT
Article Id 286051
Description

This article describes how FortiGate decides which action to apply to an IPS signature.

An IPS signature has 6 action options: allow, monitor, block, reset, default, and quarantine. The action is set by factory default, and the user can change it.

A severity level is assigned to each IPS signature. The severity level is set by factory default and cannot be modified; the action can.

It is common for a signature's action to conflict with the action of the severity level filter that also matches it.

Scope

All supported versions of FortiOS.

Solution

FortiGate decides the signature's action by the sequence order of the entries in the IPS sensor: the signature entry itself and the severity filter. FortiGate searches the 'IPS Signatures and Filters' section of an IPS sensor from top to bottom and applies the first entry that matches.

Consider an example with the signature 'IMAP.Login.Failed'. By default, the signature has severity level '1' and the 'pass' action.

(Screenshot: Dongfang_Li_FTNT_0-1700849286810.png)

The user changes the signature's action to 'block' and sets the severity level 1 filter to 'monitor'. Because the signature entry is on top and the severity level 1 filter is at the bottom, FortiGate blocks the signature. See the following screenshot.

(Screenshot: Dongfang_Li_FTNT_1-1700849324741.png)

If the sequence order is reversed, the severity level 1 filter is on top and the signature entry is at the bottom. FortiGate then monitors the signature instead of blocking it.

(Screenshot: Dongfang_Li_FTNT_2-1700849359500.png)
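The top-to-bottom, first-match rule above, modelled in code as an added example (not Fortinet code and not FortiOS's actual implementation): `Signature`, `Entry`, `decide_action` and the `shadowed` check are assumed names, and the sample data is constructed from the article's IMAP.Login.Failed walk-through. The `shadowed` check goes slightly beyond the article: it flags sensor entries that can never decide an action because an entry above them already matches everything they match.

```python
# Added example (not Fortinet code): a model of how an IPS sensor decides a
# signature's action. Entries are checked top to bottom; the first match wins.
# Entries are a single named signature or a filter (modelled by severity only).
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Signature:
    name: str
    severity: int        # factory default, cannot be changed
    default_action: str  # factory default action; an entry set to 'default' uses it

@dataclass(frozen=True)
class Entry:
    action: str                      # allow, monitor, block, reset, default, quarantine
    signature: Optional[str] = None  # set for a single-signature entry
    severity: Optional[int] = None   # set for a severity filter entry

    def matches(self, sig: Signature) -> bool:
        if self.signature is not None:
            return self.signature == sig.name
        return self.severity == sig.severity

def first_match(entries: List[Entry], sig: Signature) -> Optional[int]:
    """Index of the topmost entry that matches sig, or None."""
    return next((i for i, e in enumerate(entries) if e.matches(sig)), None)

def decide_action(entries: List[Entry], sig: Signature) -> str:
    """Action applied to sig; 'none' if no entry matches it."""
    i = first_match(entries, sig)
    if i is None:
        return "none"
    return sig.default_action if entries[i].action == "default" else entries[i].action

def shadowed(entries: List[Entry], catalog: List[Signature]) -> List[int]:
    """Indexes of entries that can never decide an action: for every signature
    they match, an entry above matches first. catalog = signatures in scope."""
    out = []
    for i, e in enumerate(entries):
        hits = [s for s in catalog if e.matches(s)]
        if hits and all(first_match(entries, s) < i for s in hits):
            out.append(i)
    return out

# Constructed sample mirroring the article's IMAP.Login.Failed walk-through.
IMAP_LOGIN_FAILED = Signature("IMAP.Login.Failed", severity=1, default_action="pass")
SIG_ON_TOP = [Entry("block", signature="IMAP.Login.Failed"), Entry("monitor", severity=1)]
FILTER_ON_TOP = list(reversed(SIG_ON_TOP))  # severity filter above the signature
```

Running `shadowed` against the signatures a sensor actually covers is a quick way to confirm, after reordering entries, that a specific signature entry placed below a broad filter is still reachable.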