FortiGate
ayusof
Staff

Description
This article describes how to add IPS signatures to an IPS sensor in order to change their default action.

If the action for an IPS signature's attack is set to 'pass', it is possible to change the action to 'block' by following the instructions below:


Solution
1) Go to Security Profiles -> Intrusion Prevention.
2) Create a new profile, or use an existing profile.
3) Under 'IPS Signatures and Filters' of the IPS sensor in use, select 'Create New' to add a new entry.
4) Select Type: 'Filter' or 'Signature' based on the requirement.
5) Use the 'Search' field to search for the signature.
6) Select the signature and select the 'Add Selected' button.
7) 'Default Action' can be changed as desired.
8) Select the appropriate signature and select 'OK'.
9) Save the profile and apply it to the firewall policy on which this signature is intended to block.


Note:
In the IPS sensor configuration in the GUI, ensure the selected signatures are arranged in the proper order according to your need. FortiGate follows a top-down approach through the table of IPS signatures and filters when deciding which action to take on a signature hit.
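
The same change expressed in the FortiOS CLI, with the ordering from the note applied. This is an added example, not part of the original article; the sensor name, `<SIGNATURE_ID>` and `<POLICY_ID>` are placeholders to replace with your own values, and the severity filter in entry 2 is only an assumed example of a broader entry.

```fortios
# Added example: every name and ID below is a placeholder, not a value from this article.
config ips sensor
    edit "custom-ips-sensor"
        config entries
            # Entry 1: the single signature whose default action is being overridden.
            edit 1
                set rule <SIGNATURE_ID>
                set status enable
                set action block
            next
            # Entry 2: a broader filter that keeps each signature's default action.
            # It is listed after entry 1, so a hit on <SIGNATURE_ID> matches entry 1 first.
            edit 2
                set severity medium high critical
                set action default
            next
        end
    next
end

# Apply the sensor to the firewall policy that carries the traffic.
config firewall policy
    edit <POLICY_ID>
        set utm-status enable
        set ips-sensor "custom-ips-sensor"
    next
end
```

Running `show ips sensor "custom-ips-sensor"` afterwards prints the entries in their stored order, which is a quick way to confirm the override sits above any broader filter.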