Mohammed_Feroz
Article Id 283166
Description This article explains how to create custom rate-based settings for specific signatures.
Scope FortiGate IPS.
Solution

IPS signature patterns are created with generic threshold and duration values. Depending on the traffic flow, these values can produce false positive events in specific environments, in which case the signature rate values can be modified.

In the example below, SMB.Login.Brute.Force is set with the default value of 500 failed attempts in one minute, as documented in the following article:

https://www.fortiguard.com/encyclopedia/ips/12090

 

This can produce false positive events in an environment where more than 500 login failures in a minute are expected. In that case, make the following modifications under Security Profile -> select the IPS profile, select the IPS entry -> switch Type to Signature.

The threshold value of 500 is switched to 1000 for the selected signature.

To make the changes over CLI:

 

config ips sensor
    edit {sensor name}
        config entries
            edit {unused integer entry number} <----- '?' to check which entries are in use.
                set rule 12090 <----- Rule id for 'SMB.Login.Brute.Force'.
                set status enable
                set rate-count 1000 <----- Threshold value.
                set rate-duration 60 <----- Rate duration in seconds.
            next
        end
    next
end

 

For more information about IPS sensor entries, review the following article: IPS configuration options
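Before moving the threshold from 500 to 1000, it helps to measure how many failed SMB logins the environment really produces within one rate-duration window. The Python script below is an added example, not part of the original article or any Fortinet tooling: it computes the peak count per source and overall in any 60-second sliding window. Assumptions: the 'ISO-timestamp,source-ip' input rows, the sample hosts and the sliding-window counting are constructed for illustration and may differ from how the sensor counts internally.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

RATE_DURATION = 60     # seconds, as in 'set rate-duration 60'
DEFAULT_COUNT = 500    # default threshold quoted in the article
PROPOSED_COUNT = 1000  # value set in the article's example

def peak_rate(stamps, window_s=RATE_DURATION):
    """Largest number of events in any sliding window of window_s seconds."""
    window, peak = deque(), 0
    for ts in sorted(stamps):
        window.append(ts)
        while (ts - window[0]).total_seconds() >= window_s:
            window.popleft()  # older than the window ending at ts
        peak = max(peak, len(window))
    return peak

def verdict(peak):
    """Compare a measured peak with both thresholds (assumes trigger at >=)."""
    if peak >= PROPOSED_COUNT:
        return "above proposed"
    if peak >= DEFAULT_COUNT:
        return "above default only"
    return "below default"

def assess(lines):
    """Rows are 'ISO-timestamp,source-ip' (assumed export format)."""
    per_src = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, src = line.strip().split(",", 1)
            per_src[src].append(datetime.fromisoformat(ts))
    report = {}
    for src, stamps in per_src.items():
        peak = peak_rate(stamps)
        report[src] = (peak, verdict(peak))
    total = peak_rate([t for v in per_src.values() for t in v])
    report["ALL"] = (total, verdict(total))
    return report

def sample_rows():
    """Constructed data: a batch host, a workstation and a noisy host."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    spec = {"10.0.0.5": (600, 100), "10.0.0.9": (20, 3000), "10.0.0.7": (1500, 40)}
    return [f"{(t0 + timedelta(milliseconds=i * step)).isoformat()},{ip}"
            for ip, (n, step) in spec.items() for i in range(n)]

if __name__ == "__main__":
    for src, (peak, note) in assess(sample_rows()).items():
        print(f"{src:10} peak/{RATE_DURATION}s={peak:5}  {note}")
```

A source whose peak sits between 500 and 1000 is the case the article describes; a source above 1000 would still match after the change and deserves investigation rather than a further threshold increase.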