Dear all,
Since I was not able to find an answer to my simple question, I'm routing it here.
I'm configuring an IPS filter and I want it to log packets only on HIGH/CRITICAL severity events.
However, I want my other filter to keep working as usual, without packet logging.
I'm just not sure whether the IPS sensor looks through all the filters or just hits the first match and bypasses the others. (This is the main question.)
1) Example (what I did, current config):
#1 High, Critical -> block, log the packet
#2 Protect client + some protocols, default, no packet log
2) Example (will it make sense?):
#1 High, Critical -> monitor, log the packet
#2 Protect client + some protocols, default, no packet log
If you look at the second scenario, I think the #1 filter will pass all the packets and #2 won't ever take action. Am I wrong?
Hi there:
FortiGate follows a top-down approach in the table of IPS signatures and filters to take the appropriate action when there is a signature hit.
Below is a KB on how to configure an IPS profile and an explanation of how it works.
Under the IPS sensor configuration in the GUI, ensure the selected signatures are arranged in the proper order according to your needs, since FortiGate follows a top-down approach in the table of IPS signatures and filters to take the appropriate action when there is a signature hit.
Hope that helps!!
Thank you,
Hope
Thanks a lot!
You are very welcome Sveto!!
-/Hope
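
The top-down evaluation described in the reply, modelled for the two scenarios in the question. This is an added example, not part of the thread and not Fortinet code. It assumes the first matching entry decides the action; the signature names, the HTTP/DNS protocol list and the signatures' default actions are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Signature:            # constructed sample signature metadata
    name: str
    severity: str
    target: str             # "client" or "server"
    protocol: str
    default_action: str     # what the "default" action resolves to for this signature

@dataclass(frozen=True)
class Entry:                # one row of the sensor table; None means "any"
    id: int
    action: str             # "block", "monitor" or "default"
    log_packet: bool
    severities: Optional[frozenset] = None
    targets: Optional[frozenset] = None
    protocols: Optional[frozenset] = None

    def matches(self, sig: Signature) -> bool:
        criteria = ((self.severities, sig.severity), (self.targets, sig.target),
                    (self.protocols, sig.protocol))
        return all(allowed is None or value in allowed for allowed, value in criteria)

def evaluate(sensor, sig):
    """Walk the table top-down; the first matching entry decides (assumed model)."""
    for entry in sensor:
        if entry.matches(sig):
            action = sig.default_action if entry.action == "default" else entry.action
            return entry.id, action, entry.log_packet
    return None, "not in sensor", False   # no entry selects this signature

def build_sensor(first_action):
    # Entry #1: High/Critical with packet log. Entry #2: client + some protocols, default.
    return [
        Entry(1, first_action, True, severities=frozenset({"high", "critical"})),
        Entry(2, "default", False, targets=frozenset({"client"}),
              protocols=frozenset({"HTTP", "DNS"})),   # placeholder protocol list
    ]

SCENARIO_1 = build_sensor("block")     # example 1 from the question
SCENARIO_2 = build_sensor("monitor")   # example 2 from the question
HIGH_SIG = Signature("Constructed.High.Client", "high", "client", "HTTP", "block")
MED_SIG = Signature("Constructed.Medium.Client", "medium", "client", "HTTP", "block")

if __name__ == "__main__":
    for label, sensor in (("scenario 1", SCENARIO_1), ("scenario 2", SCENARIO_2)):
        for sig in (HIGH_SIG, MED_SIG):
            print(label, sig.name, evaluate(sensor, sig))
```

Under this model, entry #2 still acts on signatures that entry #1 does not select (lower severities), while a High or Critical signature that would block by default is only monitored in the second scenario because entry #1 claims it first.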