Intrusion Prevention and Application Control

Question 1

What does IPS do?

Answer 1

• Flow-based detection blocking anomalies and exploits
• Protects the inside of the network from outside threats

Question 2

What IPS action allows traffic and logs the activity?

Answer 2

Monitor

Question 3

How does application control work?

Answer 3

Uses the IPS engine to scan traffic for application patterns

Question 4

What is a limitation of HTTP block page for application control?

Answer 4

It can be used only for web applications

Question 5

In what situations might the default action for signatures be incorrect?

Answer 5

• Software vendor releases a security patch (continuing to scan for exploits wastes resources)
• Network has a custom application with traffic that inadvertently triggers an IPS signature

Question 6

What are two ways you can add a predefined signature to an IPS sensor?

Answer 6

• Select the signatures individually
• Add a signature to a sensor using filters, FortiGate adds all signatures that match that filter

Question 7

What are rate-based signatures used for?

Answer 7

To block traffic when the threshold is exceeded during a time period

Question 8

How do rate-based signatures work?

Answer 8

• Applied to protocols you use
• FortiGate triggers the action when the threshold is reached during the configured “duration”

Question 9

How does the IPS compare traffic with the signatures in each filter?

Answer 9

• The engine evaluates the filters and signatures at the top of the list first, and applies the first match
• Skips subsequent filters

Question 10

IPS action quarantine does what?

Answer 10

Allows you to quarantine the attacker’s IP address for a set duration

Question 11

IPS action reset does what?

Answer 11

Generates a TCP RST packet whenever the signature is triggered

Question 12

IPS action block does what?

Answer 12

Silently drops traffic matching any of the signatures

Question 13

What’s a way to get consolidated botnet protection?

Answer 13

Enable botnet scanning on the IPS profile that you apply the firewall policy

Question 14

What SSL inspection mode should you use to get the maximum benefit from your IPS features?

Answer 14

Deep inspection

Question 15

What is a way to troubleshoot continuous high-CPU use by the IPS engines?

Answer 15

• diagnose test application ipsmonitor
• Option 5 (IPS bypass mode)
• If CPU decreases, it can indicate the volume of traffic being inspected is too high for that FortiGate model
• If CPU remains high, it can indicate a problem in the IPS engine (report to Fortinet support)

Question 16

How does application control in FortiGate work?

Answer 16

• Uses the IPS engine in flow-based scan
• Detects and acts on network application traffic

Question 17

What does configuring network protocol enforcement on an application sensor allow you to do?

Answer 17

Configure network services on known ports, while blocking those services on other ports

Question 18

Having what enabled causes all HTTPS-based applications to provide a block page?

Answer 18

Deep inspection

Question 19

In what order does FortiGate scan the application profile?

Answer 19

• Application and filter overrides
• Categories

Question 20

Does application control profile scan or web filtering scan happen first?

Answer 20

Application control

Question 21

How do you enable an application control profile you configured?

Answer 21

Enable application control and select the profile in the appropriate firewall policy

Question 22

Which IPS action allows traffic and logs the activity?

Answer 22

Monitor

Question 23

What uses the IPS engine to scan traffic for application patterns?

Answer 23

Application control

Question 24

What can the HTTP block page be applied to?

Answer 24

Web applications