Intrusion Prevention and Application Control Flashcards
What does IPS do?
- Flow-based detection blocking anomalies and exploits
- Protects the inside of the network from outside threats
What IPS action allows traffic and logs the activity?
Monitor
How does application control work?
Uses the IPS engine to scan traffic for application patterns
What is a limitation of HTTP block page for application control?
It can be used only for web applications
In what situations might the default action for signatures be incorrect?
- Software vendor releases a security patch (continuing to scan for exploits wastes resources)
- Network has a custom application with traffic that inadvertently triggers an IPS signature
What are two ways you can add a predefined signature to an IPS sensor?
- Select the signatures individually
- Add signatures to a sensor using filters; FortiGate adds all signatures that match the filter
What are rate-based signatures used for?
To block traffic when the threshold is exceeded during a time period
How do rate-based signatures work?
- Applied to protocols you use
- FortiGate triggers the action when the threshold is reached during the configured “duration”
How does the IPS compare traffic with the signatures in each filter?
- The engine evaluates the filters and signatures at the top of the list first, and applies the first match
- Skips subsequent filters
IPS action quarantine does what?
Allows you to quarantine the attacker’s IP address for a set duration
IPS action reset does what?
Generates a TCP RST packet whenever the signature is triggered
IPS action block does what?
Silently drops traffic matching any of the signatures
What’s a way to get consolidated botnet protection?
Enable botnet scanning on the IPS profile that you apply to the firewall policy
What SSL inspection mode should you use to get the maximum benefit from your IPS features?
Deep inspection
What is a way to troubleshoot continuous high-CPU use by the IPS engines?
- diagnose test application ipsmonitor
- Option 5 (IPS bypass mode)
- If CPU decreases, it can indicate the volume of traffic being inspected is too high for that FortiGate model
- If CPU remains high, it can indicate a problem in the IPS engine (report to Fortinet support)
How does application control in FortiGate work?
- Uses the IPS engine in flow-based scan
- Detects and acts on network application traffic
What does configuring network protocol enforcement on an application sensor allow you to do?
Configure network services on known ports, while blocking those services on other ports
Having what enabled causes all HTTPS-based applications to provide a block page?
Deep inspection
In what order does FortiGate scan the application profile?
- Application and filter overrides
- Categories
Does the application control scan or the web filtering scan happen first?
Application control
How do you enable an application control profile you configured?
Enable application control and select the profile in the appropriate firewall policy
Which IPS action allows traffic and logs the activity?
Monitor
What uses the IPS engine to scan traffic for application patterns?
Application control
What can the HTTP block page be applied to?
Web applications