Refer to the exhibit, which shows the IPS sensor configuration. If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)
A.
The sensor will gather a packet log for all matched traffic.
B.
The sensor will reset all connections that match these signatures.
C.
The sensor will allow attackers matching the Microsoft.Windows.iSCSI.Target.DoS signature.
D.
The sensor will block all attacks aimed at Windows servers.
Correct Answers: A and C
Explanation of Each Option:
A. The sensor will gather a packet log for all matched traffic.
Correct. The "Microsoft.Windows.iSCSI.Target.DoS" signature has packet logging enabled, so matched traffic will be logged.
B. The sensor will reset all connections that match these signatures.
Incorrect. The configuration does not indicate resetting connections, as the action for the "iSCSI" signature is set to "Monitor."
C. The sensor will allow attackers matching the Microsoft.Windows.iSCSI.Target.DoS signature.
Correct. The action for this signature is set to "Monitor," meaning traffic matching this signature is allowed but logged.
D. The sensor will block all attacks aimed at Windows servers.
Incorrect. The signature for "iSCSI" is explicitly set to "Monitor," so it will not block this attack.
Conclusion:
The sensor will log traffic (A) for matched signatures and allow traffic (C) for the monitored "iSCSI" signature.
A is incorrect because there is no log enabled to blocked packets
B is incorrect because iSCI packets are allowed
C is correct because iSCI packets are allowed
D is correct because all other windows server attacks will be blocked
Microsoft.Windows.iSCSI.Target.DoS is allowed, so not all attacks to windows are blocked.
And when hitting the Microsoft.Windows.iSCSI.Target.DoS attack, it is getting logged
A and C.
D cannot be for the following reason: "When the IPS engine compares traffic with the signatures in each filter, order matters. The rules are similar to firewall policy matching; the engine evaluates the filters and signatures at the top of the list first, and applies the first match. The engine skips subsequent filters". Pag 243 Fortinate Administrator Study Guide
A. The sensor will gather a packet log for all matched traffic.
Packet logging for the first line is enabled but it's disabled for the second line (OS Windows).
Please explain how can A be a correct answer.
If you will research about the signature. it actually targets the server. So D is not true because the way the filter works is from top to bottom. thus, allowing the Signature above to pass through without blocking it.
So, if B and D is incorrect the only remaining answer is
A and C
A (monitor & block generates log for matching traffic)
C (order matters and this is also an atack aimed at windows servers, and because this, D is incorrect)
A and D are correct because is enabled on the output the monitor and logging for sessions, and the action for windows server/client which will match the signature is block
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
0d6e481
Highly Voted 2 months, 1 week agorigonet
Most Recent 1 day, 14 hours agosxcap
1 week, 4 days agoBooma1234
2 weeks agoevdw
3 weeks, 6 days agoevdw
3 weeks, 6 days agovuhidus
1 month agoCharly0710
1 month, 1 week ago262cfa1
1 month, 1 week ago262cfa1
1 month, 1 week agos4mu3l007
1 month, 2 weeks agofelixliao
1 month, 2 weeks agomarcovinicius4
1 month, 2 weeks ago0d6e481
1 month, 3 weeks agoCharlieS8
1 month, 4 weeks agoCharlieS8
1 month, 4 weeks ago6f7d62a
2 months agoDavidCA2024
2 months, 2 weeks agofab1ccb
3 months ago