According to the FortiOS packet processing order, also known as the "Life of a Packet," Denial of Service (DoS) policy checks are performed at the very beginning of the packet flow. This happens immediately after the packet is received on the ingress interface and before a session is created. Intrusion Prevention System (IPS) scanning, which evaluates signatures and filters, occurs much later in the process, after a firewall policy has accepted the traffic and a session has been established. Therefore, the ipsrcsession anomaly defined in the DoS policy is the first item to be evaluated by FortiGate.

A. SMTP.Login.Brute.Force: This is an IPS signature, which is evaluated by the IPS engine after the DoS policy check and session establishment. B. IMAP.Login.brute.Force: This is an IPS signature, which is processed later in the packet flow by the IPS engine, not before the DoS policy. D. Location: server Protocol: SMTP: This is an IPS filter used to apply specific signatures. It is part of the IPS engine's logic, which runs after the DoS policy.

1. Fortinet FortiOS 7.4.0 Administration Guide, Packet flow and security profiles > Life of a packet, Page 1031. The packet flow diagram and description clearly show that the dos-policy check occurs at the ingress stage, well before session setup and the application of security profiles like IPS (ipsscan).

2. Fortinet FortiOS 7.4.0 Administration Guide, Security Profiles > DoS Protection, Page 568. This section explains that DoS policies are designed to "protect the FortiGate unit from denial of service attacks" by inspecting traffic before it is processed by the CPU, confirming its early position in the packet flow.