Q: 9
An administrator needs to install an IPS profile without triggering false positives that can impact
applications and cause problems with the user's normal traffic flow.
Which action can the administrator take to prevent false positives on IPS analysis?
Options
Discussion
My pick: A since narrowing the IPS profile to your actual OS, protocol, and app reduces signatures checked, so you get way less risk of false positives. Makes sense from what I've seen in real config. If someone had different lab results, happy to hear it.
Probably A here. Filtering the IPS profile by OS, protocol, and app minimizes unnecessary signatures, which cuts down on false positives. That's what admin guides push for too. Pretty sure about this but let me know if I'm missing something.
Option A had almost the same scenario during mock practice. Targeting OS and protocols with profile extension really helps minimize those annoying false positives. Confident it's A here.
Yeah, I'm with A here. Filtering the IPS profile to match only your actual OS, protocols, and apps just means fewer unnecessary signatures, so way less chance of false positives messing with legit traffic. That’s what Fortinet suggests too I think. Someone correct me if they’ve had a different experience.
Option A. But if the network has a bunch of non-standard apps or custom protocols, filtering by OS/app could miss stuff, right?
A comes up in official admin guides and practice sets. Using the IPS profile extension lets you filter for just your real OS and app context, so false positives drop a lot. Pretty sure that's what they're looking for here but open to other input.
C isn't right here, A is. Fine-tuning the IPS profile for your actual OS, protocols, and applications means fewer false positives because you skip unnecessary signatures. Pretty sure that's what Fortinet recommends for minimizing alert noise.
It's C. I get why people go with A, but monitor mode means the IPS will just log traffic instead of blocking, so even if you get a false positive it won't disrupt users. That feels like the safer way to avoid impact on normal traffic. Could be wrong if they're asking for more targeted tuning though.
C or A, but I went with C since monitor mode means it doesn't actually block anything, so it shouldn't disrupt user traffic even if something's flagged wrong. Seen this logic in some practice tests and labs. Not 100% sure though, the official guide goes deep on tuning IPS profiles.
I don't think it's D. C makes more sense to me since monitor mode avoids blocking traffic, so you won't get false positives affecting users. A seems like a trap for over-restricting the profile.
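As an added example (not from the original page, the question's answer key, or Fortinet's documentation), here is a FortiOS-style IPS sensor sketch contrasting the two approaches argued over above: one entry narrowed to the OS, protocol and application actually deployed (the tuning approach the "A" posts describe), and one that keeps the full signature set but uses the pass action with logging, which is what the GUI labels monitor mode (the "C" posts). The sensor names, the chosen OS/protocol/application values, and the mapping of "A" and "C" onto these two configurations are assumptions.

```fortios
# Constructed example: a sensor whose single entry is filtered to the
# platform actually in use, so signatures written for other OSes,
# protocols and applications are never evaluated against this traffic.
# Fewer irrelevant signatures means fewer false positives, while true
# positives on the covered stack are still blocked.
config ips sensor
    edit "tuned-linux-web"
        config entries
            edit 1
                set os linux                      # assumed inventory value
                set protocol HTTP                 # assumed inventory value
                set application Apache            # assumed inventory value
                set severity medium high critical
                set status enable
                set action block
                set log enable
                set log-packet enable
            next
        end
    next
end

# Constructed example: the same unfiltered signature set, but the action
# is pass with logging (monitor mode). Nothing is dropped, so a false
# positive cannot disrupt user traffic; the trade-off is that a true
# positive is only logged as well, so this suits a baseline/tuning phase
# rather than steady-state protection.
config ips sensor
    edit "monitor-only-baseline"
        config entries
            edit 1
                set status enable
                set action pass
                set log enable
            next
        end
    next
end
```

A practical sequence is to run the monitor-only sensor first, review the IPS log for hits on known-good traffic, then switch to the tuned blocking sensor once the OS/protocol/application filters match the inventory.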