1. Fortinet Certified Solution Specialist - Enterprise Firewall 7.0 Advanced Study Guide
Chapter 3: Intrusion Prevention System (IPS)
Section: IPS Tuning
Page 10: "You can use IPS filters to narrow down the signatures that are included in an IPS profile. This is useful for improving performance and reducing the number of false positives. For example, if you know that you don't have any Linux servers on your network, you can create a filter to exclude all Linux signatures from the IPS profile." This directly supports using filters based on OS to prevent false positives.
2. FortiOS 7.4.0 Administration Guide
Section: Security Profiles > Intrusion Prevention > IPS Signatures
Sub-section: Filters: "You can use filters to narrow the list of IPS signatures that are displayed... You can also use filters to narrow the signatures that are included in an IPS sensor." This confirms the mechanism for narrowing down signatures.
3. FortiOS 7.4.0 Administration Guide
Section: Security Profiles > Intrusion Prevention > Best practices for IPS deployment: "Start by using an IPS sensor that monitors traffic and generates logs... After you have determined that the IPS sensor is not causing any problems, you can change the action to block." This describes the process related to option C, highlighting that monitoring is for identifying false positives, not preventing them, and carries the risk of not blocking real attacks.