“ Rate-based IPS signatures also allows you to detect anomalies, which are unusual behaviors in the network...”
“There are two ways to add predefined signatures to an IPS sensor. One way is to select the signatures individually... The second way to add a signature to a sensor is using filters.”
“ You can also add rate-based signatures to block specific traffic when the threshold is exceeded. On the CLI, If you set the command rate-mode to periodical, FortiGate triggers the action when the threshold is reached during the configured Duration time period. ”
Technical Deep Dive:
The correct answer is C. Use IPS signatures, rate-mode periodical option.
The guide is explicit that this behavior belongs to rate-based IPS signatures . The question asks for blocking traffic when a signature is triggered a certain number of times within a defined interval. That is exactly what rate-mode periodical does: it evaluates the trigger count over the configured duration window and then applies the configured IPS action when the threshold is met.
Why the other options are wrong:
A is wrong because rate-mode 60 is not the documented syntax or method.
B is wrong because packet logging records packets; it does not implement threshold-based blocking logic.
D is wrong because the guide ties rate-mode periodical to rate-based signatures , not to IPS filters as the mechanism for this threshold behavior.
Operationally, this is used for anomaly-style detection, similar in concept to lightweight rate-based protection. A typical CLI pattern is along these lines:
config ips sensor
edit " custom-ips "
config entries
edit 1
set rule < signature_id >
set rate-mode periodical
set rate-count < threshold >
set rate-duration < seconds >
set action block
next
end
next
end
This works best when applied only to relevant protocols and signatures, because broad use of rate-based signatures can consume more resources and increase false-positive risk.