“You can configure the fail-open setting under config ips global to control how the IPS engine behaves when the IPS socket buffer is full.”
“If the IPS engine does not have enough memory to build more sessions, the fail-open setting determines whether the FortiGate should drop the sessions or bypass the sessions without inspection.”
“It is important to understand that the IPS fail-open setting is not just for conserve mode—it kicks in whenever IPS fails. Most failures are due to a high CPU issue or a high memory (conserve mode) issue.”
Technical Deep Dive:
The correct answer is A .
The log text says:
logdesc="IPS session scan paused"
action="drop"
msg="IPS session scan, enter fail open mode"
That combination indicates an IPS failure condition, specifically the condition described in the guide where the IPS socket buffer is full and the IPS engine lacks enough memory/resources to build additional sessions. In that state, FortiGate applies the configured IPS fail-open behavior. Since the log shows action="drop", the device is not bypassing those new sessions; it is dropping them.
Why the other choices are wrong:
B is wrong because the guide ties fail-open to socket buffer/resource exhaustion, not packet decode failure.
C is wrong because this is not evidence of a manual diagnostic pause.
D is wrong because the study guide does not associate this log with dirty-flag packet reevaluation.
Operationally, this usually points to high memory, high CPU, or conserve-mode pressure affecting the IPS engine. Useful checks are:
get system performance status
diagnose hardware sysinfo conserve
diagnose sys top
Those help confirm whether the IPS issue is being driven by memory pressure or CPU exhaustion.
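As an added example (not from the study guide or from Fortinet), the following Python parses FortiGate key=value log lines and flags IPS fail-open events, separating sessions that were dropped from sessions that were bypassed without inspection. The sample log lines are constructed for the example; the field names follow the log quoted above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in FortiGate key=value style (not real device output).
# Line 1 mirrors the log discussed above; line 2 shows the bypass variant;
# line 3 is an unrelated event that the scan must ignore.
SAMPLE_LOGS = [
    'date=2024-01-01 time=10:00:00 type="utm" subtype="ips" level="warning" '
    'logdesc="IPS session scan paused" action="drop" '
    'msg="IPS session scan, enter fail open mode"',
    'date=2024-01-01 time=10:05:00 type="utm" subtype="ips" level="warning" '
    'logdesc="IPS session scan paused" action="pass" '
    'msg="IPS session scan, enter fail open mode"',
    'date=2024-01-01 time=10:07:00 type="event" subtype="system" '
    'logdesc="Admin login successful" action="login"',
]

# key=value pairs; a quoted value may contain spaces and commas, a bare one may not.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split one FortiGate log line into a field dict, stripping value quotes."""
    fields: Dict[str, str] = {}
    for key, raw in FIELD_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') and raw.endswith('"') else raw
    return fields


def classify_ips_failopen(fields: Dict[str, str]) -> Optional[str]:
    """Return 'drop' or 'bypass' for an IPS fail-open event, None otherwise."""
    if fields.get("subtype") != "ips":
        return None
    if "fail open" not in fields.get("msg", "").lower():
        return None
    # action="drop" means new sessions are being dropped; anything else
    # (e.g. action="pass") means they are bypassing inspection.
    return "drop" if fields.get("action") == "drop" else "bypass"


def scan_logs(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Collect fail-open events with their timestamp, description and verdict."""
    events = []
    for line in lines:
        fields = parse_fortigate_log(line)
        verdict = classify_ips_failopen(fields)
        if verdict is not None:
            events.append({"time": fields.get("time"),
                           "logdesc": fields.get("logdesc"),
                           "verdict": verdict})
    return events


if __name__ == "__main__":
    for event in scan_logs(SAMPLE_LOGS):
        print(event)
```

A run of "drop" verdicts is the signal to go straight to the memory and CPU checks listed above, since the engine is refusing new sessions rather than passing them uninspected.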