A security engineer has configured a network intrusion prevention system (IPS) to block all traffic destined for a deprecated internal application server. Despite the new rule, monitoring logs show that connections to the server are still being established. The IPS logs confirm that the rule is being triggered and is generating alerts for the traffic, but the packets are not being dropped. What is the MOST likely cause of this issue?
An 'allow' rule with a higher priority is being processed before the new 'block' rule.
The IPS is operating in a passive, out-of-band (tap) mode.
The IPS rule was configured with an action of 'alert' instead of 'block'.
The IPS has entered a 'fail-open' state due to high traffic volume.
The most likely cause is that the IPS rule's action was configured to 'alert' or 'detect' only, rather than 'block' or 'prevent'. This is a common misconfiguration where a rule correctly identifies traffic but does not take the intended enforcement action. While operating in passive mode or having a higher-priority 'allow' rule are possible causes for traffic not being blocked, the fact that the IPS is specifically generating an alert for this rule points to the action within the rule itself as the misconfiguration. A fail-open state is a possible failure mode, but it is less likely to be the root cause if the device is otherwise functioning and logging alerts for the specific rule.