Which session flag indicates that the traffic will be checked by IPS anomaly detection?

The session flag that indicates traffic will be checked by IPS anomaly detection is indeed the nds flag. This flag is part of the Fortinet firewall's session control mechanism, specifically designed to facilitate the management of traffic sessions and the application of security features.

When a session is tagged with the nds flag, it signifies that the traffic is subject to intrusion prevention system (IPS) anomaly detection, allowing the system to monitor for unusual patterns that could indicate a potential security threat. This proactive approach helps in identifying and mitigating possible intrusions based on anomalies rather than just known signatures, enhancing the security posture of the network.

In contrast, the other flags—such as ndr, local, and br—serve different purposes and do not specifically indicate the traffic will undergo IPS anomaly checks. Understanding the functionality of each flag is crucial for effectively managing and securing network traffic.