
Is it beneficial to optimize IPS Signatures based on what you're guarding?

When I initially set up my XG, I just selected the pre-defined IPS rules for whatever I was doing, so for an outbound rule I'd do LAN>WAN, for publishing a server WAN>LAN, etc.  Recently I was poking around the rules themselves and realized that there are potentially a lot of rules that I just don't need.  For instance, if I'm running IIS on Windows, I don't need rules related to Apache or Linux or Mac.  I don't have any Linux or Mac clients, so it wouldn't make sense to have a LAN>WAN rule with definitions for anything other than Windows.  Having said that, as far as I know I have not experienced any performance impacts from having all those signatures; I mean, my CPU is usually 10% or below, and I don't seem to be experiencing any slow browsing or anomalies like that, so perhaps I should just leave it alone?

Any thoughts or experiences out there?  Should I tune it to my environment or just leave the defaults and forget about it?  If you tuned, did you notice any benefits?  Thanks in advance.
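As an added illustration of the tuning the post describes (this is example code written for this page, not the thread author's method and not Sophos tooling; XG's own policy editor works on its signature categories, not on a rule file), the script below applies an "environment profile" to a Snort/Suricata-style rule set: rules tagged for products that are neither published to the WAN nor present on LAN clients are disabled, everything else stays. The sample rules, their SIDs, messages and the `affected_product` / `target` metadata keys are all constructed for illustration and do not correspond to real signatures or to any vendor's tagging convention. One deliberate choice: a rule with no product tag is kept, because "cannot classify" is not the same as "not applicable".

```python
"""Tune a Snort/Suricata-style rule set to an environment profile.

Added example for this page, not code from the forum thread or from Sophos.
The rules, SIDs and metadata keys below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample rules (hypothetical SIDs in the local 1000000+ range).
# 'metadata' carries free-form key/value pairs; the keys 'affected_product'
# and 'target' are an assumed tagging convention for this example.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS example traversal"; flow:to_server,established; content:"../"; http_uri; metadata:affected_product Microsoft_IIS, target server; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-APACHE example mod_x overflow"; flow:to_server,established; content:"/mod_x"; http_uri; metadata:affected_product Apache_HTTP_Server, target server; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC example Mac OS X backdoor beacon"; flow:to_server,established; content:"/osx/beacon"; http_uri; metadata:affected_product Mac_OSX, target client; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC example Windows trojan beacon"; flow:to_server,established; content:"/win/beacon"; http_uri; metadata:affected_product Windows, target client; sid:1000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS example SMB exploit attempt"; flow:to_server,established; content:"|FF|SMB"; metadata:affected_product Windows, target server; sid:1000005; rev:1;)
alert tcp any any -> any any (msg:"PROTOCOL example generic anomaly"; flow:established; content:"|00 00 00 00|"; sid:1000006; rev:1;)
"""

# Header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$'
)


@dataclass(frozen=True)
class Environment:
    """What the firewall actually protects (assumed profile, not XG data)."""
    server_products: frozenset  # products published WAN>LAN
    client_products: frozenset  # platforms present on LAN clients


def parse_rule(line):
    """Extract sid, msg, endpoints and metadata from one rule line."""
    m = RULE_RE.match(line)
    if not m:
        return None
    opts = m.group("opts")
    sid = re.search(r'\bsid:\s*(\d+)\s*;', opts)
    msg = re.search(r'msg:\s*"([^"]*)"\s*;', opts)
    meta = re.search(r'metadata:\s*([^;]*);', opts)
    metadata = {}
    if meta:
        for item in meta.group(1).split(","):
            parts = item.strip().split(None, 1)
            if len(parts) == 2:
                metadata.setdefault(parts[0], set()).add(parts[1])
    return {
        "sid": int(sid.group(1)) if sid else None,
        "msg": msg.group(1) if msg else "",
        "src": m.group("src"),
        "dst": m.group("dst"),
        "metadata": metadata,
    }


def decide(rule, env):
    """Return (keep, reason). Untagged rules are always kept."""
    products = rule["metadata"].get("affected_product")
    if not products:
        return True, "no product tag; kept"
    # A rule without a 'target' tag is treated as applying to both sides.
    targets = rule["metadata"].get("target", {"server", "client"})
    relevant = set()
    if "server" in targets:
        relevant |= env.server_products
    if "client" in targets:
        relevant |= env.client_products
    if products & relevant:
        return True, "matches environment"
    return False, "targets %s (%s) not present" % (
        ",".join(sorted(products)), ",".join(sorted(targets)))


def tune_rules(rule_text, env):
    """Return (kept rule lines, [(sid, reason), ...] for disabled rules)."""
    kept, disabled = [], []
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule is None:
            kept.append(line)  # unparseable: leave enabled rather than drop
            continue
        keep, reason = decide(rule, env)
        if keep:
            kept.append(line)
        else:
            disabled.append((rule["sid"], reason))
    return kept, disabled


def sids(lines):
    """SIDs of a list of rule lines, in order."""
    return [parse_rule(line)["sid"] for line in lines]


# Assumed profile matching the post: IIS on Windows published, Windows-only LAN.
EXAMPLE_ENV = Environment(
    server_products=frozenset({"Microsoft_IIS", "Windows"}),
    client_products=frozenset({"Windows"}),
)

if __name__ == "__main__":
    kept, disabled = tune_rules(SAMPLE_RULES, EXAMPLE_ENV)
    print("kept sids:", sids(kept))
    for sid, reason in disabled:
        print("disabled", sid, "-", reason)
```

Run against the constructed set, the Apache server rule and the Mac OS X client rule are disabled; the IIS, Windows and untagged generic rules stay. The generic rule is the point worth noting when tuning by platform: a signature for a protocol or file format fires on the traffic, not on what the client claims to be, so only rules that name a product you definitely do not run are safe to drop.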



  • Hi Bill,

    I did what you are suggesting and disabled a couple that are causing false reports. Unlike the UTM, I did not see any performance improvement. Sometime ago there was a comment from a person who understands the IPS that the XG does it in a different manner to the UTM.

    Ian

  • Thanks, that's been my experience as well; I'm just not seeing any performance issues from IPS.  The "best practices" guy in me says that I should strip out irrelevant signatures because it's best to run as lean as possible, but in the absence of any documentable performance improvement I'm having a hard time justifying going through and creating a bunch of new IPS policies.

  • Hi Bill,

    The signatures are supposed to age off automatically, but that does not appear to be happening, so tuning is probably required. I am getting false positives from supposedly old signatures. I have removed one and still have another to find and disable. The worst part is the attack is using MS stuff on an Android device and previously on MacBook Pros.

    Ian