I'm wondering how the modifiable IPS policies relate to the non-modifiable policies and what the recommendations are for using them. The first six seem clear enough (DMZ TO LAN, LAN TO WAN, etc.), assuming you have these standard zones set up, and I assume the policies have been written to perform security according to average traffic patterns between these zones.
However there is not much in the way of description or documentation for the other pre-defined policies: "generalpolicy", "lantowan strict policy", "lantowan general policy", and "dmzpolicy". What is the "general" policy? How do the "lantowan" policies compare to the basic "LAN to WAN" policy? And is the "dmzpolicy" like a "DMZ TO ANY" or something else? I'm assuming the lantowan "strict" simply looks for more signatures than the "general", but I'm wondering which of these is equivalent or closer to "LAN TO WAN" or what the other differences might be.
Also, what is the recommendation for troubleshooting and tweaking IPS behavior with respect to false positives? I'm most concerned with LAN-WAN traffic, which is almost exclusively initiated by LAN users, and so I assume the various lan-to-wan policies are the appropriate policies to use. However, they seem to overperform by causing legitimate traffic to be prohibited and users to receive HTTP errors. I notice this especially when communicating with servers in Amazon EC2. Is the solution to try using a modifiable lan-to-wan policy, monitor the IPS log for false positives, and then tweak the policy to disable those signature checks? Do the logs report sufficiently verbose information to do this kind of tuning?
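As an added illustration of the monitor-then-tune loop the question describes (this is not part of the original post and not any vendor's tooling), the Python below aggregates IPS drop events per signature and ranks the ones worth reviewing before a signature is disabled. The key=value log format, the signature IDs and names, the hosts and the ranking heuristic are all constructed for the example; the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges standing in for external servers. The point it shows is that a tuning decision should rest on evidence (how many hosts, how many destinations, which ports), not on a single log line.

```python
"""Triage IPS drop logs to find signatures worth reviewing for false positives.

The log format below is constructed for this example (key=value fields);
real products differ, so adapt parse_line() to your own log export.
"""
import re
from collections import defaultdict

# Constructed sample log: outbound LAN->WAN sessions handled by the IPS.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in
# for external servers; hostnames, signature IDs and names are invented.
SAMPLE_LOG = """\
2024-03-01T10:15:22Z action=drop policy=lantowan_general sig_id=4101 sig_name="HTTP Chunked Encoding Anomaly" src=192.168.1.10 dst=203.0.113.25 dport=443 proto=tcp
2024-03-01T10:15:40Z action=drop policy=lantowan_general sig_id=4101 sig_name="HTTP Chunked Encoding Anomaly" src=192.168.1.11 dst=203.0.113.25 dport=443 proto=tcp
2024-03-01T10:16:05Z action=drop policy=lantowan_general sig_id=4101 sig_name="HTTP Chunked Encoding Anomaly" src=192.168.1.31 dst=203.0.113.26 dport=443 proto=tcp
2024-03-01T10:17:12Z action=drop policy=lantowan_general sig_id=4101 sig_name="HTTP Chunked Encoding Anomaly" src=192.168.1.10 dst=203.0.113.25 dport=443 proto=tcp
2024-03-01T10:20:00Z action=drop policy=lantowan_general sig_id=7732 sig_name="Outbound Reverse Shell Pattern" src=192.168.1.77 dst=198.51.100.9 dport=4444 proto=tcp
2024-03-01T10:25:33Z action=alert policy=lantowan_general sig_id=2210 sig_name="TLS Version Downgrade" src=192.168.1.12 dst=203.0.113.25 dport=443 proto=tcp
2024-03-01T10:30:01Z action=drop policy=lantowan_general sig_id=4101 sig_name="HTTP Chunked Encoding Anomaly" src=192.168.1.12 dst=203.0.113.27 dport=80 proto=tcp
"""

# key=value pairs; values may be quoted strings containing spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict (surrounding quotes stripped)."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def summarize(log_text):
    """Aggregate events per signature: drop and alert counts, distinct internal
    sources, distinct external destinations and destination ports.  Only
    'drop' events cause user-visible breakage; alerts are counted separately."""
    summary = defaultdict(lambda: {"name": "", "drops": 0, "alerts": 0,
                                   "srcs": set(), "dsts": set(), "dports": set()})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        s = summary[ev["sig_id"]]
        s["name"] = ev["sig_name"]
        if ev["action"] == "drop":
            s["drops"] += 1
        else:
            s["alerts"] += 1
        s["srcs"].add(ev["src"])
        s["dsts"].add(ev["dst"])
        s["dports"].add(int(ev["dport"]))
    return dict(summary)


WEB_PORTS = {80, 443}


def false_positive_candidates(summary, min_drops=3, min_srcs=2):
    """Rank signatures to review before disabling them.

    Heuristic (an assumption of this example, not vendor guidance): a signature
    that blocks many sessions from several internal hosts to ordinary web ports
    is more likely to be breaking legitimate browsing than catching an attack,
    whereas a single-source drop to an unusual port deserves investigation, not
    a policy exception.  Returns (sig_id, reason) pairs, most drops first.
    """
    ranked = []
    for sig_id, s in summary.items():
        if s["drops"] < min_drops or len(s["srcs"]) < min_srcs:
            continue
        if not s["dports"] <= WEB_PORTS:
            continue
        reason = (f'{s["drops"]} drops from {len(s["srcs"])} hosts to '
                  f'{len(s["dsts"])} servers on ports {sorted(s["dports"])}')
        ranked.append((sig_id, reason))
    ranked.sort(key=lambda item: summary[item[0]]["drops"], reverse=True)
    return ranked


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for sig_id, reason in false_positive_candidates(summary):
        print(f'review sig {sig_id} "{summary[sig_id]["name"]}": {reason}')
    # Everything else stays enabled: one host to port 4444 is not a tuning problem.
```

Run against the constructed log, only signature 4101 is reported for review (5 drops from 4 hosts to 3 servers on ports 80 and 443); the single drop on port 4444 is left alone on purpose. Whatever the real product's log looks like, it needs to carry at least the signature ID, the action taken, and the source/destination tuple for this kind of evidence-based tuning to be possible, which is a reasonable test of whether its logging is "sufficiently verbose".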