
Ongoing IPS Maintenance Tuning

In This Section:

Overview

General Recommendations

IPS Management Tips

Configuring Individual Protections

Overview

After the initial IPS installation is configured, most protections run in Prevent mode and a few remain in Detect mode for further analysis. New threats continue to emerge, and the internal network changes as new applications, services and protocols are introduced, so the IPS logs must be analyzed regularly to keep the policy tuned.

We recommend that you run an IPS analysis twice a month and review IPS updates for new attacks and other issues.

Analyzing New Protections

We recommend that you deploy new Protections in Detect mode. As you did when you performed the initial installation, run an analysis on the new protections and determine if they can run in Prevent mode.

Running Maintenance on Existing Protections

Run an analysis on the logs that are generated by the IPS protections.

Protections in Prevent Mode

Confirm that most of the events come from malicious traffic. Analyze the events by source IP address, URL and packet capture.

If events are generated by legitimate traffic:

  1. Try to identify the pattern and create an exception for the traffic.
  2. If you cannot identify the pattern, configure the protection to Detect mode.

    Note - If this protection generates a small number of logs, we recommend that you continue to run it in Prevent mode.

Protections in Detect Mode

Check whether legitimate traffic is still generating events for the protection.

If legitimate traffic no longer generates events, change the protection to Prevent mode.
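
The two procedures above (Prevent-mode and Detect-mode protections) as a worked example that applies the decision rules to a log export and prints one recommendation per protection. This is an added example, not code from Check Point or from this guide: the CSV columns, the sample events, the list of trusted internal networks and the cut-off of five logs for "a small number" are all assumptions of the example, not part of the product.

```python
"""Per-protection triage of an IPS log export, following the maintenance
procedure above. Added example, not Check Point code; the CSV schema, the
trusted networks and the low-volume threshold are assumptions."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export (hypothetical schema, not Check Point's log format).
# 'action' records the mode the protection was running in (Prevent or Detect).
SAMPLE_LOG = """\
time,protection,action,src,dst,resource
2024-03-01T09:00:01,SQL Injection,Prevent,203.0.113.7,10.0.0.5,/login.php
2024-03-01T09:00:09,SQL Injection,Prevent,198.51.100.23,10.0.0.5,/search.php
2024-03-01T09:01:30,SQL Injection,Prevent,203.0.113.9,10.0.0.5,/login.php
2024-03-01T09:02:00,Suspicious HTTP Header,Prevent,10.0.5.20,10.0.0.5,/
2024-03-01T09:02:01,Suspicious HTTP Header,Prevent,10.0.5.20,10.0.0.6,/
2024-03-01T09:02:02,Suspicious HTTP Header,Prevent,10.0.5.20,10.0.0.7,/
2024-03-01T09:03:00,Suspicious HTTP Header,Prevent,203.0.113.7,10.0.0.5,/
2024-03-01T09:04:00,Non-compliant DNS,Prevent,10.1.1.10,10.0.0.53,ns1
2024-03-01T09:04:01,Non-compliant DNS,Prevent,10.2.3.4,10.0.0.53,ns2
2024-03-01T09:04:02,Non-compliant DNS,Prevent,10.7.8.9,10.0.0.54,ns3
2024-03-01T09:04:03,Non-compliant DNS,Prevent,192.168.4.4,10.0.0.53,ns4
2024-03-01T09:04:04,Non-compliant DNS,Prevent,192.168.9.2,10.0.0.54,ns5
2024-03-01T09:04:05,Non-compliant DNS,Prevent,10.9.9.9,10.0.0.53,ns6
2024-03-01T09:05:00,Legacy Protocol Anomaly,Prevent,10.3.3.3,10.0.0.8,-
2024-03-01T09:05:01,Legacy Protocol Anomaly,Prevent,192.168.1.1,10.0.0.9,-
2024-03-01T09:06:00,Brute Force Login,Detect,203.0.113.50,10.0.0.5,/login.php
2024-03-01T09:06:01,Brute Force Login,Detect,203.0.113.50,10.0.0.5,/login.php
2024-03-01T09:07:00,HTTP Method Anomaly,Detect,10.4.4.4,10.0.0.5,/api
"""

# Analyst-supplied assumption: sources inside these ranges are legitimate traffic.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]
# Assumed cut-off for "a small number of logs" (the guide gives no figure).
LOW_VOLUME = 5


def parse_log(text):
    """Read the CSV export into a list of event dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def is_legitimate(src):
    """True when the source IP address lies inside a trusted network."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in TRUSTED_NETS)


def find_pattern(events):
    """Look for a pattern in the legitimate events that an exception could
    target: one source host, one source /24, or one destination plus resource."""
    srcs = {e["src"] for e in events}
    if len(srcs) == 1:
        return "source " + srcs.pop()
    nets = {str(ipaddress.ip_network(e["src"] + "/24", strict=False)) for e in events}
    if len(nets) == 1:
        return "source network " + nets.pop()
    targets = {(e["dst"], e["resource"]) for e in events}
    if len(targets) == 1:
        dst, res = targets.pop()
        return "destination %s resource %s" % (dst, res)
    return None


def triage(events):
    """Return {protection: (recommendation, exception pattern or None)}."""
    by_prot = defaultdict(list)
    for e in events:
        by_prot[e["protection"]].append(e)
    decisions = {}
    for prot, evs in by_prot.items():
        mode = evs[0]["action"]  # assumed constant per protection in the window
        legit = [e for e in evs if is_legitimate(e["src"])]
        if mode == "Prevent":
            if not legit:
                # Only malicious traffic: nothing to tune.
                decisions[prot] = ("keep Prevent", None)
                continue
            pattern = find_pattern(legit)
            if pattern:
                # Step 1: identifiable pattern -> create an exception.
                decisions[prot] = ("add exception", pattern)
            elif len(evs) <= LOW_VOLUME:
                # Note: low volume -> keep Prevent despite the false positives.
                decisions[prot] = ("keep Prevent", None)
            else:
                # Step 2: no pattern, many false positives -> Detect.
                decisions[prot] = ("switch to Detect", None)
        else:
            # Detect mode: promote only when legitimate traffic no longer hits.
            if legit:
                decisions[prot] = ("stay in Detect", None)
            else:
                decisions[prot] = ("switch to Prevent", None)
    return decisions


if __name__ == "__main__":
    for prot, (rec, detail) in sorted(triage(parse_log(SAMPLE_LOG)).items()):
        print("%-25s %-18s %s" % (prot, rec, detail or ""))
```

Run it as a script to print one recommendation per protection; replace SAMPLE_LOG with a real export in the same column layout and set TRUSTED_NETS to the networks whose traffic the analyst has verified as legitimate. The pattern search is deliberately coarse: review the packet captures before creating an exception, and treat a protection that fires only on trusted sources as a possible sign of a misbehaving internal host rather than an automatic candidate for an exception.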