thanks for the reply - two great questions.

we have the typical MITM https inspection for outgoing traffic, but not for incoming and there is no IPS protection triggered for the pen tester's connection.  The web programmer doesn't know of anything in his code (cold fusion) or IIS that would do the 5 attempt lockout.

thank you.

Thanks - that's what i figured, but wanted to ask.  So....I imported the cert for this site, and created an inbound inspection rule to that server with me as the only source for testing.  on just the home page about ten sql injection prevents were triggered just because file names had an "or" in it.  Here's an example

The server sql-injection setting is "low" - does this seem crazy aggressive?

The "Low" in this case refers to performance impact of the protection.

Just to follow up on what Phoneboy said, the Performance Impact rating specifies how enabling that particular signature will impact SecureXL acceleration on the firewall.  Here is a rough guide taken my my IPS Immersion self-guided video series:

The Performance Impact rating specifies the level of CPU processing overhead for the gateway enforcing this protection. Gaia embedded appliances (models 1200R–1500) or smaller Check Point gateway appliances will be much more heavily impacted by High and Critical–level IPS Protections than larger gateways.

• Critical – 100% of traffic subject to inspection by this Protection is ineligible for acceleration by SecureXL and will take the slowpath (F2F) through a R80.10 or earlier gateway. (We will cover IPS performance extensively in Module 10)
• High – Traffic inspected by this Protection will be inspected ~50% in the non–accelerated slowpath (F2F) and CPASXL path, and ~50% in the partially–accelerated Medium Path (PXL).
• Medium – 100% of traffic subject to inspection by this Protection will be handled in the partially–accelerated Medium Path (PXL) on the gateway.
• Very Low/Low – Protection is fully accelerated in the fastpath by SecureXL.