I am in a situation where the only threat prevention blade my gateways are running is IPS. A custom profile is being used that has had its IPS protections tweaked over many years, and I can't just abandon it and start using another profile like "Optimized".
I need to enable Anti-Bot and Anti-Virus and I want to do so with the "Optimized" profile.
I modified my threat prevention policy so that rule 1 has the "Optimized" profile and only Anti-Bot and Anti-Virus turned on. Rule 2 has only IPS turned on and is using "My Custom IPS" profile.
My thought was that traffic would hit rule 1 and go through ABOT and AV and then continue on to rule 2 for IPS, but it doesn't; it stops at rule 1, and this basically turns off IPS for me.
Is there a way I can use different profiles for different blades?
Or what if I simply alter the setting(s) of the "My Custom IPS" profile by enabling Anti-Bot and Anti-Virus for it and changing the settings to mirror the "Optimized" profile? For example, I would change the "Performance Impact" in "My Custom IPS" to "Medium or Lower" to match.
That would probably change the settings on some of my IPS protections, but at least I can go look ahead of time and see which ones may be changed when I change settings.
Are the only differences with the out-of-the-box profiles the settings such as performance impact, severity, high confidence, etc., or is there more behind the scenes that I can't see?
I have tested the above using both 80.30 and 80.40 with the same results.