Create a Post
Showing results for 
Search instead for 
Did you mean: 

IPS false positives/negative

How can we prevent false positives and false negatives from occurring? We are usually creating exceptions but that is the reactive measure. Can anyone help me understand the preventive measure here?

What are the configuration and steps required here?

Thanks in advance 🙂

0 Kudos
2 Replies

This is the sad truth of all the wonderful Security Tooling we have: False Positives and False Negatives, due to the dynamic threat landscape, it is a continuous process of evaluating logs and act accordingly.

From my own experience: implement the best-practice policy (for CP is the Optimized) and use a period to monitor the alerts on a daily basis that are generated (Prevent and Detect) and use Exception as narrow as possible (specific scope and protections). After sometime the monitoring less false positives will occur. Also implement like a recurrent NGFW review to see which exceptions are not hit anymore.

0 Kudos

This is one of the goals of Infinity Threat Prevention (available from R81): threat prevention with minimal tuning required.
That said, false positives do occur and, unfortunately, have to be handled in a reactive manner.
False negatives generally mean existing protections and/or protection mechanisms need to be improved.
Appropriate segmentation and access policies go a long way here.

0 Kudos


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events