Yes, avoid the IPS signature Network Quota, as that will kill practically all SecureXL acceleration in the firewall.
SecureXL penalty box only applies to hosts with an excessive drop/block rate, so it won't apply to accepted HTTP/HTTPS connections to your websites.
The fw samp command can establish various quotas for accepted traffic that are efficiently enforced by SecureXL; I'd suggest a new-conn-rate quota combined with "track source". Check out sk112454: How to configure Rate Limiting rules for DoS Mitigation.
Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones