Tomer_Noy
Employee

The quote regarding IPS is indeed mentioned in the SK in the "Additional Frequently Asked Questions" in a question about whether there is an IPS protection that can help mitigate attacks using this CVE.

First I want to emphasize: installing the HF or JHF that includes the CVE fix is the most important and main action item that you need to do to be protected. This will make your gateway protected from future exploit attempts using this CVE.

The IPS protection is a possible extra measure to protect gateways that were not patched with the HF/JHF. It is not required if you installed the HF/JHF with the fix. Note that this IPS protection may be triggered by attackers trying to exploit, even when they are not successful.

Also note that the IPS protection is effective when it is applied to traffic going through the gateway, not traffic going to the gateway itself. Therefore it is only relevant if there is another gateway in front of the gateway doing remote access. It was recommended to have https inspection since some of the attacks are using https encrypted traffic, while other attacks may be over http.
It's not a bad idea to have IPS and https inspection on the gateway doing remote access, but turning these on does not provide extra protection for this specific CVE.

So bottom line: install the fix via HF or JHF. If for some reason, you cannot install the fix, you can add extra protections using another gateway and IPS.

** Also note that the fix makes the gateway secure from the moment it was installed. If you suspect that the gateway was exploited before installing the fix, there are additional measures in the SK related to resetting various secrets and passwords.
