I am interested in how people use IPS in R80.10. In R77.30 we would go through the flagged list then set the relevant protections to detect for 7 days – we would then clear down the flags for the ones we do not set. We would then review the logs to make sure there is no impact to legitimate site traffic (we have a customer facing SAAS platform) then we would set the flagged detects to protect and push policy. We would then repeat the cycle over a two week period.
In R80.10 I am thinking I would need to do the following to emulate this:-
- Set activation mode to Detect on high and medium confidence
- Set Activate IPS protections according to the following additional properties and select the vendors we want.
- Set newly update protections to activation detect in Staging
- Download the IPS update and push policy
- Review the logs filtered to staging protections after 7 days
- Set any that are affecting legitimate traffic to inactive (or add an exception)
- Set the rest to Prevent and push policy.
Repeat steps 4 -7
What do other people do?