cmberry
New Member
April 14, 2011
Question

All_default or protect_client

  • April 14, 2011
  • 2 replies
  • 3707 views
I have been running my firewall using the predefined "all_default" IPS setting for a long time. I was wondering, if someone just wants to use one of the predefined sensors, does all_default or protect_client offer more protection out of the box? I'm trying to protect employee workstations, not web servers or ftp servers. Thanks in advance!

    2 replies

    abelio
    SuperUser
    April 14, 2011
    Hello, I would recommend spending a couple of hours determining exactly what you need from the IPS engine, doing a map of services, machines, network location etc. After that, define your own IPS-specific sensors to cover your needs, log everything and re-check, let's say, weekly. Adjust your sensors, eliminating false positives, etc. Reward for all this job:
    - FTG's resources saving
    - better logs
    - better signal/noise ratio to understand your particular network traffic
    regards
    cmberry (Author)
    New Member
    April 19, 2011
    Thanks for the response. But for the people who don't have the time or the know-how to set up custom rules as you suggest, is there a recommendation of either of these predefined?
    ede_pfau
    SuperUser
    April 19, 2011
    my 2 cents... I've never liked the idea of predefined IPS rule sets. You never know what the FGT will be checking or not checking until you look up the predefined rule. In the same amount of time I can create a new rule, put in all signatures for traffic I allow (which mainly is http, ssh, mail) which are marked "client" and let go. IPS is very powerful and often the only means to stop nasty intruders. I've never known that so many websites try to do a HTTP SQL.Injection until I put in the IPS signature for it (OK, some false positives but enough real ones left). But the price for it is that you get a bit closer to it and at least set up your own list. You may reduce the signatures at any time afterwards. Just putting in the predefined list and never looking at the logs afterwards will not do the job, even if hardware is a non-issue for you. The other idea is to rely on Application Control, which more or less is a super-set of IPS wrapped around rules. Fortinet has put some experience into the AppCtrl so that you don't have to know the low-level details of the protocol. Try it out and see how easy it is and yet very effective.
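    As an added example (not from the thread's posters or from Fortinet), this is what a custom sensor of the kind ede_pfau describes looks like in the FortiOS CLI: only signatures whose target is the client side of the protocols the workstations are allowed to use, blocking and logging so the logs can be reviewed and the list trimmed later. It assumes the "config entries" syntax of FortiOS 5.x and later (the 2011-era CLI used "config filter"), and the sensor name, policy id and comment text are placeholders.

```fortios
# Added example, not the original thread's or Fortinet's own configuration.
# Assumes FortiOS 5.x-or-later CLI syntax; names and ids are placeholders.
config ips sensor
    edit "workstation_client"
        set comment "Client-side signatures for allowed outbound traffic"
        config entries
            edit 1
                # Match only signatures aimed at the client (the workstation),
                # not the server side of the same protocols.
                set location client
                # The traffic the poster allows out: web, ssh and mail.
                set protocol HTTP SSH SMTP POP3 IMAP
                set status enable
                # Block, and log every hit so the weekly review has data
                # to prune false positives from.
                set action block
                set log enable
            next
        end
    next
end

# Attach the sensor to the outbound policy for the workstation subnet
# (policy id 10 is a placeholder for the real policy number).
config firewall policy
    edit 10
        set utm-status enable
        set ips-sensor "workstation_client"
    next
end
```

    Because only client-location signatures are selected, server-side signatures (web or ftp server attacks the poster does not need) are not loaded for this policy, which is the resource and signal/noise point abelio raises above.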
    cmberry (Author)
    New Member
    May 5, 2011
    Thank you for the detailed feedback. More to do and learn every day.