Description | This article describes the IPS inspection sequence.
Scope |
Solution |
When the IPS engine compares traffic with the signatures in each filter, order matters.
- Matching works much like firewall policy matching: the engine evaluates the filters and signatures from the top of the list down and applies the first match. Once a match is found, the remaining filters are skipped.
- So, position the most likely matching filters, or signatures, at the top of the list.
- Avoid making too many filters, because this increases evaluations and CPU usage.
- Also, avoid making very large signature groups in each filter, which increase RAM usage.
In the event of a false-positive outbreak, you can add the triggered signature to the sensor as an individual signature and set its action to Monitor.
This lets you watch the signature's events in the IPS logs while you investigate the false-positive issue.
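As an added example (not taken from the article), a FortiOS IPS sensor laid out according to these rules: the individual signature being investigated is placed first so that it wins the first-match evaluation, the narrow, most frequently matching filter comes next, and the broad catch-all filter comes last. The sensor name and the signature ID 99999 are placeholders; the entry attributes shown are the standard `config ips sensor` keywords.

```fortios
# Example only: sensor name and rule ID are placeholders.
config ips sensor
    edit "inspection-order-example"
        set comment "Entries are evaluated top to bottom; first match wins."
        config entries
            # Entry 1: the single signature that produced the false positives.
            # Placed first so it matches before the broader filters below.
            # action=pass with logging enabled is the CLI form of "Monitor".
            edit 1
                set rule 99999
                set status enable
                set log enable
                set action pass
            next
            # Entry 2: a narrow filter for the traffic this sensor sees most
            # (server-side, high/critical severity), kept small to limit RAM.
            edit 2
                set location server
                set severity high critical
                set status enable
                set log enable
                set action block
            next
            # Entry 3: broad catch-all, last so it is evaluated only when
            # nothing above matched; keeping it a single entry limits CPU cost.
            edit 3
                set severity medium high critical
                set status enable
                set log enable
                set action default
            next
        end
    next
end
```

Once the false positive is resolved, remove entry 1 (or change its action) so the signature falls back to the behaviour of the filters below it.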
Copyright 2024 Fortinet, Inc. All Rights Reserved.