As part of Host Intrusion Prevention deployment, you need to identify a small number of distinct usage profiles and create policies for them. The best way to achieve this is to set up a test deployment, then begin reducing the number of false positives and generated events. This process is called tuning.
For example, stronger IPS rules offer more signatures that target a wider range of violations, and they generate many more events than a basic environment does. If you apply advanced protection, we recommend using the IPS Protection policy to stagger the impact. This entails mapping each of the severity levels (High, Medium, Low, and Information) to a reaction (Prevent, Log, Ignore). By initially setting all severity reactions except High to Ignore, only the High severity signatures will be applied. The other levels can be raised incrementally as tuning progresses.
You can reduce the number of false positives by creating exception rules, trusted applications, and firewall rules. Exception rules are mechanisms for overriding a security policy in specific circumstances. Trusted applications are application processes that are always permissible. Firewall rules determine whether traffic is permissible, and either allow or block packet transmission.
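The staged severity-to-reaction mapping described above can be modeled offline to preview what each step of the rollout would start reporting. This is an added example, not the product's own policy format or API: the stage definitions beyond the first, the High=Prevent choice, the signature names, and the sample events are all constructed assumptions.

```python
from collections import Counter

SEVERITIES = ("High", "Medium", "Low", "Information")
REACTIONS = ("Prevent", "Log", "Ignore")

# Hypothetical rollout stages. Stage 0 is the starting point from the text
# (everything except High ignored); the High=Prevent choice and the later
# stages are assumptions for illustration.
STAGES = [
    {"High": "Prevent", "Medium": "Ignore", "Low": "Ignore", "Information": "Ignore"},
    {"High": "Prevent", "Medium": "Log", "Low": "Ignore", "Information": "Ignore"},
    {"High": "Prevent", "Medium": "Prevent", "Low": "Log", "Information": "Ignore"},
]

# Constructed sample events: (signature, severity, process). Not real signature IDs.
EVENTS = [
    ("SIG-A", "High", "winword.exe"),
    ("SIG-B", "Medium", "backup_agent.exe"),
    ("SIG-B", "Medium", "backup_agent.exe"),
    ("SIG-B", "Medium", "backup_agent.exe"),
    ("SIG-C", "Medium", "report_tool.exe"),
    ("SIG-D", "Low", "chrome.exe"),
    ("SIG-E", "Information", "svchost.exe"),
]

def validate(policy):
    """Reject a policy that misses a severity or uses an unknown reaction."""
    if set(policy) != set(SEVERITIES):
        raise ValueError("policy must map every severity level")
    bad = [r for r in policy.values() if r not in REACTIONS]
    if bad:
        raise ValueError(f"unknown reaction(s): {bad}")

def reaction_counts(policy, events):
    """How many events each reaction would handle under this policy."""
    validate(policy)
    return Counter(policy[sev] for _, sev, _ in events)

def newly_active(current, proposed, events):
    """(signature, process) pairs that start producing events when the policy
    is raised from `current` to `proposed`, with event counts. Review these
    for false positives before promoting the stage."""
    validate(current)
    validate(proposed)
    return Counter(
        (sig, proc) for sig, sev, proc in events
        if current[sev] == "Ignore" and proposed[sev] != "Ignore"
    )
```

A pair with a high count in `newly_active`, such as a backup agent repeatedly matching one signature, is a candidate for an exception rule or trusted application before the next severity level is raised.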