Hello!

How to properly apply an IPS profile between internal networks? Let's say there are 50 policies between two zones and they look like this: srv1...srv5 -> srv6 and srv7 : port1 and port2. That is, there are no general rules with "all" in the destination in both server section or services section. Does this mean I have to create a suitable IPS profile and use this in all of those 50 rules (plus in hundreds of others that are between other zones)? And I can't simplify this with an additional rule having "all" because that would open traffic that I actually don't want to be open?

Another question is about IPS profile with port scanning detection. The DoS policy doesn't really work here because some servers just happen to do lots of traffic and if not now then maybe in the future. That's why I'm more interested in detecting port scanning with the IPS profile. But in this case, if I apply this profile in the before-mentioned 50 policies (and in hundreds of others) that specify ports then how does this really work? The policy allows port1 and port2 but if the port scanner avoids those two ports, the IPS profile won't detect port scanning? Just like before, I don't want to create a policy with destination:service=all:all because that would allow traffic I don't want to be allowed.

Now, if there is no such wider policy then I understand that no port scanning can actually take place because the policies are restrictive enough but in my case, the need for using a port scanning in IPS was to detect port scanning to detect possibly compromised sources, be they users or servers. Is this impossible with IPS profile then without making a unnecessarily wide rule of type all:all? Is this a fundamental limitation when using IPS? And this is so because IPS profiles can be used only on traffic policies and not like DoS policies or traffic shapers which are separated from traffic policies?