IBM Support

Difference between Allow and Ignore in the IPS Event Filter Policy on QRadar Network Security

Question & Answer


Question

What is the difference between the Allow and Ignore actions in the IPS Event Filter Policy on the QRadar Network Security (XGS) appliance?

Answer

The IPS event filters create a per-signature exception to the way a signature is configured in the Intrusion Prevention Policy, scoped to the traffic that the filter rule matches.

For example, if a signature is enabled and configured to block in an Intrusion Prevention Policy, and you no longer want traffic between a specific source and destination to trigger on that signature, use the Ignore action. Ignore instructs the analysis engine neither to create an event nor to perform the block action for that traffic; the match is silent and leaves no record.

The Allow action behaves like Ignore in that the traffic is not blocked; however, an event is still created. Use Allow when you still want to monitor whether the traffic matches the signature (for example, to keep visibility in SiteProtector or your SIEM) but you do not want the traffic blocked. Note that in both cases the exception only affects traffic matched by the filter rule; the signature keeps its configured action for all other traffic.
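To make the three outcomes concrete, the following is a small simulation added here; it is not XGS code and does not reproduce the appliance's rule-matching engine. It assumes a hypothetical policy map of signature name to its configured action ("Block" or "Alert"), filter rules scoped by signature plus source and destination CIDR, and first-matching-rule-wins ordering, all of which are assumptions for illustration.

```python
"""Illustrative model of IPS Event Filter semantics (Allow vs Ignore).

Hypothetical simulation only; the policy format, rule matching and
first-match ordering are assumptions made for this example, not a
description of the QRadar Network Security (XGS) engine.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass(frozen=True)
class Outcome:
    event: bool   # was an IPS event generated?
    block: bool   # was the traffic dropped?


@dataclass(frozen=True)
class FilterRule:
    signature: str
    action: str                   # "Allow" or "Ignore"
    source: str = "0.0.0.0/0"     # CIDR of permitted sources (assumed format)
    destination: str = "0.0.0.0/0"

    def matches(self, signature: str, src: str, dst: str) -> bool:
        """A rule applies only to the named signature and to flows whose
        endpoints fall inside the rule's source/destination ranges."""
        return (self.signature == signature
                and ip_address(src) in ip_network(self.source)
                and ip_address(dst) in ip_network(self.destination))


def evaluate(policy: Dict[str, str], filters: List[FilterRule],
             signature: str, src: str, dst: str) -> Outcome:
    """Decide what happens to a flow that matched `signature`.

    policy: signature -> "Block" or "Alert" (hypothetical labels); a
    signature absent from the policy is treated as disabled.
    """
    base_action = policy.get(signature)
    if base_action is None:
        return Outcome(event=False, block=False)        # signature disabled
    for rule in filters:                                # first match wins (assumed)
        if not rule.matches(signature, src, dst):
            continue
        if rule.action == "Ignore":
            return Outcome(event=False, block=False)    # silent: no event, no block
        if rule.action == "Allow":
            return Outcome(event=True, block=False)     # visible: event, but no block
        raise ValueError(f"unknown filter action {rule.action!r}")
    # No exception applies: the signature's configured action stands.
    return Outcome(event=True, block=(base_action == "Block"))


# Constructed sample policy and filters (not real signature names).
POLICY = {"HTTP_Example_Overflow": "Block", "DNS_Example_Probe": "Alert"}
FILTERS = [
    # Scanner host may probe the web tier silently.
    FilterRule("HTTP_Example_Overflow", "Ignore", "10.0.5.10/32", "10.0.1.0/24"),
    # Partner range keeps tripping the signature: stop blocking, keep the event.
    FilterRule("HTTP_Example_Overflow", "Allow", "192.0.2.0/24", "10.0.1.0/24"),
]


def scenarios() -> Dict[str, Outcome]:
    """Run the three cases the article describes against the sample data."""
    return {
        "no_filter": evaluate(POLICY, FILTERS, "HTTP_Example_Overflow",
                              "203.0.113.7", "10.0.1.20"),
        "ignore":    evaluate(POLICY, FILTERS, "HTTP_Example_Overflow",
                              "10.0.5.10", "10.0.1.20"),
        "allow":     evaluate(POLICY, FILTERS, "HTTP_Example_Overflow",
                              "192.0.2.44", "10.0.1.20"),
        # Same scanner host, but a destination outside the rule's scope.
        "out_of_scope": evaluate(POLICY, FILTERS, "HTTP_Example_Overflow",
                                 "10.0.5.10", "10.0.9.1"),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:13s} event={outcome.event!s:5s} block={outcome.block}")
```

The "out_of_scope" case is the check worth keeping in mind when writing a filter rule: an exception narrowed to a source and destination does nothing for the same host talking to a different destination, so the block action still applies there.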

For more information on the IPS Event Filter Policy, see the IPS Event Filter policy documentation on IBM Knowledge Center.

Applies to:
IBM QRadar Network Security, version 5.4 (Intrusion Prevention Module (IPM), Firmware)
IBM Security Network Protection, versions 5.3.2 and 5.3.3 (Intrusion Prevention Module (IPM), Firmware)

Document Information

Modified date:
24 January 2021

UID

swg21962048