Intrusion Prevention Service (IPS) is based on signatures of network attacks. You must keep your signature database updated to secure your network from new threats. With the constant need for new signatures to detect emerging threats, you may occasionally see a false positive or false negative result.
A false positive is a legitimate application that is classified as a threat by IPS. To report a false positive, see Report an IPS False Positive.
A false negative is a real intrusion not correctly identified by IPS. If you identify an attack that was not stopped by IPS, see these following sections for troubleshooting procedures.
You can examine the IPS logs to understand which attack was identified when IPS takes an action:
Deny 1-Trusted 0-External tcp 10.0.1.2 198.51.100.2 55531 80 msg="ProxyDeny: HTTP Header IPS match" proxy_act="HTTP-Client.1" signature_id="1055396" severity="5" signature_name="WEB Cross-site Scripting -9" signature_cat="Web Attack" sig_vers="18.088" host="intext.nav-links.com" path="/util/intexteval.pl?action=startup" (HTTP-proxy-00)
In this example, the signature ID is 1055396.
You can use the EICAR test tool to confirm that IPS is enabled for the correct policy and that it can detect malware. To obtain this tool, see Eicar.org.
Inspect your Policies
IPS can be enabled on any policy. You can view IPS at a glance in the Policies section of the Intrusion Prevention configuration. You can also inspect any individual policy to confirm if IPS is enabled.
Intrusions within an HTTPS request may not be detected unless the policy for HTTPS is a proxy policy, and that HTTPS proxy policy has content inspection enabled.
Check Your IPS Exception List
If you have configured an IPS exception to bypass false positive results for an attack, in some cases legitimate examples of that attack will also be allowed. For information on how to examine and configure your exceptions, see Configure IPS Exceptions.