Too Many Signatures Enabled

Recently I had a funny e-mail correspondence with the ISS support centre. The problem was that one of our Proventia GX IPS devices suddenly stopped passing traffic through it. This was strange, to say the least, because that IPS is supposed to be fail-open (i.e. to pass traffic through when it fails). I ran Provinfo (a special script that collects information about the device's configuration and recent logs, meant to help support engineers figure out what the problem was) and sent the resulting archive...

... and received an answer: "I took a closer look at your ProvInfo and noticed that you have too many signatures enabled. I am afraid you will have to tune your policy.

At this moment, when you have a lot of traffic, the Proventia G will just be overwhelmed because it needs to check for too many signatures, attack and audit".

Well, this proposal sounds so strange to me that I can't even find the right words to comment on it. In addition, it should be mentioned that Proventia has something called 'software bypass', which allows it to pass traffic through without analysis under high load, and this cannot cause the device to go down.

Сергей Солдатов

REPLY-TO-ALL is a bilingual blog (English/Russian) run by three information security practitioners. Want to discuss information security problems? This is the place.