IPS Policy Overview
With the optional AIP-SSM module installed in the Security Appliance, detailed deep packet
inspection is available for traffic flows assigned to the IPS policy. The Security Appliance will
take a subset of the traffic flow on the firewall and send it to the AIP-SSM module for
inspection. This grants the Security Appliance greater efficiency with packet inspections and
will cause fewer false-positives due to only having to inspect a subset of the total traffic flow
in the Security Appliance. Like the inspect command, the AIP-SSM module will inspect both
the ingress and egress traffic flows assigned to it from a normal interface, but it is restricted
to the ingress traffic flows from the global interface. Use the ips command to assign the IPS
policy to a class map:
ips {inline | promiscuous} {fail-close | fail-open}