Troubleshoot Intrusion Prevention System

What are my IPS policy options?

Every onboarded device is automatically associated with a CDO-provided IPS policy called "Default Overrides". CDO generates a new IPS policy for every FDM-managed device, so there may be multiple policies with this name. If you want to use the default IPS policy but modify the signature override options, see Firepower Intrusion Policy Signature Overrides for more information. Note that configuring different signature overrides per device may cause the default overrides policy to become inconsistent.

How do I have a different IPS policy for every device?

CDO generates a new IPS policy for every FDM-managed device, so there may be multiple policies with this name. You do not have to rename the CDO-provided IPS policy after each device is onboarded. Expanding the policy displays the devices that are associated with it, and you can also filter the threat events page and the signature overrides page per device or policy. To customize the default overrides policy, configure signature overrides per device. This will cause the default overrides intrusion policy to become inconsistent, but this does not inhibit any functionality.

I onboarded a device that has an override configured from FDM.

Overrides that are configured outside of CDO do not pose an issue to device configuration or functionality.

If you onboard a device that has an override already configured, and this new device shares an IPS policy with a device that does not have an override, the IPS policy will be displayed as inconsistent. See Step 3 in Firepower Intrusion Policy Signature Overrides to address inconsistencies.