I've been networking since the early 80's (incl. installation of the second DEC SEAL firewall on the Internet). I'm moving from a Watchguard M370 to a Deciso DEC3842 router/firewall at my home. I was pretty comfortable with the Watchguard configuration but I currently find some of the OPNsense workflow a little confusing. I'm sure this will all pass with time. Anyway...
Searched this forum (lots of good info), but I have a simple question which I'm losing in the details...
- I chose several Rule Sets to download/enable for IPS, and
- Wrapped them in a single policy with "Action = Alert, Drop" -> "New Action = Alert"
I monitored the alerts for a while and now I want to "promote" a single rule set to "Drop" ("ET open/emerging scan")
Would it be best practice to remove that one ruleset from my "Alert" policy (priority 1) and then simply add it to a new "Drop" policy (priority 0)? I'm also guessing that a "DROP" action will also "Alert", right?
- As an alternative I see I can also click on the "Configured Action" and change it (from Alert to Drop) from an "Alert Info" dialog, would that be a preferred method (rather than creating a second policy)?
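An added illustration (not from the post and not OPNsense's or Suricata's own code) of how priority-ordered IPS policies rewrite the action of downloaded rules: it assumes lower priority numbers are evaluated first and the first matching policy wins, which is how the priority 0/1 scheme above reads. The rule lines and sids are constructed placeholders, not real ET signatures.

```python
import re

# Constructed sample of rule lines as they would sit in downloaded ruleset files
# (placeholder sids; not real ET content).
SAMPLE_RULES = {
    "emerging-scan.rules": [
        'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN sample probe"; sid:9000001; rev:1;)',
        'drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN sample brute"; sid:9000002; rev:1;)',
    ],
    "emerging-malware.rules": [
        'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE sample beacon"; sid:9000003; rev:1;)',
    ],
}

RULE_RE = re.compile(r"^(?P<action>alert|drop|pass|reject)\s+(?P<rest>.+)$")
SID_RE = re.compile(r"sid:(\d+);")

# One policy = priority, rulesets it covers, the current actions it matches,
# and the action it assigns. Matching scan ruleset first, everything else -> alert.
POLICIES_SPLIT = [
    {"priority": 0, "rulesets": {"emerging-scan.rules"}, "match": {"alert", "drop"}, "new_action": "drop"},
    {"priority": 1, "rulesets": {"emerging-malware.rules"}, "match": {"alert", "drop"}, "new_action": "alert"},
]

# Same, but the scan ruleset is left in the priority-1 alert policy as well,
# to show which policy decides under the first-match assumption.
POLICIES_OVERLAP = [
    {"priority": 0, "rulesets": {"emerging-scan.rules"}, "match": {"alert", "drop"}, "new_action": "drop"},
    {"priority": 1, "rulesets": {"emerging-scan.rules", "emerging-malware.rules"},
     "match": {"alert", "drop"}, "new_action": "alert"},
]


def apply_policies(rules_by_file, policies):
    """Return {sid: effective action}. Assumption: policies are tried in ascending
    priority and the first one whose ruleset and action filter match decides; a rule
    no policy matches keeps the action written in the rule file."""
    ordered = sorted(policies, key=lambda p: p["priority"])
    result = {}
    for fname, lines in rules_by_file.items():
        for line in lines:
            m = RULE_RE.match(line)
            if not m:
                continue  # comment or malformed line
            action = m.group("action")
            sid = int(SID_RE.search(line).group(1))
            for pol in ordered:
                if fname in pol["rulesets"] and action in pol["match"]:
                    action = pol["new_action"]
                    break
            result[sid] = action
    return result
```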