Our Host IPS (applications) catalog is jammed with thousands of multiple duplicate applications. This was apparently caused by our IPS policy being in Adaptive Mode for 2 years. (Don't blame me, this was set up by a contractor.) So now, we only use the Firewall, and have the IPS policy options off. However, when we do want to look at the applications in the IPS catalog for vetting a trusted application, it takes over 5 minutes before we can resolve the search.
It would be nice if we could thin this out, but you can only delete one entry at a time, and every time you do it, the search tries to resolve again and it takes another 5 minutes.
I am thinking a way to clean this out might be similar to cleaning out the Firewall rules. In that policy we uncheck Retain Existing client rules, while also making sure the policy is not in adaptive mode. This clears out the database of all entries from systems that check in to this policy.
So possibly a similar strategy might work with HIPS, but unlike the Firewall, we don't currently have an effective HIPS policy to enforce. So, I'm thinking we would have to enable the policy by checking Host IPS Enabled, make sure Adaptive mode enabled is not checked, and Retain blocked hosts is not checked. I would then have the challenge of making this policy transparent to users, and not actually blocking anything.
Feedback anyone? Would this even work? Is there any other way to do it?
Thanks. That did the trick. Not only for the HOST IPS catalog but also for accumulated Firewall client rules. Once again the forum solves my issue.