Rough idea required for processing overhead with system based PARs for HIPS
Without going into too much detail (I can provide sanitized details later on in this thread if required), to meet the policy assignment requirements in a current environment, along with requirements for controlled but efficient content update testing periods, we have ended up in a situation where all IPS rules policies are assigned via system-based Policy Assignment Rules. We are in the middle of deployments, and the end state will result in HIPS running on approx. 2,500 systems (IPS module only). I am aware that there is a processing overhead related to use of PARs, hence recommended restrictions when using DE/EEPC; however, I was wondering if I could get some input on possible repercussions of this configuration.
As said, I can provide further details if possible, for discussion purposes, but at present I am looking for a quick initial answer on this.
Re: Rough idea required for processing overhead with system based PARs for HIPS
I am guessing that the system-based PARs will only be evaluated if a specific change was detected - as system-based PARs are based on system tree location and tags, I am guessing a system-based PAR would only be evaluated for a system in one of the two related situations (i.e., if a system changes system tree location, or the tags related to a system change). If this is correct, then I would guess that system-based PARs are fairly low overhead (with the exception perhaps being the initial creation of the PARs)?