Without going into too much detail (I can provide sanitized details later on in this thread if required), to meet the policy assignment requirements in a current environment, along with requirements for controlled but efficient content update testing periods, we have ended up in a situation where all IPS rules policies are assigned via system-based Policy Assignment Rules. We are in the middle of deployments, and the end state will result in HIPS running on approx. 2,500 systems (IPS module only). I am aware that there is a processing overhead related to use of PARs, hence recommended restrictions when using DE/EEPC; however, I was wondering if I could get some input on possible repercussions of this configuration.
As said, I can provide further details if possible, for discussion purposes, but at present I am looking for a quick initial answer on this.
I am guessing that the system-based PARs will only be evaluated if a specific change was detected - as system-based PARs are based on system tree location and tags, I am guessing a system-based PAR would only be evaluated for a system in one of the two related situations (i.e. if a system changes system tree location, or the tags related to a system change). If this is correct, then I would guess that system-based PARs are fairly low overhead (with the exception perhaps being the initial creation of the PARs)?