I am currently just trying to determine the best way to baseline the NSP while using it as an inline IPS. The desired outcome is to be able to baseline an inline IPS policy, but have blocking disabled globally, so that the actions are recorded but no blocking actually occurs until set to "Blocking" mode after a soak and configuration period.
Other products I have experience with have the option to utilize an IPS policy (with blocking enabled on signatures) but put it in a learning mode globally so that the blocks do not apply (however, in the logs it will show that it would have been blocked if enabled).
I have only found a learning mode for the DOS portion of the NSP.
So far with the McAfee device I have only found the following way to semi-accomplish this behaviour:
1 - Create two duplicate policies, disable the blocking actions on one. Use this policy for your baseline period to ensure the IPS does not negatively impact the environment. Mirror any changes to this policy with the other duplicate that has blocking enabled. Once the baseline has been completed then switch over to the policy with blocking enabled. This would not be my ideal solution.
Is there a better way to accomplish this outcome?
You can do as you say, or else apply the default inline IDS policy, which won't block anything, and then move to the default inline IPS policy.
Another solution would be either to use the sensors in TAP mode with a default inline IPS policy, where the attacks would be blocked but the traffic won't be affected as you are using taps, or you could use the sensors in SPAN mode with a default inline IPS policy, and once you are happy with the configuration of the policies move the sensors in inline mode.
Also, on version 7 you have the command 'set ipssimulation (enable|disable)', which allows you to put the sensor in simulation mode, so you could use a default inline IPS policy in simulation mode where nothing would be blocked either.