1) The sensor will scan the traffic going across the physical port regardless of whether it is vlan tagged or trunked. If you would like to individually identify which vlan is triggering the alert you can configure a sub interface for each vlan, but this is not required.
2) You are correct that the rule-set of the policy determines the default options for blocking. If you use the default IDS policy the sensor is doing inspection and auditing/alerting only. If you choose default IPS then the sensor has recommended for safe blocking enabled and will block high confidence attacks.
You can create your own, clone one of the defaults if you wish, or use one of the defaults as-is.
3) The 'block zone' is an overview that McAfee Labs uses to give a recommendation of what attacks should be blocked. The ruleset determines whether or not blocking is enabled by default for attacks that have the RFSB option.
Thanks for your answer. That is very helpful for me. But I am still confused. Assume that the IPS sensor doesn't block any traffic matching an attack; what about DoS/DDoS prevention? It learns automatically, and after 48 hours it changes to Detection and begins blocking traffic that is a DoS attack. So how do I know when it blocks, and how do I configure it to permit any-to-any traffic? Because I think the DoS/DDoS prevention of the McAfee IPS sensor works automatically without any configuration.
Please help me, thanks a lot. I want to make sure because I am doing an IPS PoC for my customer, but my customer's traffic is very complex, with many traffic types and many source addresses.