1 Reply Latest reply on Aug 25, 2015 1:30 PM by dmease729

    Rough idea required for processing overhead with system based PARs for HIPS

    dmease729

      Hi,

       

      Without going in to too much detail (I can provide sanitized details later on in this thread if required), to meet the policy assignment requirements in a current environment, along with requirements for controlled but efficient content update testing periods, we have ended up in a situation where all IPS rules policies are assigned via system-based Policy Assignment Rules.  We are in the middle of deployments, and the end state will result in HIPS running on approx. 2,500 systems (IPS module only).  I am aware that there is a processing overhead related to use of PARs, hence recommended restrictions when using DE/EEPC, however I was wondering if I could get some input on possible repercussions of this configuration.

       

      As said, I can provide further details if possible, for discussion purposes, but at present I am looking for a quick initial answer on this.

       

      Many thanks,

        • 1. Re: Rough idea required for processing overhead with system based PARs for HIPS
          dmease729

          I am guessing that the system based PARs will only be evaluated if a specific change was detected - as system based PARs are based on system tree location and tags, I am guessing a system based PAR would only be evaluated for a system in one of the two related situations (ie if a system changes system tree location, or the tags related to a system change).  If this is correct, then I would guess that system based PARs are fairly low overhead (with the exception perhaps being the initial creation of the PARs)?