Moved provisionally to Next Generation Firewall for hopefully a faster response.
If I understood correctly, you wish to use 1065 appliance in layer 2 IPS role using it as IDS that is not inline in the traffic path (Stonesoft Next Generation Firewall Online Help). If appliance is currently installed as firewall, you'll need to do factory defaults reset so you can then select IPS role for the appliance when you reconfigure it. But before doing that verify that you have NGF-1065 appliance and not FWL-1065 as latter one will only allow running appliance in FW/VPN (L3) role. You can check this e.g. on License Center (McAfee | License Center) by using appliance POS code to login, and then checking whether appliance details talk about NGF 1065 or FWL 1065.
If appliance is NGF model, that supports all 3 roles (FW/VPN, IPS and L2FW), then you can do the factory defaults reset:
And reconfigure appliance in IPS role:
Hi Tero, thanks for reply. We do not want to use as an IPS, just need IDS functionality. The NGF needs to be L3, we was advised by a consultant we could "run IDS in L3 mode by simply enabling it". i cant find any option to do this, i am wondering if this is implicitly enabled by defining all rules with an inspection policy, would this in effect make it operate as an IDS? we could then at least monitor traffic flows from an IDS perspective?
an IDS means the device is not inline, and is attached to a TAP/SPAN interface so all traffic is mirrored by switch to particular interface on the NGFW. This requires configuring a Capture Interface on the NGFW, and that is only possible in IPS and L2FW roles.
Maybe by "run IDS in L3 mode by simply enabling it" they meant you can inspect traffic like and IDS/IPS in L3FW role too by just enabling deep inspection in the access rule. If by enabling IDS you mean you simple want to inspect some traffic, then enable Deep Inspection in the matching access rule (in Allow options). Then inspection is done as defined in the selected inspection policy, I'd recommend starting with e.g. the Medium-Security Inspection template and modifying it if needed.
Note that license defines what protocols may be inspected. NGF-1065 license mentioned by Tero can inspect all protocols also in L3FW role. FWL-1065 license only allows inspecting HTTP, HTTPS, SMTP, IMAP, POP3 and SIP (unless you had bought the full inspection feature pack).