For best system performance, TippingPoint recommends that you use Global Category Settings and the "Recommended" action set for all DV filters. Adjusting a whole category action set does not count toward the Filter Override count, because category-based action sets are handled differently from filter-based action sets.
However, in some cases you may need to override individual filters due to specific network requirements. In that case, the best practice is to configure the IPS with the fewest filter overrides possible.
For example, if you wanted every Vulnerability filter configured to Block + Notify except for 5 that needed to be set to "Recommended", it would be much better practice to change the Vulnerabilities category setting to Block + Notify and override five filters to "Recommended" rather than override over 1000 filters to Block + Notify. It is important to note that filter overrides are specific to each network port and direction.
In other words, if you distribute a profile with filter overrides, you are multiplying the number of filter overrides by the number of network ports and by the number of directions you are distributing to. For example, if you distribute a security profile with 1,000 filter overrides to an IPS with 8 network ports in both directions, the total number of filter overrides on the device will be 16,000.
Note 1: Once a filter has been customized, it is not affected by the global Category Settings that specify the filter State and Action.
Note 2: Profiles that are stored on the IPS, even if they are not actively being used, count towards the Filter Override limit. This is because the filter table is a global table for the entire device. All filter overrides from all profiles on the device are combined into this table and used globally for traffic triggering. The recommendation is to remove any unused profiles from the IPS, tune the profile where possible, and then attempt distribution again.
Note 3: Often, these errors come with isValid errors in the logs. Clear those prior to working through workarounds for the override limits.
Workaround Filter Overrides
- Use Category settings as much as possible. When changes are required, make large-scale changes at the Category level, then fine-tune with filter-based overrides.
- Policies with multiple overrides should only be sent to ONE segment. If any segments in your IPS are not in use, create a segment group (e.g. "unused segments") and add the unused segments into this group. This way when you distribute a profile to the device you can push it only to the segments that are being used, reducing the total number of filter overrides.
- Use the compare feature of the SMS to identify profiles that are similar and combine them to reduce the overall number of profiles and overrides. This will also make profile updates simpler in the future.
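
The arithmetic behind the first two workarounds, as an added planning sketch (not TippingPoint or SMS code): it picks the category-level action that leaves the fewest filters to override, then applies the overrides x ports x directions multiplication described above. The filter ids, function names, and the figure of 4 in-use ports are constructed for illustration.

```python
from collections import Counter

DIRECTIONS = 2  # overrides are specific to each network port and direction

def plan_category(desired):
    """desired maps filter id -> wanted action set for one category.
    Returns (category_action, overrides): the category-level action that leaves
    the fewest filters to override, and the filters that still need an override."""
    category_action = Counter(desired.values()).most_common(1)[0][0]
    overrides = {fid: act for fid, act in desired.items() if act != category_action}
    return category_action, overrides

def device_total(override_count, ports, directions=DIRECTIONS):
    """Override entries on the device: overrides x ports x directions."""
    return override_count * ports * directions

def compare(desired, current_category, ports_all, ports_in_use):
    """Contrast overriding every filter that differs from the current category
    action against changing the category first, then distributing only to the
    ports that are in use."""
    naive = sum(1 for act in desired.values() if act != current_category)
    category_action, overrides = plan_category(desired)
    return {
        "category_action": category_action,
        "override_filters": sorted(overrides),
        "naive_total": device_total(naive, ports_all),
        "planned_total_all_ports": device_total(len(overrides), ports_all),
        "planned_total_used_ports": device_total(len(overrides), ports_in_use),
    }

def sample_desired():
    # Constructed data: 1,005 made-up filter ids, 5 of which stay "Recommended".
    desired = {f"F{n:04d}": "Block + Notify" for n in range(1, 1006)}
    for fid in ("F0010", "F0200", "F0450", "F0700", "F1001"):
        desired[fid] = "Recommended"
    return desired

if __name__ == "__main__":
    # Assumed device: 8 network ports, 4 of them in use.
    for key, value in compare(sample_desired(), "Recommended", 8, 4).items():
        print(f"{key}: {value}")
```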