Does the IPS inspect *solicited* red traffic?

If only RED is enabled on the IPS and outgoing traffic from GREEN initiates a response from a remote site that matches an IPS rule, will the IPS still block the incoming traffic? Or does RED only filter UNsolicited inbound traffic?

As far as I understand it, the IPS should scan everything that passes through red. So depending on the payload it would/could drop packets mid-connection too.

Thanks for the reply. It sounds like you’re not sure, though. I agree it seems like it should inspect solicited incoming traffic, but I’m not certain. Hoping a dev can chime in with an authoritative answer.


Hello Tim,

Yes, it does analyse all traffic and the part that you call “solicited” is the most important part. On connections that don’t get established, there isn’t that much to investigate anyways.

For performance reasons, the IPS can switch itself off for certain connections like TLS tunnels, where there is nothing useful to be scanned any more, to save resources.