Bidirectional rules in Access Control Policy needed?

CSR XRV
Level 1

Hi,

For an inline deployment, for example if we have an inline set with one interface in zone "internal" and another interface in zone "external", do we need bidirectional rules in the Access Control Policy, as follows, in order for the Intrusion policy to function properly? Basically the Access Control rule will allow everything and only use the Intrusion policy to detect network intrusion attempts.

Standard Rules:

1. (Source Zones: internal) (Destination Zones: external)
2. (Source Zones: external) (Destination Zones: internal)

Any hints will be appreciated, thanks.

4 Replies

Dennis Perto
Level 5

Hi

You do not need additional rules.

You always have a "Default action" at the bottom of the access control policy. This rule is hit if none of the rules above it apply to the traffic.

Hi, thanks for the reply. My understanding is that since we are using a single access control policy for multiple 3D appliances in inline deployments in different data centers, each of these IPSs is also inspecting a different type of traffic, for example MPLS WAN traffic, VPN traffic (intercepted at the point after decryption), and also an Internet-facing DMZ.

Since these different traffic types will have different definitions of HOME_NET and EXTERNAL_NET, the setup is to use a different variable set for each intercept point for higher accuracy, due to the fact that some of the Snort rules are written to utilize the variable set for detection.

My question is: for example, if we have a rule inspecting the zone pair "internal" and "external", and it only inspects a single direction, like source zone "internal" and destination zone "external", then if there is an intrusion event from "external" to "internal", will it still be picked up by the default action? Currently we are using the same intrusion policy as the other rules.

If I was told to do this setup in a single Access Control Policy, I would make sure to have the appropriate security zones set up, to differentiate per access rule which Variable Set is used.

The Default Action has its own Variable Set, so these "generic" variables will not fit your needs for the zoning. I would recommend that you have both "Internal" to "External" and "External" to "Internal" rules set up, with the correct Variable Sets. :)
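The ordering behaviour behind this answer (rules are evaluated top-down, and any zone pair no rule covers lands on the Default Action, which carries its own Variable Set) can be checked with a small model. The following is an added example written for this page, not Cisco's implementation or any code from the thread; the zone names, rule names, intrusion policy name and variable set names are constructed, and the model only reproduces first-match evaluation with a fallthrough to the Default Action.

```python
"""Toy model of first-match Access Control Policy evaluation.

Added example for this thread, not Cisco's implementation. It only models
the behaviour discussed above: rules are checked top-down, and unmatched
traffic hits the Default Action, which has its own (generic) Variable Set.
All names below are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessRule:
    name: str
    src_zones: frozenset
    dst_zones: frozenset
    intrusion_policy: str
    variable_set: str


@dataclass(frozen=True)
class DefaultAction:
    intrusion_policy: Optional[str]
    variable_set: str  # the Default Action's own generic Variable Set


@dataclass
class AccessControlPolicy:
    rules: list
    default: DefaultAction

    def evaluate(self, src_zone: str, dst_zone: str) -> dict:
        """First matching rule wins; anything unmatched goes to the Default Action."""
        for rule in self.rules:
            if src_zone in rule.src_zones and dst_zone in rule.dst_zones:
                return {
                    "hit": rule.name,
                    "intrusion_policy": rule.intrusion_policy,
                    "variable_set": rule.variable_set,
                }
        return {
            "hit": "Default Action",
            "intrusion_policy": self.default.intrusion_policy,
            "variable_set": self.default.variable_set,
        }


def default_action_pairs(policy: AccessControlPolicy, zone_pairs: list) -> list:
    """Zone pairs that no explicit rule covers, i.e. that inherit the generic Variable Set."""
    return [pair for pair in zone_pairs if policy.evaluate(*pair)["hit"] == "Default Action"]


def rule(name: str, src: str, dst: str, variable_set: str) -> AccessRule:
    # Constructed intrusion policy name; every rule here uses the same one, as in the thread.
    return AccessRule(name, frozenset({src}), frozenset({dst}), "Balanced Security", variable_set)


# Constructed Default Action: same intrusion policy, but the generic variable set.
DEFAULT = DefaultAction(intrusion_policy="Balanced Security", variable_set="Default-Set")

# Single direction, as in the original question.
ONE_WAY = AccessControlPolicy([rule("dc1-out", "internal", "external", "DC1-VarSet")], DEFAULT)

# Both directions with the site-specific variable set, as recommended in the reply.
TWO_WAY = AccessControlPolicy(
    [
        rule("dc1-out", "internal", "external", "DC1-VarSet"),
        rule("dc1-in", "external", "internal", "DC1-VarSet"),
    ],
    DEFAULT,
)

# Constructed zone pairs representing traffic through the inline set in each direction.
PAIRS = [("internal", "external"), ("external", "internal")]

if __name__ == "__main__":
    for label, policy in (("one-way", ONE_WAY), ("two-way", TWO_WAY)):
        for src, dst in PAIRS:
            print(label, src, "->", dst, policy.evaluate(src, dst))
        print(label, "falls to Default Action:", default_action_pairs(policy, PAIRS))
```

With the one-way policy, "external" to "internal" traffic is still inspected, but under the Default Action's generic Variable Set rather than the site-specific one; with both rules present, both directions get the intended Variable Set. `default_action_pairs` is the check to run against the zone pairs each inline set actually carries before trusting the Snort rules that depend on HOME_NET and EXTERNAL_NET.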

Appreciate your input, thanks!
