Traffic to the box is pretty locked down by default. Just verify that you haven't opened up the management interface to the public Internet.
Traffic through the box is controlled by the various policies. If you have any inbound policies (allowing traffic to systems you host) then make sure they have an associated IPS policy. If you are allowing traffic inbound to servers using SSL/TLS then decrypt with the known key so that Firepower can do its job inspecting the plaintext traffic. Finally, set your FMC to periodically check for and apply Firepower recommendations based on the passively observed traffic it sees.