Firepower portscan detection tuning

v.kolosov
Level 1

I have an ASA with a Firepower module controlled by Firepower Management Center. The ASA protects some network segments from the rest of the WAN. I have enabled the signatures PSNG_TCP_PORTSCAN and PSNG_TCP_PORTSWEEP. Portscan Detection Sensitivity Level is Low (or Medium).
I get hundreds of PSNG_TCP_PORTSCAN (122:1:1) events where my hosts try to establish 5 connections to different ports with no result:
Priority Count: 5
Connection Count: 5
IP Count: 1
Port/Proto Count: 5
Can I change the default count of ports per host that generates this signature to a value of 30-50 (a typical host/port scanner scans more than 5 ports, I think)?


Dennis Perto
Level 5

Did you remember to fill in a "Watch IP" or range? 

You can always add these hosts to the "Ignore scanners" list.

Can you explain to me what the "Watch IP" field does? According to the documentation: "If you want to monitor specific hosts for signs of portscan activity, enter the host IP address in the Watch IP field", but by default all hosts in my network (which hit an Access Control rule with an Intrusion Prevention policy) are monitored with portscan detection, or not?

I remember the "Ignore scanners/scanned" fields, but they are my "last resort". I would have to add such a large number of hosts that I find it easier to disable the signature altogether.

I'm not sure that you are right about your assumptions about hitting the Access Control Policy.

These settings are in the Network Analysis Policy, so I figure that they are global for all your $HOME_NET hosts, both ingress and egress. 

I would imagine that you only need to know when your hosts are being scanned from the outside. :)

You are right :) 

But "outside" for me is a global corporate network with a large number of legitimate users who connect to servers on the LAN. One client can establish up to 20 connections to 10 servers simultaneously, and such behavior is considered a violation by Firepower.
Maybe I can customize the Portscan detector anyway to alert when a user establishes 50 simultaneous connections, instead of 5-10 as now?
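
To make the question's event fields and the threshold discussion above concrete, here is an added example (not from the thread, and not Cisco's actual sfportscan algorithm, which also uses time windows and the sensitivity level): a simplified model of the per-source bookkeeping such a detector keeps, run over constructed connection attempts so the effect of a distinct-port threshold of 5 versus 30 can be seen. Source addresses, server addresses and ports are made up.

```python
# Added example: simplified sfportscan-style aggregation, not the real Firepower code.
from collections import defaultdict

# Constructed sample: (src_ip, dst_ip, dst_port, outcome); "failed" = no reply or RST.
SAMPLE_CONNECTIONS = (
    # Host from the question: 5 failed attempts to 5 different ports on one server.
    [("10.1.1.5", "192.0.2.10", p, "failed") for p in (22, 80, 443, 3389, 8080)]
    # Legitimate client: 20 successful connections across 10 servers, two ports each.
    + [("10.1.1.7", f"192.0.2.{n}", p, "ok") for n in range(20, 30) for p in (445, 1433)]
)


def detect_portscan(connections, port_threshold=5):
    """Return one PSNG_TCP_PORTSCAN-like event per (source, destination) pair whose
    failed attempts reached `port_threshold` distinct ports on that destination."""
    per_src = defaultdict(lambda: {"conns": 0, "failed": 0, "ports_by_dst": defaultdict(set)})
    for src, dst, port, outcome in connections:
        s = per_src[src]
        s["conns"] += 1
        if outcome == "failed":
            s["failed"] += 1                  # counted as a "priority" event
            s["ports_by_dst"][dst].add(port)  # distinct closed/filtered ports per target
    events = []
    for src, s in per_src.items():
        for dst, ports in s["ports_by_dst"].items():
            if len(ports) >= port_threshold:
                events.append({
                    "src": src,
                    "dst": dst,
                    "priority_count": s["failed"],
                    "connection_count": s["conns"],
                    "ip_count": len(s["ports_by_dst"]),
                    "port_proto_count": len(ports),
                })
    return events


def scanners(connections, port_threshold=5):
    """Just the source IPs that would trip the detector at this threshold."""
    return sorted({e["src"] for e in detect_portscan(connections, port_threshold)})


if __name__ == "__main__":
    for threshold in (5, 30):
        print(f"threshold={threshold}:", detect_portscan(SAMPLE_CONNECTIONS, threshold))
```

With the threshold at 5 the first host produces exactly the counts quoted in the question (Priority 5, Connection 5, IP 1, Port/Proto 5), while the legitimate client never appears because its connections succeed; at 30 neither host alerts.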

You might have a look at the Rate-Based Attack Prevention instead of the port scan detection. 

A combination of those might be what you need. :)

Ok, I will try this. Thank you!
