OK, for IDS then, see below.
In general, you should carefully consider why you want to suppress a rule and only proceed if you have a thorough understanding of the implications.
Methods to Suppress IPS Rules:
1. Adjust Rule State in Intrusion Policy:
Navigate to the Intrusion Policy in the FMC. Locate the specific IPS rule you want to suppress.
Change the rule state to "Disabled" to stop processing the rule or "Generate Events" to only log events without blocking traffic.
Alternatively, you can set the rule to "Drop and Generate Events" to both drop the traffic and generate an event.
2. Create an Access Control Rule to Bypass Inspection:
Create a new access control rule that matches the traffic you want to bypass IPS inspection for.
Ensure the new rule is placed above the rule with the IPS policy configured.
Set the action of the new rule to "Trust" or "Allow" to bypass inspection.
3. Create a New IPS Policy with Disabled Rules:
Create a new IPS policy with the specific rules disabled for the traffic you want to exempt.
4. Create a new access control rule that references the new IPS policy.
Set the action of the new access control rule to "Allow".
Suppression and Thresholding:
You can configure suppression and thresholding for specific IPS rules to control the number of events generated.
This can help prevent the Firepower device from being overloaded with events during high-volume attacks.
You can configure suppression based on source or destination IP addresses or networks.
Thresholding allows you to define a limit on the number of events generated within a specific time interval.
