When Defining Protected Hosts, in the IP Address field, should you enter the external and internal addresses? For example, we have an SMTP server with an external address of 209.99.88.18, and an internal address of 10.10.1.15... Our Threat Response Server is on the internal network. It would seem the external address is needed, as that's what the external IDS sensor reports.
By the way, this seems like the most excellent tool for ridding us of all the IDS "fluff" that occurs!