This is what we see on most of our clients firewalls.


Looking at the graph indicators, I would assume the first graph I posted is more of what we want right?

Are there any KB articles on how to manage and decipher the IPS in untangle?

Here's another odd one

You need to have more information about what is being blocked to better diagnose it.

Go to Reports -> Intrusion Prevention -> Blocked Events

The category, classtype & msg will tell you a bit about what is being blocked. You can also see a "Rule Id" column - which corresponds to the rule in Intrusion Prevention that is blocking that traffic (count down the list from the top).

You can also reduce the # of blocks by switching Intrusion Prevention scanning to "After other network processing." so it doesn't have to scan things that would have otherwise been blocked anyways.

But it all boils down to your rules and what you set. Maybe share a screen shot of the rules tab in Intrusion Prevention

This video may help - youtube.com/watch?v=U711b0baBIg