By defining "internal networks", you allow your IDS to identify which traffic is "IN" and which is "OUT", with regards to the direction. Given this information, you can create filters based on this data. If you specify 220.127.116.11/16 (in the form of "18.104.22.168 255.255.0.0" in IDM), any intrusion events to/from that network will be properly identified in the Event Viewer in the "Src" or "Dst" as "IN".
You can then create a filter to exclude any events if the source originates from "inside", etc.
I have found a bug in this configuration which I have not confirmed has been fixed. The bug used to include any configuration of internal networks that weren't a full Class A, B, or C. Example: if you configured an Internal Network of:
10.20.30.0 255.255.255.192 - it would not properly identify traffic from that network as being "IN". Only networks with full class masks were properly interpreted. Again, I have not confirmed this bug has been resolved, and I first noticed it somewhere around the S4 signature release dates.
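The IN/OUT labelling and the "exclude inside sources" filter described above can be checked independently of the sensor. The following is an added example, not part of the original post and not Cisco code: it parses internal networks in the "address mask" form, labels constructed sample events, and lists the definitions whose mask is not /8, /16 or /24 (one reading of "full class masks"), which are the ones worth verifying on the sensor. All function names, addresses and events are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: internal networks in the "address mask" form.
INTERNAL = ["10.20.30.0 255.255.255.192", "172.16.0.0 255.255.0.0"]
EVENTS = [
    {"sig": 1, "src": "10.20.30.17", "dst": "198.51.100.7"},
    {"sig": 2, "src": "10.20.30.200", "dst": "172.16.4.4"},  # outside the /26
    {"sig": 3, "src": "203.0.113.9", "dst": "10.20.30.62"},
]

def parse_internal(entries):
    """Turn 'address mask' strings into network objects (rejects host bits)."""
    nets = []
    for entry in entries:
        addr, mask = entry.split()
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=True))
    return nets

def locality(ip, nets):
    """'IN' if the address falls inside any internal network, else 'OUT'."""
    addr = ipaddress.ip_address(ip)
    return "IN" if any(addr in net for net in nets) else "OUT"

def label(events, nets):
    """Attach the expected Src/Dst locality to each event."""
    return [dict(e, src_loc=locality(e["src"], nets),
                 dst_loc=locality(e["dst"], nets)) for e in events]

def exclude_inside_sources(labelled):
    """Filter out events whose source is labelled IN."""
    return [e for e in labelled if e["src_loc"] != "IN"]

def needs_verification(nets):
    """Definitions whose mask is not /8, /16 or /24 (assumed meaning of
    'full class masks'); compare the sensor's labels for these by hand."""
    return [str(n) for n in nets if n.prefixlen not in (8, 16, 24)]

if __name__ == "__main__":
    nets = parse_internal(INTERNAL)
    for e in label(EVENTS, nets):
        print(e["sig"], e["src"], e["src_loc"], "->", e["dst"], e["dst_loc"])
    print("kept after filter:", [e["sig"] for e in exclude_inside_sources(label(EVENTS, nets))])
    print("verify on sensor:", needs_verification(nets))
```

If the Event Viewer shows a different Src/Dst locality than this reference for an address in one of the listed networks, the sensor is not honouring that mask.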
We have configured the outside and inside interfaces with official IPv6 addresses and set a default route on the outside interface to our router. We have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...