Some time ago I configured IPS to scan after.
I don't know if I misunderstood the wiki or if it should be phrased differently.

In Config->Network->Advanced->Access Rules I've got the usual Block All as the last rule after some Non-WAN rules. And I verified that from the Internet the traffic is dropped as I don't receive any RST. Fine.

Now, I'd expect IPS not to show all the logs about inbound traffic that has a destination on the IP address of my WAN, as it is already blocked by Access Rules iptables. Unless the network processing refers to that made by Apps and not the local one.

The wiki says: "The advantage of this mode is that IPS will only scan/log on traffic that is actually entering your network and therefore ignores a lot of the standard "noise" from incoming port scans and vulnerability scans that just get dropped at the firewall".

My logs are full of that standard noise about traffic that is dropped anyway. Please note that this is not an issue, I'm just asking out of curiosity: I've already trimmed the rules to what I really want to log.