Suspicious Activity Rules - utilization concerns?

Do suspicious activity rules bog down the system? We're running R62, distributed environment. SmartCenter Server is SPLat; gateways are clustered Nokias.

We have a proxy server on our internal network that has more outbound access than desired, and we're pruning out the access that's definitely not needed (drop rules in SmartDashboard). For access that is questionable, I'd like to implement a couple of suspicious activity rules in SmartView Monitor, dropping and logging the sessions that we're not sure are needed.

We cannot install policies during the day; they have to be scheduled a day in advance and can only be done after hours, so I need a way to open the access back up without installing a policy, if we discover the access is required for business purposes.

Does this sound like a good method? Any concerns/gotchas?

Thanks All!