Thank you for the answer.
I will start from the end:
1. If my server was compromised from inside, the blocked ip that the server blocked would be an internal one as well (or am I wrong?).
2. Do you mean that if I have a policy rejecting all trafic from untrunst to trust, and at the same time some VIPS configured in my untrust interface, then it will still allow this traffic??? (the only other policy is from trust to untrust - allow, otherwise no other policies).
3. As mentioned in 2, the only active policies are:
a. Untrust - trust - reject (no nat in advance settings, nothing else configured there)
b. Trust - untrust - allow
c. Trust - trust (two internal subnets) - allow