topic Re: To add to what Karsten said ( in Network Security

Firesight Allow vs Trust

moody — Sun, 10 Mar 2019 13:39:58 GMT

Not understanding the difference for an Access Control Policy if let's say I 'Trust' the facebook application vs 'Allow' the facebook application. Is the only difference the ability to log?

If you choose the action

Karsten Iwen — Fri, 05 Aug 2016 20:35:47 GMT

If you choose the action "Trust", you don't do any more inspection on the traffic. There will be no intrusion protection and also no file-policy on this traffic.

To add to what Karsten said (

nspasov — Sat, 06 Aug 2016 22:00:38 GMT

To add to what Karsten said (+5 from me):

1. Use this feature when you don't want to tax your Firewall for traffic that does not need inspection. For instance, DB server on dmz_1 doing a backup to a backup server on dmz_2.

2. If you are running FirePOWER on the ASAs then instead of using "trust" you should exclude that type of traffic in your sfr redirection policy in the ASA directly.

I hope this helps!

Thank you for rating helpful posts!

Re: If you choose the action

Joshua Schroth — Tue, 08 May 2018 20:33:26 GMT

Good advice!

Re: To add to what Karsten said (

Joshua Schroth — Tue, 08 May 2018 20:33:57 GMT

This is good advice depending on what you want to accomplish. If you still want to see that traffic in your FirePower Events then you do not want to exclude that traffic on the ASA via Access List. If you don't care about seeing that traffic in FirePower then by all means exclude within the SFR Redirect Access List. If you do want to see that traffic in FirePower, then mark the traffic as "trusted" so that the events will still be logged, but not processed by the IPS.

Re: If you choose the action

JohnDenver2135 — Tue, 03 Sep 2019 16:08:11 GMT

You would still have SSL inspection with trusting the traffic correct?

Re: If you choose the action

Marvin Rhoads — Fri, 06 Sep 2019 14:26:59 GMT

SSL inspection (and decryption) is processed prior to Access Control Policy (ACP) rules so - yes, it still applies when the ACP action is trust.

Re: If you choose the action

nspasov — Thu, 03 Oct 2019 19:32:17 GMT

Just to add to Karsten's answer: Trust rules are not subject to IPS, AVC and File inspection but are still subject to identity and QoS policies. If you want to completely skip all snort-based inspections then you can utilize pre-filter rules.

I hope this helps!

Thank you for rating helpful posts!

Re: To add to what Karsten said (

Sheraz.Salim — Sun, 17 Nov 2019 22:50:48 GMT

This interesting. Two week ago FMC was blocking a traffic from amazon cloud we host services on the cloud. in order to fix the issue i created a rule to trust the connection amazon public ip to our dmz server. even though the rule was trust but it was still getting to the default intrusion policy. now again to fix the issue i went to sort rules and disable the rule which was alerts us. my understanding is even trust does not actually trust the traffic and still apply the defaut IPS rules. unless mentioned above to create a access-list on ASA.

Re: To add to what Karsten said (

chrischurch — Mon, 02 Dec 2019 15:42:46 GMT

It is also worth bearing in mind that each Access Control policy has a setting in the Advanced tab for 'Intrusion Policy used before Access Control rule is determined' where packets are sent through this policy using the default variable set before an action from the access policy can be determined. So it's worth noting that if you change your default action after you create the access control policy, the default intrusion policy does not automatically change. To change it manually, use the access control policy’s advanced options.

Re: To add to what Karsten said (

miculp — Sat, 14 Dec 2019 20:48:29 GMT

Trust rules do "trust" the traffic. What you're seeing is due to a setting in the advanced tab of the access control policy. "Intrusion poolicy before Access Control rule is determined".

Re: To add to what Karsten said (

ajc — Sat, 04 Feb 2023 19:01:31 GMT

this is exactly my case, we need to transfer backup/replication data between 2 datacenters and looks like the trust rules would help me out with the single snort instance behavior that limits totalthroughput