Beginner

Firesight Allow vs Trust

Not understanding the difference for an Access Control Policy if let's say I 'Trust' the facebook application vs 'Allow' the facebook application.  Is the only difference the ability to log?

7 REPLIES
VIP Mentor

If you choose the action

If you choose the action "Trust", you don't do any more inspection on the traffic. There will be no intrusion protection and also no file-policy on this traffic.

Beginner

Re: If you choose the action

Good advice!

Beginner

Re: If you choose the action

You would still have SSL inspection with trusting the traffic correct?
Hall of Fame Master

Re: If you choose the action

SSL inspection (and decryption) is processed prior to Access Control Policy (ACP) rules, so yes, it still applies when the ACP action is Trust.

Cisco Employee

Re: If you choose the action

Just to add to Karsten's answer: Trust rules are not subject to IPS, AVC and File inspection but are still subject to identity and QoS policies. If you want to completely skip all Snort-based inspections, then you can utilize pre-filter rules.

I hope this helps!

Thank you for rating helpful posts!

Cisco Employee

To add to what Karsten said (

To add to what Karsten said (+5 from me):

1. Use this feature when you don't want to tax your firewall for traffic that does not need inspection. For instance, a DB server on dmz_1 doing a backup to a backup server on dmz_2.

2. If you are running FirePOWER on the ASAs, then instead of using "Trust" you should exclude that type of traffic in your SFR redirection policy in the ASA directly.

I hope this helps!

Thank you for rating helpful posts!

Beginner

Re: To add to what Karsten said (

This is good advice depending on what you want to accomplish. If you still want to see that traffic in your FirePower Events then you do not want to exclude that traffic on the ASA via Access List. If you don't care about seeing that traffic in FirePower then by all means exclude within the SFR Redirect Access List. If you do want to see that traffic in FirePower, then mark the traffic as "trusted" so that the events will still be logged, but not processed by the IPS.
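The two replies above describe the ASA-side alternative to a Trust rule: removing the backup traffic from the SFR redirection policy so it never reaches the FirePOWER module at all. The following ASA configuration is an added illustration of that approach and is not taken from any post in this thread. The ACL name (sfr_redirect), class-map and policy-map names, and the two host addresses (10.10.1.10 as the DB server on dmz_1, 10.10.2.20 as the backup server on dmz_2) are constructed for the example.

```cisco
! Redirect ACL: "deny" entries are NOT sent to the SFR module,
! "permit" entries are. Order matters: the specific deny lines
! must come before the catch-all permit.
!
! Backup traffic between the DB server (dmz_1) and the backup
! server (dmz_2) is excluded from inspection in both directions.
access-list sfr_redirect extended deny tcp host 10.10.1.10 host 10.10.2.20
access-list sfr_redirect extended deny tcp host 10.10.2.20 host 10.10.1.10
!
! Everything else is still handed to the FirePOWER module.
access-list sfr_redirect extended permit ip any any
!
class-map sfr_class
 match access-list sfr_redirect
!
! Attach the redirection to the global policy. "fail-open" keeps
! passing traffic if the module goes down; use "fail-close" where
! an uninspected flow is not acceptable.
policy-map global_policy
 class sfr_class
  sfr fail-open
!
service-policy global_policy global
```

As the last reply points out, the trade-off is visibility: flows matched by the deny lines never generate connection events in FirePOWER, whereas an ACP rule with the Trust action still logs the connection while skipping IPS, AVC and file inspection. Keep the exclusions as narrow as possible (specific hosts and ports rather than whole subnets) so that only the known bulk transfer bypasses the module.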