Does FTD always send traffic to Snort for inspection even if I set None for the Intrusion Policy?

09-14-2020 08:12 AM
I could be wrong, but I thought that if I set the Intrusion Policy within a particular Allow Access Control rule to None, the FTD/Lina would not send traffic to Snort for a verdict... But if I do a packet tracer, it seems like FTD still sends traffic to Snort...
So if the Action Allow would always send traffic to Snort,
1. What is the point of setting the Intrusion Policy to None?
2. If I want to completely bypass Snort for particular traffic for whatever reason, do I need to change the action from Allow to Trust within the Access Control rule, or move the rule into Pre-filter?
Thanks!
09-14-2020 09:13 AM
I suggest reading about the traffic flow; the URL below explains how that works.
https://www.lammle.com/post/cisco-firepower-threat-defense-ftd-packet-flow/

09-14-2020 10:21 AM
Thanks, I actually have the Cisco graph for the flow...
But using the doc you shared, quote: "The packet is inspected by the Snort engine, if configured to do so; this can include SI, IPS, AMP, URL filtering among other inspections."
This is related to the first question I posted...
