Firesight Allow vs Trust

moody
Level 1

Not understanding the difference for an Access Control Policy if let's say I 'Trust' the facebook application vs 'Allow' the facebook application.  Is the only difference the ability to log?

11 Replies

If you choose the action "Trust", you don't do any more inspection on the traffic. There will be no intrusion protection and also no file-policy on this traffic.

Good advice!

You would still have SSL inspection with trusting the traffic correct?

SSL inspection (and decryption) is processed prior to Access Control Policy (ACP) rules so - yes, it still applies when the ACP action is trust.

Just to add to Karsten's answer: Trust rules are not subject to IPS, AVC and File inspection but are still subject to identity and QoS policies. If you want to completely skip all snort-based inspections then you can utilize pre-filter rules. 

I hope this helps!

Thank you for rating helpful posts!

nspasov
Cisco Employee

To add to what Karsten said (+5 from me):

1. Use this feature when you don't want to tax your Firewall for traffic that does not need inspection. For instance, DB server on dmz_1 doing a backup to a backup server on dmz_2. 

2. If you are running FirePOWER on the ASAs then instead of using "trust" you should exclude that type of traffic in your sfr redirection policy in the ASA directly.

I hope this helps!

Thank you for rating helpful posts!

This is good advice depending on what you want to accomplish. If you still want to see that traffic in your FirePower Events then you do not want to exclude that traffic on the ASA via Access List. If you don't care about seeing that traffic in FirePower then by all means exclude within the SFR Redirect Access List. If you do want to see that traffic in FirePower, then mark the traffic as "trusted" so that the events will still be logged, but not processed by the IPS.

This is interesting. Two weeks ago FMC was blocking traffic from Amazon cloud; we host services on the cloud. In order to fix the issue I created a rule to trust the connection from the Amazon public IP to our DMZ server. Even though the rule was trust, it was still getting to the default intrusion policy. Now, again to fix the issue, I went to Snort rules and disabled the rule which was alerting us. My understanding is that even trust does not actually trust the traffic and still applies the default IPS rules, unless, as mentioned above, you create an access-list on the ASA.

please do not forget to rate.

It is also worth bearing in mind that each Access Control policy has a setting in the Advanced tab for 'Intrusion Policy used before Access Control rule is determined' where packets are sent through this policy using the default variable set before an action from the access policy can be determined. So it's worth noting that if you change your default action after you create the access control policy, the default intrusion policy does not automatically change. To change it manually, use the access control policy’s advanced options.

Trust rules do "trust" the traffic. What you're seeing is due to a setting in the advanced tab of the access control policy: "Intrusion policy before Access Control rule is determined".
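The behaviour described in the two replies above (packets hit the default intrusion policy until the matching rule is known, then a Trust match skips IPS and file inspection while an Allow match does not), as an added example that is not from this thread or from Cisco: a simplified Python model of the inspection stages each packet of one flow passes through. The stage names, the top-down rule evaluation, and the APP_ID_PACKETS constant are assumptions of the model, not FMC internals.

```python
from dataclasses import dataclass
from typing import Optional

APP_ID_PACKETS = 3  # constructed: packets Snort needs before it can identify the application

@dataclass
class Rule:
    action: str                # "fastpath" (prefilter rule), "trust" or "allow"
    app: Optional[str] = None  # application condition; None means L3/L4-only conditions

def decide(rules, default, flow_app, app_known):
    """Top-down lookup; returns None while an app-based rule higher up can't be evaluated yet."""
    for rule in rules:
        if rule.app is None:
            return rule          # L3/L4-only rule: decidable on the first packet
        if not app_known:
            return None          # cannot tell yet whether this rule matches, so nothing below counts
        if rule.app == flow_app:
            return rule
    return default               # the policy's default action (assumed L3/L4-only)

def process_flow(flow_app, n_packets, prefilter, acp, pre_rule_ips=True, default=Rule("allow")):
    """Return {packet_no: [stages]} showing what each packet of one flow goes through."""
    trace = {}
    decided = None
    for i in range(1, n_packets + 1):
        if decided is None:
            decided = decide(prefilter + acp, default, flow_app, app_known=i > APP_ID_PACKETS)
        if decided is not None and decided.action == "fastpath":
            trace[i] = ["fastpath"]          # prefilter fastpath: nothing Snort-based runs at all
            continue
        stages = ["ssl_policy", "identity"]  # both run before the ACP action is applied
        if decided is None:
            stages += ["ips_before_rule"] if pre_rule_ips else []   # the advanced-tab setting
        elif decided.action == "trust":
            stages += ["qos", "connection_log"]                     # no IPS, AVC or file inspection
        else:  # allow
            stages += ["qos", "ips", "file_policy", "connection_log"]
        trace[i] = stages
    return trace

if __name__ == "__main__":
    # A Trust rule for a DC-to-DC backup placed below an application-based Allow rule:
    # the first packets still see the pre-rule IPS policy, later ones are trusted.
    for pkt, stages in process_flow("backup", 5, [], [Rule("allow", app="facebook"), Rule("trust")]).items():
        print(pkt, stages)
```

Moving the Trust rule above the application-based rule, or turning off the pre-rule intrusion policy, removes the `ips_before_rule` stage from the first packets; a prefilter fastpath rule removes every Snort stage.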

This is exactly my case: we need to transfer backup/replication data between 2 datacenters, and it looks like the trust rules would help me out with the single Snort instance behavior that limits total throughput.
