Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
183
Views
0
Helpful
2
Replies

FMC FastPath vs Trust with logging

Go to solution
davparker
Level 1
Level 1

‎06-11-2024 01:51 PM

Hello,
I'm trying to figure out a way to suppress logging to the FMC console for DNS_over_TCP & DNS_over_UDP from Umbrella VAs to the Umbrella public DNS servers. That traffic is cluttering the console. It is trusted and secure. I don't really want to send this through the inspections or SI. Initially I thought FastPath would do it, but traffic still exits the ACP policy for Internet_Allowed and gets logged. I tried adding a Allow rule for this traffic just above the Internet_Allowed rule with no inspection or logging, but traffic is still exiting the Internet_Allowed ACP rule. Next, I tried a Packet Tracer to see which rules are getting hit, but I seem to be unable to simulate DNS_over_TCP or DNS_over_UDP. Those port options don't exist. I'm running 7.2x

Any thoughts? David

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP

‎06-11-2024 02:16 PM

I am a little unclear on the structure of your ACP, screenshots would be good.

However, placing the DNS rule in the prefilter policy and selecting fastpath (and not enabling logging) should achieve what you are trying to do.

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Marius Gunnerud
VIP
VIP

‎06-11-2024 02:16 PM

I am a little unclear on the structure of your ACP, screenshots would be good.

However, placing the DNS rule in the prefilter policy and selecting fastpath (and not enabling logging) should achieve what you are trying to do.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
davparker
Level 1
Level 1
In response to Marius Gunnerud

‎06-11-2024 02:38 PM

So, in the Prefilter Policy, instead of specifying ports DNS_over_TCP and UDP_over_TCP I specified tcp/443 & udp/443 for traffic between the Umbrella VAs and the Umbrella Public Servers. I guess I made an assumption that the predefined ports were for DNScrypt. Must not be the case...

Thanks - David

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card