
FTD/FMC - Question about PREFILTER and ACP

babalao

Hello!

I have this confusion about FTD regarding actions in ACP and PREFILTER...

Starting from the idea that:
In ACP, action Trust = bypasses any inspection/Snort and is permitted
In ACP, action Allow = permitted but is passed to inspection/Snort for further analysis

Questions:
1- If my FTD does not do any inspection (has only Base license), what would be the difference between actions Trust and Allow in ACP?
I mean, for example, when I want to permit some traffic, is it better to always use Trust or Allow?

2- What would be the difference between action Trust in ACP and action FastPath in PREFILTER? I mean both bypass the inspection and permit traffic.

I mean, if I do not use any inspection/Snort/Firepower, only L4 FW rules because I have only Base license for example, is it better to only use PREFILTER rules and not use ACP at all?

I understand that PREFILTER uses much less resources than ACP. Is this true even if I do not use any inspection in ACP?

Thank you in advance!
Regards.


babalao

Hello,

So if, for example, I have hundreds of ACP rules with action ALLOW (which I understand passes through Snort), to lessen the system resources of the FTD, would it be a good idea to migrate all these rules to PREFILTER with action FASTPATH?

Thank you!

This depends on your company's security policies and if they permit such a move. I would not recommend moving ALL traffic to prefilter. If anything, I would suggest only moving traffic that flows between servers and MGMT traffic (i.e. syslog, SNMP, NetFlow, etc.). Traffic from clients should always be subject to inspection in Snort.

Also enable Elephant flow remediation if your FTD device supports it (not supported on FTD 2100 devices).  This will also help in reducing the strain on the FTD device.

--
Please remember to select a correct answer and rate helpful posts
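
The following is an added example, not part of the thread or of any Cisco tooling: a small triage of an ACP Allow rule list along the lines of the reply above, flagging only server-to-server and management flows as prefilter candidates and keeping anything a client can originate under Snort. The subnets, rule names, rule format and ports are constructed assumptions, and a candidate still needs to pass your own security policy.

```python
import ipaddress

# Constructed inventory: subnets, rules and ports are assumptions, not thread data.
CLIENT_NETS = [ipaddress.ip_network("10.20.0.0/16")]
SERVER_NETS = [ipaddress.ip_network("10.10.0.0/16")]
# NetFlow has no fixed port; 2055/udp is only a common collector setting.
MGMT_SERVICES = {("udp", 514): "syslog", ("udp", 161): "SNMP",
                 ("udp", 162): "SNMP trap", ("udp", 2055): "NetFlow"}

RULES = [
    {"name": "syslog-to-collector", "src": "10.10.5.0/24", "dst": "10.10.9.10/32",
     "proto": "udp", "port": 514},
    {"name": "db-replication", "src": "10.10.1.0/24", "dst": "10.10.2.0/24",
     "proto": "tcp", "port": 5432},
    {"name": "users-to-web", "src": "10.20.0.0/16", "dst": "10.10.3.0/24",
     "proto": "tcp", "port": 443},
    {"name": "any-to-snmp", "src": "0.0.0.0/0", "dst": "10.10.9.11/32",
     "proto": "udp", "port": 161},
    {"name": "servers-to-internet", "src": "10.10.0.0/16", "dst": "0.0.0.0/0",
     "proto": "tcp", "port": 443},
]

def triage(rule):
    """Return (decision, reason) for one ACP Allow rule."""
    src = ipaddress.ip_network(rule["src"])
    dst = ipaddress.ip_network(rule["dst"])
    # A source that overlaps a client range (including "any") stays inspected,
    # even when the destination port is a management service.
    if any(src.overlaps(n) for n in CLIENT_NETS):
        return "keep-in-acp", "source can include clients"
    service = MGMT_SERVICES.get((rule["proto"], rule["port"]))
    if service:
        return "prefilter-candidate", f"management traffic ({service})"
    # Both ends must sit fully inside server ranges to count as server-to-server.
    if all(any(x.subnet_of(n) for n in SERVER_NETS) for x in (src, dst)):
        return "prefilter-candidate", "server-to-server flow"
    return "keep-in-acp", "not clearly server-to-server or management"

def triage_all(rules):
    """Map rule name -> (decision, reason) for review."""
    return {r["name"]: triage(r) for r in rules}

if __name__ == "__main__":
    for name, (decision, reason) in triage_all(RULES).items():
        print(f"{name:22} {decision:20} {reason}")
```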

If you have Firepower, then making all traffic bypass Snort leaves the FW without any rule to secure your network.
Start classifying your traffic.
So NO,
making all traffic fastpath is not a good idea.
Thanks
MHM
