Maybe trust is too strong of a word...
I have an ASA5516-X active/standby pair with the integrated Firepower SFR managed by a single FMC VM. Everything is on the latest version (as of this posting). Classic layout: inside, outside, and DMZ. I send all IP traffic to the SFR for inspection with the standard policy map for all traffic flowing through the ASA.
I have several vulnerability scanners throughout my network which generate an enormous amount of events in the Firepower console, which is to be expected. I'm looking for an easy way to either suppress or ignore traffic to and from those IP addresses. I wasn't sure if just whitelisting the IP was the recommended solution, or if there is some other way to not completely ignore activity to and from those IP addresses.
I considered trying to ignore events based on classification, but that seemed a bit laborious, and I'd always be chasing the events. Also, it seems like you'd slowly end up ignoring all events.
I'd like to know what others have done in circumstances such as this.
For an ASA with a Firepower service module you should exempt the traffic in the redirect ACL in the class-map / policy-map configuration that steers traffic to the service module. That's because "Prefiltering is supported on Firepower Threat Defense devices only. Prefilter configurations have no effect on other devices."
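An illustration of the redirect-ACL approach described in the answer above, added here as an example and not taken from the original thread or from Cisco documentation. The object-group name, ACL and class-map names, and the scanner addresses (10.0.5.20 and 10.0.5.21) are assumed placeholders; substitute the names already in use on the ASA (the default SFR setup wizard typically creates a class-map named `sfr` matching an ACL such as `sfr_redirect`).

```cisco
! Constructed example: scanner hosts to exempt from SFR inspection
object-group network VULN_SCANNERS
 network-object host 10.0.5.20
 network-object host 10.0.5.21
!
! Deny entries in the redirect ACL mean "do not match", i.e. do not send to the module.
! Both directions are excluded so scan traffic and its replies stay out of the console.
! The final permit keeps everything else going to the SFR for inspection.
access-list SFR_REDIRECT extended deny ip object-group VULN_SCANNERS any
access-list SFR_REDIRECT extended deny ip any object-group VULN_SCANNERS
access-list SFR_REDIRECT extended permit ip any any
!
class-map SFR_CLASS
 match access-list SFR_REDIRECT
!
policy-map global_policy
 class SFR_CLASS
  sfr fail-open
!
service-policy global_policy global
```

After applying the change, `show service-policy sfr` shows the class-map and its packet counters, and a test flow from a scanner address should no longer increment them. Note that this removes the scanner traffic from the module entirely; it is still subject to the ASA's own interface ACLs, so a scanner that is compromised or misconfigured would only be caught by those ASA rules and by the scanner's own logging, not by the intrusion policy.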
I agree with Marvin here; bypassing Firepower altogether is the best option here.