Trusted Traffic Exclusions are available to help strike a balance between security and performance. To achieve this, Network Administrators can identify trusted traffic and fast-path the traffic through the Security Appliance without going through the resource-intensive and time-consuming deep inspection process. This allows the Security Appliance to focus resources on analyzing and inspecting untrusted traffic.
Note: This feature is available on MX’s with 18.2 and newer firmware.
How does it work?
Applications and IPs configured for Trusted Traffic Exclusions will take an accelerated forwarding path. This means that packets will be expedited through the processing and filtering of the following features:
Intrusion Prevention/Detection (IPS/IDS)
Advanced Malware Protection (AMP)
Secure Malware Analytics (formally Threat Grid)
Quick Start Guide
Note: Configuration changes for Trusted Traffic Exclusions are organization-wide, so changes will affect all networks within your organization.
Navigate to Security & SD-WAN > Threat Protection
Scroll down to the ‘Trusted Traffic Exclusions’ Section
Select any Trusted Traffic categories and/or configure an IP/subnet using CIDR notation
Traffic that matches the configured parameters will be exempt from inspection. You can choose from a curated list of traffic categories, and/or identify IP/subnet using CIDR notation.
Trusted Applications allows you to choose from a curated list of well-known applications. Applications are identified using Cisco’s next-gen traffic analytics engine, NBAR. For detailed information on NBAR please see this knowledge base article. To learn more about the different types of software included in each category, simply click on the "Show All" button within the respective category. Keep in mind that both the applications and categories may be updated in the future to enhance the selection of trusted applications.
Trusted IP Addresses/Subnets
Trusted IP Addresses/Subnets allows you to identify specific IPv4 or IPv6 addresses that should be fast-pathed. Each entry should only contain one IP address or Subnet. Fully Qualified Domain Names (FQDN) are not supported for Trusted Traffic Exclusions.