I've removed the duplicate post from Security Awareness - you should get an answer here in the HIP section.
The Trusted Networks policy is used for a few items:
- Used in a Firewall rule where Local/Remote Network object is set to TRUSTED.
- Network IPS exclusions if you enable the Trust for IPS (not necessary anymore for HIPS 8.0, since you can create Network IPS exceptions in the IPS Rules policy with the Remote IP Address parameter).
- Exclusions for the HIPS Firewall TrustedSource feature.
Going back to your comments, I'm trying to understand how your firewall rules are set up. With HIPS 8.0, you do not need to use the TRUSTED entry in the Local/Remote Networks; you can simply use the subnet/range entries as needed. In HIPS 7.0, the Trusted Networks policy was used to apply firewall rules to multiple IP address entries (single, range, CIDR entries), since a firewall rule could only have 1 entry; HIPS 8 allows multiple entries now.
You could change the Firewall rules in each LAG to not use the Trusted Networks policy at all, so you don't have to set a different Trusted Networks policy for each group of systems. Something like this (if I understand the functionality you're trying to implement correctly):
-- allow dns
-- allow dhcp
LAG1 - based on gateway 192.168.1.1
-- Allow ping from 192.168.2.0/24 & 192.168.3.0/24
LAG2 - based on gateway 192.168.2.1
-- Allow ping from 192.168.1.0/24 & 192.168.3.0/24
LAG3 - based on gateway 192.168.3.1
-- Allow ping from 192.168.1.0/24 & 192.168.2.0/24
-- Block ping
In the above, the Trusted Network policy is not used at all for the Firewall. You could also create Catalog Network objects for these networks as well, if you wanted (although not necessary).
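To check what the rule layout above actually permits before pushing it, here is an added example (not McAfee code and not part of the original post) that models the ordering: common allow rules first, then only the location-aware group (LAG) whose gateway matches the host's current default gateway, then the trailing block-ping rule. The gateway-to-LAG mapping, the protocol names and the final default-deny are assumptions made to mirror the post; a first-match evaluation is used, which is how an ordered firewall rule list is normally read.

```python
import ipaddress
from typing import List, Optional, Tuple

# A rule is (action, protocol, remote networks); None means "any remote address".
Rule = Tuple[str, str, Optional[List[str]]]

# Rules that apply regardless of location (the "-- allow dns / -- allow dhcp" lines).
COMMON_RULES: List[Rule] = [
    ("allow", "dns", None),
    ("allow", "dhcp", None),
]

# Location-aware groups keyed by the default gateway that activates each one
# (assumed mapping, taken from the LAG1/LAG2/LAG3 layout in the post).
LAGS = {
    "192.168.1.1": [("allow", "icmp", ["192.168.2.0/24", "192.168.3.0/24"])],
    "192.168.2.1": [("allow", "icmp", ["192.168.1.0/24", "192.168.3.0/24"])],
    "192.168.3.1": [("allow", "icmp", ["192.168.1.0/24", "192.168.2.0/24"])],
}

# The trailing "-- Block ping" rule that applies after every LAG.
TRAILING_RULES: List[Rule] = [("block", "icmp", None)]


def effective_rules(gateway: str) -> List[Rule]:
    """Ordered rule list for a host whose current default gateway is `gateway`.

    Only the LAG whose gateway matches is active; a host on an unknown
    gateway gets just the common rules plus the trailing block.
    """
    return COMMON_RULES + LAGS.get(gateway, []) + TRAILING_RULES


def evaluate(gateway: str, protocol: str, remote_ip: str) -> str:
    """Return 'allow' or 'block' for inbound `protocol` traffic from `remote_ip`.

    First matching rule wins. If nothing matches, the result is 'block'
    (assumed default-deny behaviour for an unmatched packet).
    """
    ip = ipaddress.ip_address(remote_ip)
    for action, proto, nets in effective_rules(gateway):
        if proto != protocol:
            continue
        if nets is None or any(ip in ipaddress.ip_network(n) for n in nets):
            return action
    return "block"


if __name__ == "__main__":
    # Constructed sample checks: a host behind 192.168.1.1 (LAG1).
    for remote in ("192.168.2.50", "192.168.3.7", "192.168.1.9", "10.0.0.1"):
        print(f"LAG1 host, ping from {remote}: {evaluate('192.168.1.1', 'icmp', remote)}")
```

Note what the simulation makes visible: with the layout exactly as written, a LAG1 host accepts ping from the 192.168.2.0/24 and 192.168.3.0/24 subnets but not from its own 192.168.1.0/24, and a host whose gateway matches no LAG falls straight through to the block rule. Whether that is the intended behaviour is a policy decision, but it is worth confirming before deploying.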