topic Re: Cisco Firepower File Policy in Network Security

Cisco Firepower File Policy

ccna_security — Tue, 12 Mar 2019 11:19:01 GMT

Hi. I have just configured firepower file policy that is responsible for just detecting any file and block only encrypted archives when they pass through firepower.But when i send encrypted archive from one vlan to others it is either send or blocked that make the host get stuck for a while. Please see added screenshot that depicts my configuration. Please help me to resolve this problem.Moreover when the host freezes and needs restart, the blocked archives seen on logs.As if it is normally blocked.Please tell me where did i make mistake in the configuration. Thanks in advance

Re: Cisco Firepower File Policy

Sheraz.Salim — Thu, 10 Jan 2019 09:40:00 GMT

in diagram 1.PNG you have not select any file. all are uncheck. also you need to understand the flow of packet in Firewpower.

you doing decryption on the box too? please the the diagram it will help you to build your rule according to packet flow.

Re: Cisco Firepower File Policy

ccna_security — Thu, 10 Jan 2019 09:54:23 GMT

thanks for your prompt reply. In diagram 1.png i have selected all files. When i select one by one po the left side it adds all category (all file type)to the Selected file categories and Types. then check box on the left side get back to the default condition (unchecked)I hope i could make it clear to you.

I havent created decryption policy yet (SSL policyis none). So decrypting wont work. do you thing that encrypted files must pass through ssl plicy?

Thanks

Re: Cisco Firepower File Policy

Sheraz.Salim — Thu, 10 Jan 2019 10:14:07 GMT

check this link its explain in detail how file policy works

https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Access_Control_Using_Intrusion_and_File_Policies.pdf

https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Reference_a_wrapper_Chapter_topic_here.pdf

Re: Cisco Firepower File Policy

ccna_security — Thu, 10 Jan 2019 12:06:54 GMT

thanks for the link you sent. One more thing i want to mention. The encrypted file that is sent is rar,zip archive file. i read all materials you send but it only teaches how to configure file policy. It also say that if you want to block encrypted archive in the network check "Block Encrypted Archives" box. So again it wont block archive or blocks it but make host get freezed.

Usually This problem occurs when users attemtp to take password protected rar,zip archive file from file server to their computers. then aforementioned problem occurs.

Please send me solution

Re: Cisco Firepower File Policy

Sheraz.Salim — Thu, 10 Jan 2019 13:06:23 GMT

could you please confirm that your File Policy is married to the ACP policy? Is the source and destination IP are in same subnet or in different subnet?

how about your default ACP rule is?

Re: Cisco Firepower File Policy

ccna_security — Thu, 10 Jan 2019 13:16:47 GMT

Well, i created file policy that was shown on previous conversation. then i applied that file policy to access rule show on attachement.Furthermore file server is in different subnet than my host computer. i mean both of them are not in the same subnet.

Re: Cisco Firepower File Policy

Sheraz.Salim — Thu, 10 Jan 2019 13:53:49 GMT

just read in cisco documentation.

Detect Files: This action detects a file trasfer and logs it as a file event without interruption the file transfer.

Tip: if you want to block a file, seclet the Rest Connecton option. it allows an application session to close before the connection time out by itself.

having said that, create your rule like this.

Re: Cisco Firepower File Policy

ccna_security — Thu, 10 Jan 2019 14:20:27 GMT

thanks so much for your help. i am about to solve the problem using your tips. i will try as u said. if any problem occurs i will turn u back . thank you

Re: Cisco Firepower File Policy

Sheraz.Salim — Thu, 10 Jan 2019 20:38:08 GMT

did you mange to solve the issue?

Re: Cisco Firepower File Policy

ccna_security — Fri, 11 Jan 2019 07:41:54 GMT

Hi. Unfortunately failed again. Lets explain what kind of task i am given exactly. I need to create a file policy that blocks malware for all types of files (included unencrypted archives). Actually it is easy enough. But the hard part of this task is to block only encrypted archives. If possible could you please create such policy on your firepower and send me screenshot?

Re: Cisco Firepower File Policy

Sheraz.Salim — Fri, 11 Jan 2019 10:53:02 GMT

Hi took me a long to read the documentation 🙂

In order for you to block the encrypted archievs you need a Dynamic Analysis check you will find this under Malware Cloud/Block malware. which make sense as the encrypted traffic sha256 will sent to cisco cloud to check the if the file is legitimate. on the other part you can not only block the encrypted files.

i have attach some attachment for your reference.

Re: Cisco Firepower File Policy

ccna_security — Fri, 11 Jan 2019 13:37:45 GMT

first of all i want to say that i really appreciate your assistement.Thanks so much.

I tried again but faild as usual:) please see the attachment i posted. Block Malware function for all type of files wont block password protected archive that has malware inside it. i have read several documentation about file policy but couldnt find any solution. When i send that archive file over different network it passes without inspecting or blocking.

I am beginner in this field that is why i have difficulty to solve the issue. I guess i have configured correctly but not sure that what makes the password protected archive file pass.

Do you have any idea?

Re: Cisco Firepower File Policy

ccna_security — Fri, 11 Jan 2019 13:39:30 GMT