Firepower Block Reason Investigating

georgehewittuk1 — Mon, 13 Sep 2021 15:37:33 GMT

Hi All,

Just trying to troublehsoot & wanted to question if a file is blocked in this case it's an email with an attachment (we suspect it is between exchange & ESA) can we dig any deeper other than just seeing 'File Block' into what the attachment was/reasons etc?

We are using 6.6.4 & have malware policy enabled for the access-rule.

Also is there a way in whitelisting a file that maybe a false positive.

Thanks

Re: Firepower Block Reason Investigating

Marius Gunnerud — Mon, 13 Sep 2021 19:14:06 GMT

You should be able to configure the file policy to capture and store the file. Once the file is stored you will be able to download for further analysis. View the file at Analysis > Files > Captured Files.

As for allowing false positives, you can add the file to a "clean list"

topic Firepower Block Reason Investigating in Network Security

Firepower Block Reason Investigating

Re: Firepower Block Reason Investigating