topic Re: Firepower file inspection/malware detection rule placement in Network Security

Firepower file inspection/malware detection rule placement

willb1 — Wed, 24 Jul 2024 19:43:11 GMT

I'm confused as to where to place this rule. From my understanding, there should be an allow rule with the File Policy configured to use the associated Malware & File policy. However, the rest of the configuration of that rule is set to allow any any.

There are other allow and block rules in the policy with the policy default action set to block all traffic. The last rule in the ACP is to allow all traffic outbound and inspect.

With that in mind, where should the file inspection policy be placed?

Re: Firepower file inspection/malware detection rule placement

ccieexpert — Wed, 24 Jul 2024 20:05:40 GMT

File/malware policy is applied to a regular access control rule .

The most important would be for inbound to oubound rules like users browsing to a website and downloading files etc which can be inspected for malware..

But keep in mind that 90% or above is encrypted, so unless you are doing ssl decryption, the malware inspection will not kick in..

Re: Firepower file inspection/malware detection rule placement

willb1 — Wed, 24 Jul 2024 20:18:12 GMT

Gotcha. Thank you!

Re: Firepower file inspection/malware detection rule placement

MHM Cisco World — Thu, 25 Jul 2024 11:53:46 GMT

do you want other opinion here ?

MHM

Re: Firepower file inspection/malware detection rule placement

willb1 — Thu, 25 Jul 2024 11:56:06 GMT

Absolutely

Re: Firepower file inspection/malware detection rule placement

MHM Cisco World — Thu, 25 Jul 2024 12:13:29 GMT

Re: Firepower file inspection/malware detection rule placement

willb1 — Thu, 25 Jul 2024 12:19:47 GMT

Thank you, that's very helpful! I located that PDF and will review it.

Re: Firepower file inspection/malware detection rule placement

MHM Cisco World — Thu, 25 Jul 2024 12:23:30 GMT

you are so welcome
MHM