04-11-2018 02:02 AM - edited 03-08-2019 05:47 PM
Hello, we have configured the Antimalware policy to block malware, but when we do a test of an antimalware test download from the below site, it gives an option to save the file in Internet Explorer; the antimalware is not blocking. It should not give an option to save.
04-11-2018 11:50 PM
Network AMP
04-16-2018 02:46 AM
Hi Edwin,
The rule looks correct. I would suggest checking the connection events first to find which rule the traffic is hitting on the Firepower.
Check Analysis > Events > Connections, then Table View of Connections, and search for your test client IP.
See if it actually hits the AMPPOLICY rule or not.
If it hits that, then please make sure you download the test malware using an HTTP connection and not HTTPS.
HTTPS requires SSL decryption. You can also create a test rule to block something (like a URL or IP) to check if it actually works. If it's an ASA with an SFR module, check if the module (service-policy) is configured in inline mode or passive (monitor-only).
Hope it helps,
Yogesh
04-16-2018 05:31 AM
The config is in inline mode, as below:
class-map sfr
match access-list sfr_redirect
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
class sfr
sfr fail-open
!
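Yogesh's check above (is the SFR service-policy inline, or passive with `monitor-only`?) can be automated against a saved running-config. The following is an added example, not code from the thread or from Cisco: it parses the `policy-map global_policy` block pasted above (embedded here as constructed sample text, plus a hypothetical passive variant built from it) and reports whether an `sfr` redirect is present and whether it is inline or monitor-only. The `sfr {fail-open|fail-close} [monitor-only]` syntax is standard ASA syntax; the class name is not assumed, any class under the policy-map is inspected.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the relevant part of the policy-map from the thread.
INLINE_CONFIG = """\
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
 class sfr
  sfr fail-open
!
"""

# Hypothetical passive variant (monitor-only): traffic is copied to the
# module, so nothing is ever blocked even if the AMP policy matches.
PASSIVE_CONFIG = INLINE_CONFIG.replace("sfr fail-open", "sfr fail-open monitor-only")

SFR_RE = re.compile(r"^sfr\s+(fail-open|fail-close)(\s+monitor-only)?$")

def parse_policy_map(config: str, name: str = "global_policy") -> Dict[str, List[str]]:
    """Return {class_name: [action lines]} for the named policy-map only."""
    classes: Dict[str, List[str]] = {}
    in_map = False
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("policy-map"):
            # 'policy-map type inspect ...' has 'type' in position 1, so it
            # never matches a plain policy-map name such as global_policy.
            in_map = line.split()[1] == name
            current = None
            continue
        if not in_map:
            continue
        if line.startswith("class "):
            current = line.split(None, 1)[1]
            classes.setdefault(current, [])
        elif current is not None:
            classes[current].append(line)
    return classes

def sfr_mode(config: str) -> Dict[str, Optional[str]]:
    """mode: 'inline' (can block), 'passive' (monitor-only) or 'absent'."""
    for actions in parse_policy_map(config).values():
        for action in actions:
            m = SFR_RE.match(action)
            if m:
                return {"mode": "passive" if m.group(2) else "inline", "failure": m.group(1)}
    return {"mode": "absent", "failure": None}
```

An "absent" or "passive" result explains a download that is logged but never blocked before checking any Firepower rule.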
04-17-2018 01:37 AM
Config seems correct from ASA redirection point of view. Please check the firewall-engine-debug from CLI or connection events and find which rule the traffic hits.
04-17-2018 04:13 AM
Hi
I would suggest opening a TAC case for further investigation.