ASA with Firepower - Malware config best practice

dclee
Level 1

Just recently went live with the new Sourcefire module on our prod ASA (5555X). That has gone well :)

We are licensed for the malware protection service as well.

Currently there is a file policy in place to "detect" all file categories.

Would like to enable malware protection and have it block at the edge...

My question is: do I create another file policy rule below the detect rule and set the action for all file types to "Block Malware"?

Do I need to be concerned about the load on the SFR module if I do this for all file types?

Is there any way on the module to only detect malware as a trial run before I decide to block it all?

Any help would be appreciated.

Cheers


Dave

1 Reply

atatistc
Cisco Employee

Here are some things to consider.

First, is the file detection giving you any actionable intel? All it does is tell you the types of files flying around the network. If you're not using these events, then you might remove the detection rule.

You would probably do the malware detection in the same file policy. File policy rules are "unordered", so it doesn't matter where they are on the list. That being said, they do have precedence. For example, if you have a file rule that says "block PDFs" and another rule that says "perform malware detection on PDFs", these will conflict and the policy will tell you so (you can't block PDFs and still check if they're malware).

As for file types, you will get better performance if you don't select all the file types and protocols. However, we usually start with all of them and reduce if necessary later.

Yes, you can detect malware first and then block malware later. These are checkboxes in the file policy rules.
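To make the rule interactions in the reply concrete, here is an added toy model of a file policy (example code written for this page, not Cisco's or Firepower's implementation). It assumes four rule actions named after the ones discussed above, flags the "block PDFs" versus "malware-check PDFs" conflict, and shows the staged rollout of running malware lookup in detect-only mode before promoting the same rules to block. The precedence order used (block files, then block malware, then lookup, then detect) is an assumption of this model.

```python
"""Toy model of file-policy rule interaction (constructed illustration,
not Firepower code). Rule actions are named after the ones in the thread."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Assumed action names; the real product exposes these as rule actions / checkboxes.
DETECT_FILES = "detect_files"            # log the file type only
BLOCK_FILES = "block_files"              # drop the file type outright
MALWARE_LOOKUP = "malware_cloud_lookup"  # "detect malware": lookup + log, no block
BLOCK_MALWARE = "block_malware"          # lookup + drop if disposition is malware


@dataclass(frozen=True)
class FileRule:
    file_types: FrozenSet[str]   # e.g. {"PDF", "MSEXE"}
    action: str


def find_conflicts(rules: List[FileRule]) -> List[Tuple[FileRule, FileRule, FrozenSet[str]]]:
    """Return (blocking_rule, malware_rule, shared_types) for every pair where one
    rule blocks a file type outright while another wants to malware-check it.
    That is the conflict the reply describes: you can't block PDFs and still
    inspect them for malware."""
    conflicts = []
    for blocker in rules:
        if blocker.action != BLOCK_FILES:
            continue
        for other in rules:
            if other.action in (MALWARE_LOOKUP, BLOCK_MALWARE):
                shared = blocker.file_types & other.file_types
                if shared:
                    conflicts.append((blocker, other, shared))
    return conflicts


def evaluate(rules: List[FileRule], file_type: str, disposition: str) -> str:
    """Decide the fate of one observed file: 'blocked', 'logged' or 'allowed'.
    Rules are unordered; the most restrictive matching action wins (assumed
    precedence: block_files > block_malware > malware_cloud_lookup > detect_files).
    `disposition` is the lookup verdict, 'malware' or 'clean' (constructed)."""
    matching = [r for r in rules if file_type in r.file_types]
    if not matching:
        return "allowed"
    actions = {r.action for r in matching}
    if BLOCK_FILES in actions:
        return "blocked"
    if BLOCK_MALWARE in actions and disposition == "malware":
        return "blocked"
    # Any remaining match (detect, lookup, or block_malware on a clean file)
    # produces a file event but lets the transfer through.
    return "logged"


def promote_to_block(rules: List[FileRule]) -> List[FileRule]:
    """Staged rollout: after a detect-only trial, flip malware lookup rules to
    block malware without touching the rest of the policy."""
    return [
        FileRule(r.file_types, BLOCK_MALWARE) if r.action == MALWARE_LOOKUP else r
        for r in rules
    ]


if __name__ == "__main__":
    # Constructed policy: detect everything, malware-check executables and PDFs.
    trial = [
        FileRule(frozenset({"PDF", "MSEXE", "ZIP"}), DETECT_FILES),
        FileRule(frozenset({"PDF", "MSEXE"}), MALWARE_LOOKUP),
    ]
    print("conflicts in trial policy:", find_conflicts(trial))
    print("trial, malicious PDF:", evaluate(trial, "PDF", "malware"))
    live = promote_to_block(trial)
    print("live, malicious PDF:", evaluate(live, "PDF", "malware"))
    print("live, clean PDF:", evaluate(live, "PDF", "clean"))
```

The `find_conflicts` check mirrors the warning the policy editor gives you; the `trial` / `live` split is the "detect first, block later" sequence from the reply, expressed as a change of one rule action rather than a new rule.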
