I am also interested in a response to this question.
According to three different books about Firepower, the order of the rules is not important.
Also this quote from the Admin Guide implies this:
"A file policy will likely contain multiple rules with different actions for different situations. If more than one
rule can apply to a particular situation, the evaluation order described in this topic applies. In general, simple
blocking takes precedence over malware inspection and blocking, which takes precedence over simple detection
and logging.
The order of precedence of file-rule actions is:
• Block Files
• Block Malware
• Malware Cloud Lookup
• Detect Files"
If I have two overlapping rules with different actions, will both be executed (in the precedence order stated above)
or will just the one with highest order of precedence be executed?
Also what does "shadowing" mean in this case and why is it important to avoid it considering the order of precedence?
If we take the example from the original post, what happens below?
One rule indicates that a file type should be detected.
Another rule indicates that the same file type should be blocked if malware is found.
Are both detection and malware lookup events generated for each such file?