Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2436
Views
0
Helpful
1
Replies

Confusion about File/Malware protection on FMC/FTD

m1xed0s
Spotlight
Spotlight

‎06-28-2019 08:58 AM - edited ‎02-21-2020 09:15 AM

I guess I have some main confusions related to the File/Malware inspection/protection feature on FMC/FTD:

 

1. From FMC Configuration Guide for File policies and advanced malware protection here: "A policy can include multiple rules. When you create the rules, ensure that no rule is "shadowed" by a previous rule.". What does the shadowed mean? So if I have two rules within one file policy: the first rule is configured with action detect file and pdf file category; the second one is configured with action block malware and pdf file category. Is this what guide reference as shadowed?

2. If true above, will the second file rule be skipped because first file rule matches the pdf already, similar like the order of operation in ACL?

3. If true in #2, why there is no sequence number associated with File rules within one file policy? I do not think the order of rules can be changed either...

4. What should I configure to inspect user internet return traffic for malware? I can easily define access rule for user internet outbound traffic with malware protection but will that rule only inspect the user initialized internet outbound traffic OR it will also inspect the corresponding return traffic from Internet? Trying to block user from downloading random Exe files on Internet...

 

Thanks,

/S

2 people had this problem
0 Helpful
1 Reply 1

FredrikW73
Level 1
Level 1

‎06-15-2021 08:29 AM

I am also interested in a response to this question.

 

According to three different books about Firepower, the order of the rules is not important.

Also this quote from the Admin Guide implies this;

 

"A file policy will likely contain multiple rules with different actions for different situations. If more than one
rule can apply to a particular situation, the evaluation order described in this topic applies. In general, simple
blocking takes precedence over malware inspection and blocking, which takes precedence over simple detection
and logging.
The order of precedence of file-rule actions is:
• Block Files
• Block Malware
• Malware Cloud Lookup
• Detect Files"

 

If I have two overlapping rules with different actions, will both be executed (in the precedence order stated above)

or will just the one with highest order of precedence be executed?

 

Also what does "shadowing" mean in this case and why is it important to avoid it considering the order of precedence?

 

I we take the example from the original post what happens below?

One rule indicates that a file type should be detected

An other rule indicates that the same file type should be blocked if malware is found.

Is both detection and malware lookup events generated for each such file?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card