Confusion about File/Malware protection on FMC/FTD

I guess I have some main confusions related to the File/Malware inspection/protection feature on FMC/FTD:

1. From the FMC Configuration Guide for File policies and advanced malware protection: "A policy can include multiple rules. When you create the rules, ensure that no rule is "shadowed" by a previous rule." What does "shadowed" mean? So if I have two rules within one file policy, the first rule configured with action Detect Files and the PDF file category, and the second one configured with action Block Malware and the PDF file category, is this what the guide refers to as shadowed?

2. If #1 is true, will the second file rule be skipped because the first file rule already matches PDF, similar to the order of operation in an ACL?

3. If #2 is true, why is there no sequence number associated with file rules within one file policy? I do not think the order of the rules can be changed either...

4. What should I configure to inspect users' Internet return traffic for malware? I can easily define an access rule for user Internet outbound traffic with malware protection, but will that rule only inspect the user-initiated outbound traffic, OR will it also inspect the corresponding return traffic from the Internet? I am trying to block users from downloading random EXE files from the Internet...

Thanks,

/S