03-29-2018 05:39 PM - edited 02-21-2020 07:34 AM
I am running an ASA5506 with Firepower and FMC 6.2.2.2, and have a question about how rules interact. Please pardon me if this has been asked and answered. I searched through the posts but did not see an answer.
My question is about inspecting the same traffic for both Intrusion AND File/Malware. If I create two rules (in one access control policy), one a file rule allowing all traffic for file inspection, and a second rule that allows all traffic for Intrusion inspection, it appears that only one is examining traffic.
If I put the intrusion rule above the file rule in the access control policy, all of the blocks shown in the Connection Events page are "Intrusion Blocks". If I put the file rule above the intrusion rule, all of the blocks are "File Blocks".
And if I put both the intrusion and file policies into one rule, I only ever see "Intrusion Blocks". My concern is that traffic is either being inspected for file/malware OR intrusion, but not both.
Is my concern unfounded, and if so, why do I not see a mix of block types?
Thanks in advance for your help.
03-30-2018 01:24 AM
Hi Pat,
It would really depend on the content of the packet. If the intrusion and file policies are in the same access rule, the file policy would be applied only after Firepower inspects some portion of the stream and calculates the SHA value of the file. If during that time the intrusion rule is able to determine something based on either header info or packet data info, it would be triggered before the file policy calculates the SHA and validates whether it's malicious or not.
I would suggest placing the intrusion policy in IDS mode (disable drop when inline) for testing and using it along with the file policy rule.
Hope that helps,
Yogesh
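The behaviour both posts describe, as a toy model added here (not Cisco code, and not from either poster): an access control policy hands each connection to exactly one rule, chosen top-down by first match, and only that rule's attached policies inspect the flow. Rule matching, the flow attributes (`exploit_signature`, `file_malicious`) and the sample flows are all constructed for the example; the intrusion-before-file ordering inside one rule follows the reply above.

```python
# Added example: a toy model of how an FMC access control policy picks ONE rule
# per connection (top-down, first match) and then applies only that rule's
# inspection. Not Cisco code; matching and inspection are deliberately simplified.
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class AccessRule:
    name: str
    dst_port: Optional[int] = None      # None = match any destination port
    intrusion_policy: bool = False      # an intrusion policy is attached
    file_policy: bool = False           # a file/malware policy is attached

    def matches(self, flow: "Flow") -> bool:
        return self.dst_port is None or self.dst_port == flow.dst_port


@dataclass(frozen=True)
class Flow:
    label: str
    dst_port: int
    exploit_signature: bool = False     # constructed: would trip an IPS rule
    carries_file: bool = False
    file_malicious: bool = False        # constructed: file SHA lookup says malware


def select_rule(rules: Sequence[AccessRule], flow: Flow) -> Optional[AccessRule]:
    """Top-down, first-match: a flow is handled by exactly one access rule."""
    for rule in rules:
        if rule.matches(flow):
            return rule
    return None


def inspect(rules: Sequence[AccessRule], flow: Flow) -> str:
    """Return the block type a connection event would show, or 'Allow'."""
    rule = select_rule(rules, flow)
    if rule is None:
        return "Allow"                  # default action, simplified
    # Intrusion inspection works on headers/packet data as the stream arrives,
    # so it can fire before the file policy has enough of the file to hash it.
    if rule.intrusion_policy and flow.exploit_signature:
        return "Intrusion Block"
    if rule.file_policy and flow.carries_file and flow.file_malicious:
        return "File Block"
    return "Allow"


def summarize(rules: Sequence[AccessRule], flows: Sequence[Flow]) -> Counter:
    """Count verdicts per block type, like the Connection Events summary."""
    return Counter(inspect(rules, f) for f in flows)


# Constructed sample traffic: an exploit attempt, a malware download,
# a download that is both, and a clean file transfer.
FLOWS = (
    Flow("exploit", 80, exploit_signature=True),
    Flow("malware-download", 80, carries_file=True, file_malicious=True),
    Flow("exploit+malware", 80, exploit_signature=True,
         carries_file=True, file_malicious=True),
    Flow("clean", 443, carries_file=True),
)

INTRUSION_RULE = AccessRule("allow-any-ips", intrusion_policy=True)
FILE_RULE = AccessRule("allow-any-files", file_policy=True)
COMBINED_RULE = AccessRule("allow-any-ips-and-files",
                           intrusion_policy=True, file_policy=True)

if __name__ == "__main__":
    layouts = (
        ("intrusion rule above file rule", (INTRUSION_RULE, FILE_RULE)),
        ("file rule above intrusion rule", (FILE_RULE, INTRUSION_RULE)),
        ("both policies on one rule", (COMBINED_RULE,)),
    )
    for title, rules in layouts:
        print(f"{title}: {dict(summarize(rules, FLOWS))}")
```

With two separate any/any rules, the second rule never sees a packet, so the malware download in the first layout is simply allowed and the exploit in the second layout is simply allowed; only one block type can ever appear. With both policies on one rule, the flow that trips an intrusion rule and also carries malware is reported as an Intrusion Block because that verdict is reached first, which is why a mix of block types only shows up when some flows are caught solely by the file policy.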