I am running an ASA5506 with Firepower and FMC 184.108.40.206, and have a question about how rules interact. Please pardon me if this has been asked and answered. I searched through the posts but did not see an answer.
My question is about inspecting the same traffic for both Intrusion AND File/Malware. If I create two rules (in one access control policy), one a file rule allowing all traffic for file inspection, and a second rule that allows all traffic for Intrusion inspection, it appears that only one is examining traffic.
If I put the intrusion rule above the file rule in the access control policy, all of the blocks shown in the Connection Events page are "Intrusion Blocks". If I put the file rule above the intrusion rule, all of the blocks are "File Blocks".
And if I put both the intrusion and file policies into one rule, I only ever see "Intrusion Blocks". My concern is that traffic is either being inspected for file/malware OR intrusion, but not both.
Is my concern unfounded, and if so, why do I not see a mix of block types?
It would really depend on the content of the packet. If the intrusion and file policies are in the same access rule, the file policy would be applied only after Firepower inspects some portion of the stream and calculates the SHA value of the file. If during that time the intrusion rule is able to determine something based on either header info or packet data info, it would be triggered before the file policy calculates the SHA and validates whether it is malicious or not.
I would suggest placing the intrusion policy in IDS mode (disable drop when inline) for testing and using it along with the file policy rule.
So if I am understanding you correctly, BOTH Intrusion inspection AND Malware inspection will be performed on traffic with no Malware or Intrusion matches.
On the other hand, if traffic contains BOTH Malware AND an Intrusion signature, it may be dropped for one reason or the other, depending on which abnormality (Malware or Intrusion) is identified first.
My objective is to inspect all traffic for both Malware and Intrusion, and it sounds like that is indeed happening. Please correct me if I am wrong.