Cisco Firepower File Policy

ccna_security
Level 3

Hi. I have just configured a Firepower file policy that is responsible for just detecting any file and blocking only encrypted archives when they pass through Firepower. But when I send an encrypted archive from one VLAN to others, it is either sent or blocked, which makes the host get stuck for a while. Please see the added screenshot that depicts my configuration. Please help me to resolve this problem. Moreover, when the host freezes and needs a restart, the blocked archives are seen in the logs, as if they were normally blocked. Please tell me where I made a mistake in the configuration. Thanks in advance

13 Replies

In diagram 1.PNG you have not selected any file; all are unchecked. Also, you need to understand the packet flow in Firepower.

Are you doing decryption on the box too? Please see the diagram; it will help you to build your rule according to the packet flow.


packet_flow.PNG

please do not forget to rate.

Thanks for your prompt reply. In diagram 1.png I have selected all files. When I select them one by one on the left side, it adds all categories (all file types) to the Selected File Categories and Types. Then the check boxes on the left side go back to the default condition (unchecked). I hope I could make it clear to you.


I haven't created a decryption policy yet (SSL policy is none). So decrypting won't work. Do you think that encrypted files must pass through an SSL policy?


Thanks

Thanks for the link you sent. One more thing I want to mention. The encrypted file that is sent is a rar/zip archive file. I read all the materials you sent, but they only teach how to configure a file policy. They also say that if you want to block encrypted archives in the network, check the "Block Encrypted Archives" box. So again, it won't block the archive, or it blocks it but makes the host freeze.

Usually this problem occurs when users attempt to take a password-protected rar/zip archive file from the file server to their computers. Then the aforementioned problem occurs.

Please send me a solution

Could you please confirm that your file policy is married to the ACP policy? Are the source and destination IPs in the same subnet or in different subnets?

What is your default ACP rule?

please do not forget to rate.

Well, I created the file policy that was shown in the previous conversation. Then I applied that file policy to the access rule shown in the attachment. Furthermore, the file server is in a different subnet than my host computer; I mean both of them are not in the same subnet.

Just read in the Cisco documentation:


Detect Files: This action detects a file transfer and logs it as a file event without interrupting the file transfer.


Tip: If you want to block a file, select the Reset Connection option. It allows an application session to close before the connection times out by itself.


Having said that, create your rule like this.


File_policy.PNG


please do not forget to rate.

Thanks so much for your help. I am about to solve the problem using your tips. I will try as you said. If any problem occurs, I will get back to you. Thank you

Did you manage to solve the issue?

please do not forget to rate.

Hi. Unfortunately, it failed again. Let me explain what kind of task I am given exactly. I need to create a file policy that blocks malware for all types of files (including unencrypted archives). Actually, it is easy enough. But the hard part of this task is to block only encrypted archives. If possible, could you please create such a policy on your Firepower and send me a screenshot?

Hi, it took me a long time to read the documentation :)

In order for you to block the encrypted archives you need a Dynamic Analysis check; you will find this under Malware Cloud/Block Malware. Which makes sense, as the encrypted traffic's SHA-256 will be sent to the Cisco cloud to check if the file is legitimate. On the other part, you cannot only block the encrypted files.

I have attached some attachments for your reference.

3.PNG


3.2.PNG

3.3.PNG


3.4.PNG

3.5.PNG

please do not forget to rate.

First of all, I want to say that I really appreciate your assistance. Thanks so much.

I tried again but failed as usual :) Please see the attachment I posted. The Block Malware function for all types of files won't block a password-protected archive that has malware inside it. I have read several documents about file policy but couldn't find any solution. When I send that archive file over a different network, it passes without being inspected or blocked.

I am a beginner in this field, which is why I have difficulty solving the issue. I guess I have configured it correctly, but I am not sure what makes the password-protected archive file pass.


Do you have any idea?
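As an added illustration (not from this thread and not Cisco's code), the script below shows what an inline inspection device can and cannot learn from a password-protected ZIP: the encryption flag in the archive headers is readable without the password, so the archive can be classified as "encrypted", but its contents cannot be decompressed for malware scanning. The sample archives are constructed in the script; the stdlib cannot write password-protected ZIPs, so the "encrypted" sample has only its header flags set.

```python
import io
import struct
import zipfile

# ZIP local file header: signature, version, flags, method, time, date, crc, csize, usize, name len, extra len
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")
LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0: entry is password protected


def zip_entries(data: bytes):
    """Walk the local file headers and yield (name, is_encrypted) for each entry."""
    pos = data.find(LOCAL_SIG)
    while pos >= 0 and pos + LOCAL_HDR.size <= len(data):
        (_, _, flags, _, _, _, _, csize, _, nlen, xlen) = LOCAL_HDR.unpack_from(data, pos)
        name = data[pos + LOCAL_HDR.size : pos + LOCAL_HDR.size + nlen].decode("utf-8", "replace")
        yield name, bool(flags & FLAG_ENCRYPTED)
        # skip name, extra field and compressed payload, then look for the next header
        pos = data.find(LOCAL_SIG, pos + LOCAL_HDR.size + nlen + xlen + csize)


def has_encrypted_entry(data: bytes) -> bool:
    """True if any entry is flagged encrypted; this is visible without the password."""
    return any(enc for _, enc in zip_entries(data))


def can_inspect_contents(data: bytes) -> bool:
    """True if every entry can actually be decompressed, i.e. handed to a scanner."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                zf.read(info)
        return True
    except RuntimeError:  # zipfile raises RuntimeError when a password is required
        return False


def build_plain_zip() -> bytes:
    """Constructed sample: an ordinary ZIP with one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", "quarterly numbers\n" * 20)
    return buf.getvalue()


def build_encrypted_zip() -> bytes:
    """Constructed sample: set the encryption flag in the local and central headers
    of the plain archive (flags at offset 6 and 8 of the respective headers)."""
    data = bytearray(build_plain_zip())
    for sig, off in ((LOCAL_SIG, 6), (CENTRAL_SIG, 8)):
        pos = data.find(sig)
        flags = struct.unpack_from("<H", data, pos + off)[0]
        struct.pack_into("<H", data, pos + off, flags | FLAG_ENCRYPTED)
    return bytes(data)
```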
