
Cisco FTD Block Encrypted Archive failed

adnanbiek1
Level 1

Hi everyone.

I have a problem with Cisco FTD when I want to block encrypted or password-protected archive files like RAR or ZIP.

I have configured FTD to block encrypted archives in the AMP(File) Policy and attached it to the ACP, but it is not working. All encrypted archives pass through the firewall. Blocking by file format is working. For example, when I block RAR files, they are blocked, but for encrypted archives it is not working.

Thanks so much for any advice or help in solving my problem.

3 Replies

marce1000
VIP

 

 -  Make sure that you have enabled the "Inspect Archive Files" option in the Advanced tab of the AMP(File) Policy. This option must be enabled in order for the firewall to inspect encrypted archives.

Make sure that you have selected the "Block encrypted and uninspectable archive files" option in the Advanced tab of the AMP(File) Policy. This option will cause the firewall to block all encrypted archives, even if they cannot be fully inspected.

Make sure that the AMP(File) Policy is attached to the appropriate Access Control Policy (ACP). The ACP must be applied to the traffic that is carrying the encrypted archives.

Make sure that the firewall has the necessary licenses for malware protection. Malware protection is required to block encrypted archives.

If you have checked all of these things and you are still having problems blocking encrypted archives, you can contact Cisco support for further assistance.

Here are some additional things to keep in mind when blocking encrypted archives on Cisco FTD:

Encrypted archives can be large, so it may take some time for the firewall to inspect them.

The firewall may not be able to fully inspect all encrypted archives. In these cases, the firewall will block the archive even if it does not contain malware.

You can use the "Store Files" option in the AMP(File) Policy to store encrypted archives on the firewall for further analysis. This can be helpful if you need to investigate a suspicious archive.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

I had made the settings related to Inspect Archive Files and Block encrypted and uninspectable archive files. As you mentioned, this setting blocked almost all compressed files. On the other hand, when we remove the uninspectable archive files setting, the encrypted compressed files are not blocked by the firewall even though they are blocked in the policy. It seems that the firewall cannot detect that this file is encrypted. In addition, the firewall has the Malware Protection license and the AMP Policy is set in the ACP. Saving the compressed files that the firewall cannot check was a good way, but sending the file to the relevant user after the final check requires a lot of effort for the organization's IT team. You said that the firewall needs more time to check even though the compressed files may be large. Is it possible to set this time so that the firewall can check all compressed files?

Thanks so much for your time.

 

> ... Is it possible to set this time so that the firewall can check all compressed files?

 - I don't have any knowledge on that, you may want to ask TAC.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '
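
An added example, not part of the thread and not Cisco code: when testing a file policy like the one discussed above, it helps to confirm which entries of a test ZIP are actually flagged as encrypted in their headers, since an archive can mix encrypted and plain entries. The sketch covers ZIP only (general-purpose flag bit 0); `classify_zip` and `build_sample` are hypothetical names, and the sample archives are constructed.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x0001  # ZIP general-purpose flag bit 0: entry data is encrypted


def classify_zip(data: bytes) -> str:
    """Classify an archive as not-zip, plain, mixed or encrypted from entry flags."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-zip"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        flags = [bool(i.flag_bits & ENCRYPTED) for i in zf.infolist() if not i.is_dir()]
    if not any(flags):
        return "plain"
    return "encrypted" if all(flags) else "mixed"


def build_sample(entries: dict[str, bool]) -> bytes:
    """Constructed test input: a ZIP whose chosen entries carry the encrypted flag.

    The payload is not really encrypted; only the header flag is set, which is
    all a header-level check looks at.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            info = zipfile.ZipInfo(name, date_time=(2024, 1, 1, 0, 0, 0))
            zf.writestr(info, b"constructed sample")
    raw = bytearray(buf.getvalue())
    eocd = raw.rindex(b"PK\x05\x06")  # end-of-central-directory record
    (pos,) = struct.unpack_from("<I", raw, eocd + 16)  # central directory offset
    for marked in entries.values():
        name_len, extra_len, comment_len = struct.unpack_from("<3H", raw, pos + 28)
        if marked:
            (local,) = struct.unpack_from("<I", raw, pos + 42)
            for off in (pos + 8, local + 6):  # flags in central and local header
                (flags,) = struct.unpack_from("<H", raw, off)
                struct.pack_into("<H", raw, off, flags | ENCRYPTED)
        pos += 46 + name_len + extra_len + comment_len
    return bytes(raw)


if __name__ == "__main__":
    specs = {"plain": {"a.txt": False}, "mixed": {"a.txt": False, "b.txt": True},
             "encrypted": {"a.txt": True}}
    for label, spec in specs.items():
        print(label, "->", classify_zip(build_sample(spec)))
```
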