06-28-2019 08:58 AM - edited 02-21-2020 09:15 AM
I guess I have some main confusions related to the File/Malware inspection/protection feature on FMC/FTD:
1. From the FMC Configuration Guide for File policies and advanced malware protection here: "A policy can include multiple rules. When you create the rules, ensure that no rule is 'shadowed' by a previous rule." What does shadowed mean? So if I have two rules within one file policy: the first rule is configured with action detect file and the pdf file category; the second one is configured with action block malware and the pdf file category. Is this what the guide refers to as shadowed?
2. If true above, will the second file rule be skipped because the first file rule matches the pdf already, similar to the order of operations in an ACL?
3. If true in #2, why is there no sequence number associated with File rules within one file policy? I do not think the order of rules can be changed either...
4. What should I configure to inspect user internet return traffic for malware? I can easily define an access rule for user internet outbound traffic with malware protection, but will that rule only inspect the user-initiated internet outbound traffic OR will it also inspect the corresponding return traffic from the Internet? Trying to block users from downloading random Exe files on the Internet...
Thanks,
/S
06-15-2021 08:29 AM
I am also interested in a response to this question.
According to three different books about Firepower, the order of the rules is not important.
Also this quote from the Admin Guide implies this:
"A file policy will likely contain multiple rules with different actions for different situations. If more than one rule can apply to a particular situation, the evaluation order described in this topic applies. In general, simple blocking takes precedence over malware inspection and blocking, which takes precedence over simple detection and logging.
The order of precedence of file-rule actions is:
• Block Files
• Block Malware
• Malware Cloud Lookup
• Detect Files"
If I have two overlapping rules with different actions, will both be executed (in the precedence order stated above) or will just the one with the highest order of precedence be executed?
Also what does "shadowing" mean in this case and why is it important to avoid it considering the order of precedence?
If we take the example from the original post, what happens below?
One rule indicates that a file type should be detected
Another rule indicates that the same file type should be blocked if malware is found.
Are both detection and malware lookup events generated for each such file?
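To make the precedence order quoted above concrete, here is an added Python model written for this thread; it is not Cisco's code and not from either post. It assumes the reading that when several file rules match the same file type, the single highest-precedence action (Block Files > Block Malware > Malware Cloud Lookup > Detect Files) decides the outcome, which is exactly the open question in the thread. The rule names and the sample policy (a detect-PDF rule, a block-malware-PDF rule and a block-EXE rule) are constructed for illustration; `always_outranked` lists rules whose action is beaten for every file type they cover, one candidate meaning of "shadowed", offered as an assumption rather than the guide's definition.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, List, Optional, Tuple


class FileAction(IntEnum):
    """File-rule actions; a higher value wins, following the quoted Admin Guide order."""
    DETECT_FILES = 1
    MALWARE_CLOUD_LOOKUP = 2
    BLOCK_MALWARE = 3
    BLOCK_FILES = 4


@dataclass(frozen=True)
class FileRule:
    """One rule in a file policy: the file types it covers and the action it applies."""
    name: str
    file_types: FrozenSet[str]
    action: FileAction


def matching_rules(rules: List[FileRule], file_type: str) -> List[FileRule]:
    """Every rule whose file-type set contains the observed file type (order is irrelevant)."""
    return [r for r in rules if file_type in r.file_types]


def resolve_action(rules: List[FileRule], file_type: str) -> Tuple[Optional[FileAction], List[str]]:
    """Return (winning action, names of the rules carrying it) for a file type.

    Assumption modelled here: of all matching rules, the highest-precedence
    action decides; lower-precedence matches do not also fire.
    """
    matches = matching_rules(rules, file_type)
    if not matches:
        return None, []  # no rule covers this type: file policy does not act on it
    top = max(r.action for r in matches)
    return top, [r.name for r in matches if r.action == top]


def always_outranked(rules: List[FileRule]) -> List[str]:
    """Rules whose action is outranked for every file type they cover.

    Under the precedence model such a rule never decides an outcome; whether
    this is what the guide calls a 'shadowed' rule is an assumption.
    """
    names = []
    for r in rules:
        if not r.file_types:
            continue  # a rule covering nothing is misconfigured, not shadowed
        if all(resolve_action(rules, ft)[0] > r.action for ft in r.file_types):
            names.append(r.name)
    return names


# Constructed sample policy mirroring the thread's example plus an EXE block rule.
# "PDF" and "MSEXE" are used here simply as file-type labels.
EXAMPLE_POLICY = [
    FileRule("detect-pdf", frozenset({"PDF"}), FileAction.DETECT_FILES),
    FileRule("block-malware-pdf", frozenset({"PDF"}), FileAction.BLOCK_MALWARE),
    FileRule("block-exe", frozenset({"MSEXE"}), FileAction.BLOCK_FILES),
]


if __name__ == "__main__":
    for ft in ("PDF", "MSEXE", "DOCX"):
        action, winners = resolve_action(EXAMPLE_POLICY, ft)
        print(f"{ft}: {action.name if action else 'no rule'} via {winners}")
    print("always outranked:", always_outranked(EXAMPLE_POLICY))
```

Running it shows the detect-PDF rule never decides anything once a block-malware rule covers the same file type, which is the situation the original post describes; swapping the two rules' positions in the list changes nothing, since the model matches on precedence rather than on sequence.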