
FDM - setting up Variable Set and File Policies

ArielAR
Level 1

Hi,

We have a set of FTDs and are using FDM for management. We found an answer about the Variable Set being a feature that is not available in FDM. However, I am hoping that someone can recommend a smoother workaround to create it there besides the FlexConfig method.

We also would like to create a File Policy via the FDM that we can use for our ACPs as needed. We do have the required licenses enabled (IPS and Malware Defense), and so are the essentials. However, we cannot seem to find a way to create a custom policy that will allow us to define it the way we are able to via an FMC that we also have for a different set of FTDs. For example, select the type of files we would like to include (e.g. PDF, TXT).

Speaking of the licenses, if we don't have internet access in the environment, does enabling the Malware License make any difference at all? Based on what we had read, it uses AMP cloud for file checks/dispositions, etc. Hence, it will not reach the AMP cloud to perform the task. How does the Malware License tie in with the AMP Cloud in general? If it is enabled but there is no internet access, does FDM have a built-in database that it can use for file checking, etc.? If yes, how is it updated?

At the moment, the only File policies available to us are "None", "Block Malware All", and "Malware Cloud Lookup - No Block".

Looking forward to your recommendations and suggestions, and thank you so very much in advance.

 


nspasov
Cisco Employee

If you need an easy way to configure the items that you mentioned then using the centralized manager (FMC) is the way to go. For your 2nd question: If you want to have malware protection and analysis in an air-gapped environment, then you will need to consider private cloud appliance/s for Advanced Malware Protection and/or Malware Analytics.

Thank you for rating helpful posts!


ArielAR
Level 1

Thank you for your reply, nspasov,
Understood on the answer for the first question. Following up on the second question, about enabling the Malware License: if we are in an air-gapped environment, does it make a difference if we enable it or not? If enabled, what does it do, what feature does it enable, if anything at all? If we set it to "Block Malware All" and the Malware License is enabled, does it mean it will evaluate and block any file that goes through the traffic? What will it check against by default?

By default, Malware file analysis uses the Cisco cloud-based service. If you have an air-gapped environment, the service would not be available and the license (with associated file policy) would not be usable.

There is an option to run "AMP Private Cloud" on premises and integrate it into an FMC-managed deployment. However, that is a separately licensed and deployed product. When used, it provides a subset of the cloud-based services.

nspasov
Cisco Employee

A few things to add to @Marvin Rhoads' excellent answer:

  1. The File Policy can be used to detect and control file transmission, which is independent of malware analysis and protection. E.g., block PDFs.
  2. "Local Malware Analysis" does not require internet connectivity, but as a result, its capabilities are limited.

This and more information is well captured in the configuration guide: https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/770/management-center-device-config-77/network-malware-protection.html#concept_9CE3D1F1572541C695CE5C7682780311

Thank you for rating helpful posts!

 
