Firepower file inspection/malware detection rule placement

willb1
Level 1

I'm confused as to where to place this rule. From my understanding, there should be an allow rule with the File Policy configured to use the associated Malware & File policy. However, the rest of the configuration of that rule is set to allow any any.

There are other allow and block rules in the policy with the policy default action set to block all traffic. The last rule in the ACP is to allow all traffic outbound and inspect.

With that in mind, where should the file inspection policy be placed?

1 Accepted Solution


ccieexpert
Level 3

File/malware policy is applied to a regular access control rule.

The most important would be for inbound to outbound rules, like users browsing to a website and downloading files etc., which can be inspected for malware.

But keep in mind that 90% or above is encrypted, so unless you are doing SSL decryption, the malware inspection will not kick in.


7 Replies

Gotcha. Thank you!

Do you want another opinion here?

MHM

Absolutely

Thank you, that's very helpful! I located that PDF and will review it.

You are so welcome
MHM
