Malware & File Policy: Should I trust internal files?

DannyDulin
Level 1

We are constantly receiving the Health Monitoring message "AMP for Network Status - Successfully connected to cloud. FTD1: Number of files detected in traffic exceeds module threshold."

We believe this is due to File Sharing between our hosts and our File Server behind our FW. Every time a host opens a file, and every time that file is modified and saved etc., the Firepower sees the file as new and unknown and it sends the file up to AMP cloud for inspection.

This didn't begin to happen until we moved our File Servers behind the FW.

Has anyone experienced this?

Is it best practice to not apply Malware & File policy to traffic between our agency hosts and our agency FW?


1 Reply

Marvin Rhoads
Hall of Fame

You are usually much better off using endpoint detection and response (like Cisco Secure Endpoint, formerly known as AMP for Endpoints) to monitor internal hosts' file activity. Applying a file policy like you describe will indeed exceed the threshold when it's done in an "east-west" type of firewall setup such as you describe.
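As an added example (not from this thread and not Cisco tooling) of the check the advice above implies: a small audit over a constructed rule list, in the shape of an FMC access-control rule export, that flags rules applying a file policy to internal-to-internal (east-west) traffic. Zone names, rule names and the export shape are assumptions.

```python
# Added example (not from the thread): audit a constructed list of
# access-control rules and flag those that attach a file/malware policy
# to east-west (internal-to-internal) traffic, which the thread says
# trips the "files detected exceeds module threshold" health alert.
# Zone and rule names below are constructed for illustration.

INTERNAL_ZONES = {"inside", "servers", "users"}   # assumed zone names

# Constructed rules in the shape of an FMC access-control rule export:
# name, source zones, destination zones, attached file policy or None
RULES = [
    {"name": "Users-to-FileServer", "src": {"users"}, "dst": {"servers"},
     "file_policy": "Block Malware"},
    {"name": "Users-to-Internet", "src": {"users"}, "dst": {"outside"},
     "file_policy": "Block Malware"},
    {"name": "Servers-to-Servers", "src": {"servers"}, "dst": {"servers"},
     "file_policy": None},
    {"name": "Catch-all", "src": {"any"}, "dst": {"any"},
     "file_policy": "Block Malware"},
]


def is_east_west(src, dst, internal=INTERNAL_ZONES):
    """True when the rule can match internal-to-internal flows.

    A zone of "any" is treated conservatively: it can match internal
    traffic, so the rule is reported as east-west capable.
    """
    src_internal = "any" in src or src <= internal
    dst_internal = "any" in dst or dst <= internal
    return src_internal and dst_internal


def east_west_file_policy_rules(rules, internal=INTERNAL_ZONES):
    """Return names of rules that apply a file policy to east-west traffic.

    These are the candidates for moving file inspection to the endpoint
    (EDR) and dropping the file policy from the firewall rule.
    """
    return [r["name"] for r in rules
            if r["file_policy"] and is_east_west(r["src"], r["dst"], internal)]


if __name__ == "__main__":
    for name in east_west_file_policy_rules(RULES):
        print(f"file policy on east-west rule: {name}")
```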
