Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 33 Blocking Malware and Prohibited Files
Understanding and Creating File Policies
The policy has two access control rules, both of which use the Allow action and are associated with file policies. The policy’s default action is also to allow traffic, but without file policy inspection. In this scenario, traffic is handled as follows:
• Traffic that matches Rule 1 is inspected by File Policy A.
• Traffic that does not match Rule 1 is evaluated against Rule 2. Traffic that matches Rule 2 is inspected by File Policy B.
• Traffic that does not match either rule is allowed; you cannot associate a file policy with the default action.
A file policy, like its parent access control policy, contains rules that determine how the system handles 
files that match the conditions of each rule. You can configure separate file rules to take different actions 
for different file types, application protocols, or directions of transfer.
Once a file matches a rule, the rule can:
• allow or block files based on simple file type matching
• block files based on Malware file disposition
• store captured files to the device
• submit captured files for dynamic analysis
In addition, the file policy can:
• automatically treat a file as if it is clean or malware based on entries in the clean list or custom detection list
• treat a file as if it is malware if the file’s threat score exceeds a configurable threshold
You can associate a single file policy with an access control rule whose action is Allow, Interactive Block, or Interactive Block with reset. The system then uses that file policy to inspect network traffic that meets the conditions of the access control rule. By associating file policies with individual access control rules, you have granular control over how you identify and block files transmitted on your network. In other words, this association tells the system that before it passes traffic that matches an access control rule’s conditions, you first want to inspect the traffic with a file policy.
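The two-rule scenario and the file rule actions described above, worked through as an added Python model. This is illustration code written for this page, not Cisco or Sourcefire code: the data structures, the "unknown"/"clean"/"malware" disposition labels, the 0..100 threat-score scale, the precedence among the custom detection list, clean list and threat-score threshold, and the assumption that a file matching no file rule passes are all assumptions, not the product's documented behaviour. The hashes and rule sets are constructed sample values.

```python
# Added illustration for this page (not Cisco/Sourcefire code). Models how
# access control rules select a file policy and how that policy's rules, clean
# list, custom detection list and threat-score threshold decide a file's fate.
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class FileRule:
    file_types: set                 # file type categories the rule covers, e.g. {"EXE"}
    protocols: set                  # application protocols; empty set means any
    direction: str                  # "upload", "download" or "any"
    action: str                     # "allow", "block" or "block_malware"
    store: bool = False             # store captured files to the device
    dynamic_analysis: bool = False  # submit captured files for dynamic analysis


@dataclass
class FilePolicy:
    name: str
    rules: list
    clean_list: set = field(default_factory=set)             # SHA-256 values treated as clean
    custom_detection_list: set = field(default_factory=set)  # SHA-256 values treated as malware
    threat_score_threshold: Optional[int] = None             # score above this counts as malware


@dataclass
class AccessRule:
    name: str
    matches: Callable[[dict], bool]  # predicate over connection attributes
    action: str                      # "allow" in this scenario
    file_policy: Optional[FilePolicy] = None


@dataclass
class FileEvent:
    sha256: str
    file_type: str
    protocol: str
    direction: str
    disposition: str        # cloud lookup result: "clean", "malware" or "unknown" (labels assumed)
    threat_score: int = 0   # dynamic analysis score, 0..100 (scale assumed)


def select_file_policy(rules, default_action, conn):
    """First matching access control rule wins; the default action never carries a file policy."""
    for r in rules:
        if r.matches(conn):
            return r.name, r.action, r.file_policy
    return "default", default_action, None


def effective_disposition(policy, f):
    """Lists override the cloud disposition; a threat score above the threshold escalates
    to malware. The precedence (custom detection, clean list, threshold) is an assumption."""
    if f.sha256 in policy.custom_detection_list:
        return "malware"
    if f.sha256 in policy.clean_list:
        return "clean"
    if policy.threat_score_threshold is not None and f.threat_score > policy.threat_score_threshold:
        return "malware"
    return f.disposition


def evaluate_file(policy, f):
    """Return (verdict, matched FileRule or None). A file matching no rule passes (assumed)."""
    for rule in policy.rules:
        if f.file_type not in rule.file_types:
            continue
        if rule.protocols and f.protocol not in rule.protocols:
            continue
        if rule.direction != "any" and rule.direction != f.direction:
            continue
        if rule.action in ("allow", "block"):
            return rule.action, rule
        # "block_malware": the file's effective disposition decides
        return ("block" if effective_disposition(policy, f) == "malware" else "allow"), rule
    return "allow", None


def handle(rules, default_action, conn, f):
    """End to end: choose the access control rule, then inspect the file if a policy applies."""
    rule_name, action, policy = select_file_policy(rules, default_action, conn)
    if policy is None:
        return {"rule": rule_name, "policy": None, "verdict": action}
    verdict, _ = evaluate_file(policy, f)
    return {"rule": rule_name, "policy": policy.name, "verdict": verdict}


# Constructed scenario mirroring the page: two Allow rules with file policies, default Allow.
POLICY_A = FilePolicy("File Policy A", rules=[
    FileRule({"EXE"}, {"HTTP"}, "download", "block"),
    FileRule({"PDF"}, set(), "any", "block_malware", store=True, dynamic_analysis=True),
], threat_score_threshold=75)
POLICY_B = FilePolicy("File Policy B", rules=[
    FileRule({"PDF", "EXE"}, {"SMTP"}, "any", "block_malware"),
], custom_detection_list={"cc" * 32}, clean_list={"aa" * 32})
ACCESS_RULES = [
    AccessRule("Rule 1", lambda c: c["protocol"] == "HTTP", "allow", POLICY_A),
    AccessRule("Rule 2", lambda c: c["protocol"] == "SMTP", "allow", POLICY_B),
]
DEFAULT_ACTION = "allow"

if __name__ == "__main__":
    sample = FileEvent("11" * 32, "EXE", "HTTP", "download", "unknown")
    print(handle(ACCESS_RULES, DEFAULT_ACTION, {"protocol": "HTTP"}, sample))
```

The model makes the page's two structural points visible: the access control rule match happens first and fixes which file policy, if any, inspects the file, and traffic that only reaches the default action is never file-inspected at all, however suspicious the file. Within a policy, a file that hits a plain block rule is dropped regardless of disposition, while a block-malware rule lets the lists and the threat-score threshold change the outcome.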