Cisco Firepower Management Center 4000
33-10
FireSIGHT System User Guide
Chapter 33 Blocking Malware and Prohibited Files
Understanding and Creating File Policies
The policy has two access control rules, both of which use the Allow action and are associated with file
policies. The policy’s default action is also to allow traffic, but without file policy inspection. In this
scenario, traffic is handled as follows:
• Traffic that matches Rule 1 is inspected by File Policy A.
• Traffic that does not match Rule 1 is evaluated against Rule 2. Traffic that matches Rule 2 is inspected by File Policy B.
• Traffic that does not match either rule is allowed; you cannot associate a file policy with the default action.
A file policy, like its parent access control policy, contains rules that determine how the system handles
files that match the conditions of each rule. You can configure separate file rules to take different actions
for different file types, application protocols, or directions of transfer.
Once a file matches a rule, the rule can:
• allow or block files based on simple file type matching
• block files based on Malware file disposition
• store captured files to the device
• submit captured files for dynamic analysis
In addition, the file policy can:
• automatically treat a file as if it is clean or malware based on entries in the clean list or custom detection list
• treat a file as if it is malware if the file’s threat score exceeds a configurable threshold
You can associate a single file policy with an access control rule whose action is Allow, Interactive Block, or Interactive Block with reset. The system then uses that file policy to inspect network traffic that meets the conditions of the access control rule. By associating file policies with individual access control rules, you have granular control over how you identify and block files transmitted on your network. In other words, this association tells the system that before it passes traffic that matches an access control rule’s conditions, you first want to inspect the traffic with a file policy.
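The rule-ordering and disposition logic described in this section, as an added Python model written for this page. It is not Cisco code and calls no Cisco API: the class and function names (AccessRule, FilePolicy, FileRule, evaluate_flow, SCENARIO_RULES), the sample flows, SHA-256 values, threat scores and cloud dispositions are all constructed for illustration. The model makes two points explicit that are easy to miss in the prose: a flow that falls through to the default action is never file-inspected, even when the file's cloud disposition is Malware, and a rule whose action is Block cannot carry a file policy at all.

```python
"""Hypothetical model of FireSIGHT access control rule -> file policy evaluation.
Added for this page; not Cisco code. All names and sample data are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Only these access control actions may carry a file policy (per the guide).
FILE_POLICY_ACTIONS = {"Allow", "Interactive Block", "Interactive Block with reset"}


@dataclass
class FileRule:
    file_types: set                 # e.g. {"EXE"}; empty set = any type
    app_protocols: set              # e.g. {"HTTP", "SMTP"}; empty set = any protocol
    direction: str                  # "upload", "download" or "any"
    action: str                     # "detect", "block", "malware_lookup", "malware_block"
    store: bool = False             # store the captured file on the device
    dynamic_analysis: bool = False  # submit the captured file for dynamic analysis

    def matches(self, flow: dict) -> bool:
        return ((not self.file_types or flow["file_type"] in self.file_types)
                and (not self.app_protocols or flow["protocol"] in self.app_protocols)
                and self.direction in ("any", flow["direction"]))


@dataclass
class FilePolicy:
    name: str
    rules: list
    clean_list: set = field(default_factory=set)             # SHA-256 hex digests
    custom_detection_list: set = field(default_factory=set)  # SHA-256 hex digests
    threat_score_threshold: Optional[int] = None             # None = disabled

    def disposition(self, flow: dict) -> str:
        """ASSUMPTION: custom detection list first, then clean list, then the
        threat-score threshold; the guide does not state the precedence."""
        if flow["sha256"] in self.custom_detection_list:
            return "Malware"
        if flow["sha256"] in self.clean_list:
            return "Clean"
        if (self.threat_score_threshold is not None
                and flow.get("threat_score", 0) > self.threat_score_threshold):
            return "Malware"
        return flow.get("cloud_disposition", "Unknown")

    def evaluate(self, flow: dict) -> dict:
        """First matching file rule decides; no matching rule = file passes."""
        for rule in self.rules:
            if not rule.matches(flow):
                continue
            out = {"verdict": "allow", "stored": rule.store,
                   "dynamic_analysis": rule.dynamic_analysis, "disposition": None}
            if rule.action == "block":                       # simple type match
                out["verdict"] = "block"
            elif rule.action in ("malware_lookup", "malware_block"):
                out["disposition"] = self.disposition(flow)
                if rule.action == "malware_block" and out["disposition"] == "Malware":
                    out["verdict"] = "block"
            return out
        return {"verdict": "allow", "stored": False, "dynamic_analysis": False,
                "disposition": None}


@dataclass
class AccessRule:
    name: str
    match: Callable[[dict], bool]
    action: str                              # "Allow", "Block", "Interactive Block", ...
    file_policy: Optional[FilePolicy] = None

    def __post_init__(self):
        if self.file_policy is not None and self.action not in FILE_POLICY_ACTIONS:
            raise ValueError(f"{self.name}: a {self.action!r} rule cannot carry a file policy")


def evaluate_flow(rules: list, flow: dict, default_action: str = "allow") -> dict:
    """Walk the ordered access control rules; the first match wins."""
    for rule in rules:
        if not rule.match(flow):
            continue
        if rule.action == "Block" or rule.file_policy is None:
            verdict = "block" if rule.action == "Block" else "allow"
            return {"rule": rule.name, "file_policy": None, "verdict": verdict}
        result = rule.file_policy.evaluate(flow)
        return {"rule": rule.name, "file_policy": rule.file_policy.name, **result}
    # The default action cannot carry a file policy, so nothing inspects the file.
    return {"rule": None, "file_policy": None, "verdict": default_action}


# Constructed scenario: two Allow rules, each with its own file policy.
POLICY_A = FilePolicy("File Policy A", rules=[
    FileRule({"EXE"}, {"HTTP"}, "download", "malware_block", store=True, dynamic_analysis=True),
    FileRule({"PDF"}, set(), "any", "malware_lookup"),
], clean_list={"c1" * 32}, custom_detection_list={"d1" * 32}, threat_score_threshold=75)
POLICY_B = FilePolicy("File Policy B", rules=[FileRule({"EXE"}, {"SMTP"}, "any", "block")])
SCENARIO_RULES = [
    AccessRule("Rule 1", lambda f: f["protocol"] == "HTTP", "Allow", POLICY_A),
    AccessRule("Rule 2", lambda f: f["protocol"] == "SMTP", "Allow", POLICY_B),
]


def flow(protocol, file_type, direction, sha256="aa" * 32, **extra) -> dict:
    """Build a constructed sample flow carrying one file."""
    return {"protocol": protocol, "file_type": file_type, "direction": direction,
            "sha256": sha256, **extra}


if __name__ == "__main__":
    for f in (flow("HTTP", "EXE", "download", threat_score=90),
              flow("SMTP", "EXE", "upload"),
              flow("FTP", "EXE", "download", cloud_disposition="Malware")):
        print(f["protocol"], f["file_type"], "->", evaluate_flow(SCENARIO_RULES, f))
```

The last sample flow is the one to watch: FTP matches neither rule, so it hits the default action and leaves with "verdict": "allow" and no file policy, even though its constructed cloud disposition is Malware. If that traffic matters, it needs an Allow rule of its own with a file policy attached. The precedence among the custom detection list, the clean list and the threat-score threshold is an assumption of this model, not something the guide specifies.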