Skip to main content

 

 

Cisco Defense Orchestrator

File Policy Settings in a Firepower Threat Defense Access Control Rule

About File Policy Settings in an Access Control Rule

Use file policies to detect malicious software, or malware, using Advanced Malware Protection for Firepower (AMP for Firepower). You can also use file policies to perform file control, which allows control over all files of a specific type regardless of whether the files contain malware.

AMP for Firepower uses the AMP cloud to retrieve dispositions for possible malware detected in network traffic, and to obtain local malware analysis and file pre-classification updates. The management interface must have a path to the Internet to reach the AMP cloud and perform malware lookups. When the device detects an eligible file, it uses the file's SHA-256 hash value to query the AMP cloud for the file's disposition. The possible dispositions are:

  • Malware—The AMP cloud categorized the file as malware. An archive file (e.g. a zip file) is marked as malware if any file within it is malware.
  • Clean—The AMP cloud categorized the file as clean, containing no malware. An archive file is marked as clean if all files within it are clean.
  • Unknown—The AMP cloud has not assigned a disposition to the file yet. An archive file is marked as unknown if any file within it is unknown.
  • Unavailable—The system could not query the AMP cloud to determine the file's disposition. You may see a small percentage of events with this disposition; this is expected behavior. If you see a number of "unavailable" events in succession, ensure that the Internet connection for the management address is functioning correctly.

License and Action Requirements for File Policies 

Licenses-To add file policies to a rule, you need to enable two licenses on the Firepower Device Manager:

  • Threat license
  • Malware license

Rule action-You can configure file policies on rules that allow traffic only. Inspection is not performed on rules set to trust or block traffic. In addition, if the default action for the access control policy is allow, you can configure an intrusion policy but not a file policy.

Available File Policies for an Access Control Rule

  • None—Do not evaluate transmitted files for malware and do no file-specific blocking. Select this option for rules where file transmissions are trusted or where they are unlikely (or impossible), or for rules where you are confident your application or URL filtering adequately protects your network.
  • Block Malware All—Query the AMP cloud to determine if files traversing your network contain malware, then block files that represent threats.
  • Cloud Lookup All—Query the AMP cloud to obtain and log the disposition of files traversing your network while still allowing their transmission.
  • Block Office Document and PDF Upload, Block Malware Others—Block users from uploading Microsoft Office documents and PDFs. Additionally, query the AMP cloud to determine if files traversing your network contain malware, then block files that represent threats.
  • Block Office Documents Upload, Block Malware Others—Block users from uploading Microsoft Office documents. Additionally, query the AMP cloud to determine if files traversing your network contain malware, then block files that represent threats.

Related Topics