Deep Inspection Using File and Intrusion Policies

Deep inspection uses intrusion and file policies as the last line of defense before traffic is allowed to its destination.

Access control occurs before deep inspection; access control rules and the access control default action determine which traffic is inspected by intrusion and file policies.

By associating an intrusion or file policy with an access control rule, you are telling the system that before it passes traffic that matches the access control rule’s conditions, you first want to inspect the traffic with an intrusion policy, a file policy, or both.

In an access control policy, you can associate one intrusion policy with each Allow and Interactive Block rule, as well as with the default action. Every unique pair of intrusion policy and variable set counts as one policy.
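The audit sketch below is an added example, not vendor code: it counts the unique intrusion policy and variable set pairs used by the rules and the default action, and flags Allow rules that pass traffic with no deep inspection. The rule records, field names and policy names are constructed for illustration and are not the system's export format.

```python
from collections import defaultdict

# Rule actions the text says can carry an intrusion policy.
INSPECTABLE_ACTIONS = {"Allow", "Interactive Block"}

# Constructed sample rule set (hypothetical field names and policy names).
RULES = [
    {"name": "web-out", "action": "Allow", "intrusion": "Balanced", "variable_set": "Default-Set", "file": "Block-Malware"},
    {"name": "dns-out", "action": "Allow", "intrusion": "Balanced", "variable_set": "Default-Set", "file": None},
    {"name": "dmz-in", "action": "Allow", "intrusion": "Balanced", "variable_set": "DMZ-Set", "file": None},
    {"name": "social", "action": "Interactive Block", "intrusion": "Strict", "variable_set": "Default-Set", "file": None},
    {"name": "backup", "action": "Allow", "intrusion": None, "variable_set": None, "file": None},
    {"name": "mgmt", "action": "Block", "intrusion": "Strict", "variable_set": "Default-Set", "file": None},
]
DEFAULT_ACTION = {"name": "<default action>", "intrusion": "Balanced", "variable_set": "Default-Set"}


def audit(rules, default_action):
    """Return ({(intrusion, variable_set): [users]}, [(rule name, finding)])."""
    pairs = defaultdict(list)
    findings = []
    for rule in rules:
        name, action = rule["name"], rule["action"]
        if rule["intrusion"]:
            if action in INSPECTABLE_ACTIONS:
                # Each unique (intrusion policy, variable set) pair counts as one policy.
                pairs[(rule["intrusion"], rule["variable_set"])].append(name)
            else:
                findings.append((name, "intrusion policy on an action that does not take one"))
        elif action == "Allow" and not rule["file"]:
            # Matching traffic is passed without any deep inspection.
            findings.append((name, "allowed with no intrusion or file inspection"))
    if default_action.get("intrusion"):
        key = (default_action["intrusion"], default_action["variable_set"])
        pairs[key].append(default_action["name"])
    return dict(pairs), findings


if __name__ == "__main__":
    pairs, findings = audit(RULES, DEFAULT_ACTION)
    print(f"{len(pairs)} unique intrusion policy / variable set pairs")
    for (policy, varset), users in sorted(pairs.items()):
        print(f"  {policy} + {varset}: {', '.join(users)}")
    for name, finding in findings:
        print(f"  finding: {name}: {finding}")
```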

To associate intrusion and file policies with an access control rule, see:

Note

By default, the system disables intrusion and file inspection of encrypted payloads. This helps reduce false positives and improve performance when an encrypted connection matches an access control rule that has intrusion and file inspection configured.