Best Practices for File Policy Configuration
You should consider the following best practices when you configure a file policy:
- When you want to block a file by using a file policy, use the Reset Connection option. It lets the application session close cleanly instead of waiting for the connection to time out on its own.
- You can use a threat defense to capture and store the files it detects. Avoid storing clean files because they can quickly fill up the storage; store files only when an offline forensic analysis is needed. When a threat defense blocks and captures a file for its malicious activity, the file might be infected with malware, so if your incident response team wants to download a captured file from Secure Firewall to a local computer for advanced forensic analysis, take extra precautions before the download. To store a higher volume of files, Cisco offers a malware storage pack as an add-on.
- You can limit the size of files to capture. Keeping the file size limit low is critical for optimal performance. The file size limit is set on the advanced settings page of the access control policy. File size limits affect the following activities:
  - Sending files to the cloud for dynamic analysis
  - Storing files locally
  - Calculating the SHA-256 hash value of files
- If there are communication issues between Secure Firewall and the Cisco cloud, the threat defense can hold the transfer of a file for a short period when the file matches a rule with the Block Malware action. Although this holding period is configurable, Cisco recommends that you keep the default value of two seconds to limit the latency caused by long file disposition lookups.
Figure 16-5 displays the advanced settings of an access control policy where you can define the file holding period and file size limits.
Figure 16-5 Configuration of the File Holding Period and File Size Limits
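As an added illustration (not code from Cisco or from this book), the following Python model walks one file through the behaviours described above: the size limits that gate hashing, local storage and dynamic analysis, storing only files with a malware disposition, and the two-second hold while a Block Malware rule waits for a disposition lookup. The limit values, the lookup stand-ins and the "unavailable" result reported when the hold expires are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, FrozenSet, Tuple


@dataclass
class FilePolicyLimits:
    # Constructed sample values standing in for the access control policy advanced settings.
    max_hash_bytes: int        # above this size no SHA-256 is calculated
    max_store_bytes: int       # above this size the file is not stored locally
    max_dynamic_bytes: int     # above this size the file is not sent for dynamic analysis
    hold_seconds: float = 2.0  # file holding period; the text recommends the default
    # Best practice from the text: store only what forensics needs, not clean files.
    store_dispositions: FrozenSet[str] = frozenset({"Malware"})


# Assumed stand-in for the cloud disposition lookup: returns (disposition, seconds taken).
Lookup = Callable[[str], Tuple[str, float]]


def evaluate_file(data: bytes, limits: FilePolicyLimits, lookup: Lookup) -> dict:
    """Apply the size limits, then hold the file while awaiting its disposition."""
    size = len(data)
    result = {"size": size, "sha256": None, "stored": False, "dynamic_analysis": False,
              "disposition": "unavailable", "lookup_timed_out": False}
    if size > limits.max_hash_bytes:
        return result  # no hash means no lookup and nothing to store
    result["sha256"] = hashlib.sha256(data).hexdigest()
    result["dynamic_analysis"] = size <= limits.max_dynamic_bytes
    disposition, latency = lookup(result["sha256"])
    if latency > limits.hold_seconds:
        result["lookup_timed_out"] = True  # hold expired; disposition stays unavailable
    else:
        result["disposition"] = disposition
    result["stored"] = (size <= limits.max_store_bytes
                        and result["disposition"] in limits.store_dispositions)
    return result


# Constructed lookups: one answers inside the holding period, one does not.
def fast_lookup(sha256: str) -> Tuple[str, float]:
    return ("Malware", 0.3)


def slow_lookup(sha256: str) -> Tuple[str, float]:
    return ("Malware", 5.0)


LIMITS = FilePolicyLimits(max_hash_bytes=10_000_000, max_store_bytes=5_000_000,
                          max_dynamic_bytes=1_000_000)
SAMPLE = b"MZ" + b"\x00" * 2_000_000  # constructed 2 MB file body

if __name__ == "__main__":
    print(evaluate_file(SAMPLE, LIMITS, fast_lookup))
    print(evaluate_file(SAMPLE, LIMITS, slow_lookup))
```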
Fulfilling Prerequisites
The following items are necessary for a successful file policy deployment:
- Make sure to install the appropriate licenses. With the installation of a threat license, a threat defense can control the transfer of files based on their types. In other words, if you are currently using the security intelligence and intrusion prevention features on your threat defense, you can control the file transfer based on file type without installing any additional licenses. However, to perform a malware analysis, the threat defense requires a malware license.
Figure 16-6 shows the actions and features you can enable by using the threat and malware licenses.
Figure 16-6 Actions on a File Rule and Their Necessary Licenses
Table 16-2 summarizes the differences between the capabilities of a threat license and a malware license.
Table 16-2 Differences Between a Threat License and a Malware License
| When Only a Threat License Is Applied… | When a Malware License Is Also Applied… |
| --- | --- |
| A threat defense can block a file based on its file type. | A threat defense can block a file based on its malware disposition. |
| A threat defense utilizes the file’s magic numbers to determine the file type. | A threat defense matches malware signatures to perform local malware analysis. |
| A threat defense does not require a connection to the cloud for file type detection. | A threat defense needs to connect to the cloud for various purposes, for example, to update the signatures for the latest malware, to send a file to the cloud for dynamic file analysis, and to perform a SHA-256 lookup. |
| You can apply only two rule actions: Detect Files and Block Files. | You can apply any available rule action, including Malware Cloud Lookup and Block Malware. |
In short, to control the transfer of files based on file type, you need only a threat license. To perform malware analysis, you need a malware license in addition to the threat license.
- A file policy uses the adaptive profiles feature. Make sure the feature is enabled in the advanced settings of the access control policy (see Figure 16-7).
Figure 16-7 Option to Enable Adaptive Profile Updates
- Make sure the Enable Automatic Local Malware Detection Updates option is checked (see Figure 16-8). It enables the management center to communicate with the Talos cloud every 30 minutes for updates. When a new ruleset is available, the management center downloads it to enrich the local malware analysis engine.
Figure 16-8 Option to Enable the Automatic Local Malware Detection Updates
- A file policy leverages application detection functionality to determine whether an application is capable of transmitting a file. Make sure your network discovery policy is deployed and configured to discover applications. To learn about application detection and control, read Chapter 9, “Network Discovery Policy.”