
File Policies and Advanced Malware Protection

The following topics provide an overview of file control, file policies, file rules, AMP cloud connections, and dynamic analysis connections.

• About File Policies and Advanced Malware Protection, page 1

• File Control and Cisco AMP Basics, page 2

• File Policies, page 8

• File Rules, page 13

• Cloud Connections, page 18

• Collective Security Intelligence Communications Configuration, page 26

About File Policies and Advanced Malware Protection

Malicious software, or malware, can enter your organization’s network via multiple routes. To help you identify and mitigate the effects of malware, Advanced Malware Protection (AMP for Networks, formerly called AMP for Firepower) can detect, track, store, analyze, and optionally block the transmission of malware in network traffic.

You configure AMP for Networks and file control (which allows control over all files of a specific type regardless of whether the files contain malware) as part of your overall access control configuration. File policies that you create and associate with access control rules handle network traffic that matches the rules. You can download files detected in that traffic and run local malware analysis to determine whether the files contain malware. You can also submit files to the AMP Threat Grid cloud for dynamic analysis to determine whether the files represent malware.

The system automatically enables file event, malware event, and captured file logging for active file policies. When a file policy generates a file or malware event, or captures a file, the system also automatically logs the end of the associated connection to the Firepower Management Center database.

Note: File events generated by inspecting NetBIOS-ssn (SMB) traffic do not immediately generate connection events because the client and server establish a persistent connection. The system generates connection events after the client or server ends the session.

Firepower Management Center Configuration Guide, Version 6.0 1


To further target your analysis, you can use a malware file’s network file trajectory page to track the spread of an individual threat across hosts over time, allowing you to concentrate outbreak control and prevention efforts where most useful.

Tip: If your organization uses AMP for Endpoints, the system can import and display endpoint-based data alongside any data gathered by AMP for Networks. Importing this data does not require a license.

If your organization requires additional security or wants to limit outside connections, you can use a Cisco AMP Private Cloud Virtual Appliance (AMPv). AMPv privately collects AMP for Endpoints events and forwards them to the Firepower Management Center.

File Control and Cisco AMP Basics

AMP for Networks

AMP for Networks allows you to detect, store, track, analyze, and block malware on your network using managed devices deployed inline. AMP for Networks can block many types of malware files, including PDFs and Microsoft Office documents.

File Detection and Storage

With AMP for Networks, managed devices monitor network traffic for transmissions of certain file types.

When a device detects an eligible file, it sends the file's SHA-256 hash value to the Firepower Management Center. The Firepower Management Center performs a malware cloud lookup, querying the AMP cloud for the file's disposition. The device can also store an eligible file to its hard drive or malware storage pack using the file storage feature. You can view captured file information in the event viewer, and download a copy for offline analysis.

File Analysis

The system applies several methods of file inspection and analysis to determine whether a file contains malware.

Note: Based on your configuration, you can either inspect a file the first time the system detects it, and wait for a cloud lookup result, or pass the file on this first detection without waiting for the cloud lookup result.

Based on whether you enable the option in a file rule, the system inspects files in the following order:

Spero Analysis

If the file is an eligible executable file, the device can analyze the file's structure and submit the resulting Spero signature to the AMP Threat Grid cloud. The cloud uses this signature to determine if the file contains malware.


Local Malware Analysis

Using a local malware inspection engine, the device examines an eligible file, blocks it if the file contains malware and the file rule is configured to do so, and generates malware events.

The device also generates a file composition report detailing a file's properties, embedded objects, and possible malware.

Dynamic Analysis

If the device preclassifies files as possible malware, it submits these files to the AMP Threat Grid cloud or an AMP Threat Grid on-premises appliance for dynamic analysis, regardless of whether the device stores the file.

The AMP Threat Grid cloud or on-premises AMP Threat Grid appliance runs the file in a sandbox environment to determine whether the file is malicious, and returns a threat score that describes the likelihood a file contains malware. From the threat score, you can view a dynamic analysis summary report that details why the cloud assigned the threat score.

File and Malware Events and Captured Files

Based on the file analysis results, you can review captured files and generated malware and file events from the event viewer. When available, you can examine a file's composition, disposition, threat score, and dynamic analysis summary report for further insight into the malware analysis. You can also access the network file trajectory, which displays a map of how the file traversed your network, passing among hosts, as well as various file properties.

Archive Files

The system can inspect up to three levels of nested files beneath the outermost archive file (level 0) if the file is an archive (such as .zip or .rar archive files). You can inspect archive files as large as the Maximum file size to store advanced access control setting.

If any individual file matches a file rule with a block action, the system blocks the entire archive, not just the individual file. The system can also block archives that exceed a specified level of nesting, or whose contents are encrypted or otherwise cannot be inspected.

File Tracking

If a file has a disposition in the AMP cloud that you know to be incorrect, you can add the file’s SHA-256 value to a file list:

• To treat a file as if the AMP cloud assigned a clean disposition, add the file to the clean list.

• To treat a file as if the AMP cloud assigned a malware disposition, add the file to the custom detection list.

On subsequent detection, the device either allows or blocks the file without reevaluating the file's disposition. You can use the clean list or custom detection list per file policy.

Note: You must configure a rule in the file policy to either perform a malware cloud lookup or block malware on matching files to calculate a file's SHA-256 value.


Related Topics

File Lists

Malware Dispositions

The system determines file dispositions based on the disposition returned by the AMP cloud. To improve performance, if the system already knows the disposition for a file based on its SHA-256 value, the Firepower Management Center uses the cached disposition rather than querying the AMP cloud. Based on its disposition, the system can block the file. If any nested file inside an archive file is blocked, the system blocks the entire archive file.

A file can have one of the following file dispositions as a result of addition to a file list, or due to threat score:

• Malware indicates that the AMP cloud categorized the file as malware, local malware analysis identified malware, or the file’s threat score exceeded the malware threshold defined in the file policy.

• Clean indicates that the AMP cloud categorized the file as clean, or that a user added the file to the clean list.

• Unknown indicates that the system queried the AMP cloud, but the file has not been assigned a disposition; in other words, the AMP cloud has not categorized the file.

• Custom Detection indicates that a user added the file to the custom detection list.

• Unavailable indicates that the system could not query the AMP cloud. You may see a small percentage of events with this disposition; this is expected behavior.

Archive files have dispositions based on the dispositions assigned to the files inside the archive. All archives that contain identified malware files receive a disposition of Malware. Archives without identified malware files receive a disposition of Unknown if they contain any unknown files, and a disposition of Clean if they contain only clean files.

Table 1: Archive File Disposition by Contents

Number of Malware Files | Number of Clean Files | Number of Unknown Files | Archive File Disposition
0                       | Any                   | 1 or more               | Unknown
0                       | 1 or more             | 0                       | Clean
1 or more               | Any                   | Any                     | Malware

Archive files, like other files, may have dispositions of Custom Detection or Unavailable if the conditions for those dispositions apply.

Tip: If you see several Unavailable malware events in quick succession, make sure the Firepower Management Center can contact the AMP cloud.

Note that file dispositions can change. For example, the AMP cloud can determine that a file that was previously thought to be clean is now identified as malware, or the reverse—that a malware-identified file is actually clean. When the disposition changes for a file you queried in the last week, the AMP cloud notifies the system so it can automatically take action the next time it detects that file being transmitted. A changed disposition is called a retrospective disposition.

Dispositions returned from an AMP cloud query, associated threat scores, and dispositions assigned by local malware analysis, have a time-to-live (TTL) value. After a disposition has been held for the duration specified in the TTL value without update, the system purges the cached information. Dispositions and associated threat scores have the following TTL values:

• Clean— 4 hours

• Unknown— 1 hour

• Malware— 1 hour

If a query against the cache identifies a cached disposition that timed out, the system re-queries the AMP cloud for a new disposition.
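The disposition, file-list, retrospective and TTL rules above, together with the threat-score threshold from the file policy Advanced tab, as an added Python model. This is not Cisco code: the AMP cloud is a stand-in lookup function, the clock is simulated, the 0-100 threat score scale and the way a retrospective update replaces the cached entry are assumptions.

```python
"""How a Firepower file policy arrives at a file's disposition: an added
model, not Cisco's code. It follows the rules in this chapter: file-list
overrides, the per-SHA-256 cache with Clean 4 h and Unknown/Malware 1 h
TTLs, re-query after expiry, retrospective updates and the threat-score
threshold. The AMP cloud is a caller-supplied lookup function."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

MALWARE, CLEAN, UNKNOWN = "Malware", "Clean", "Unknown"
CUSTOM_DETECTION, UNAVAILABLE = "Custom Detection", "Unavailable"
# TTL values in seconds, from the "Malware Dispositions" section.
TTL = {CLEAN: 4 * 3600, UNKNOWN: 3600, MALWARE: 3600}

@dataclass
class CloudResult:
    disposition: str             # Malware, Clean or Unknown
    threat_score: Optional[int]  # dynamic analysis score; 0-100 scale assumed

@dataclass
class FilePolicy:
    enable_custom_detection_list: bool = True
    enable_clean_list: bool = True
    threat_score_threshold: Optional[int] = None  # None: option disabled
    custom_detection_list: Set[str] = field(default_factory=set)
    clean_list: Set[str] = field(default_factory=set)

class DispositionResolver:
    def __init__(self, policy: FilePolicy,
                 cloud_lookup: Callable[[str], Optional[CloudResult]],
                 clock: Callable[[], float]):
        self.policy, self.cloud_lookup, self.clock = policy, cloud_lookup, clock
        # sha256 -> (disposition, threat_score, time stored)
        self.cache: Dict[str, Tuple[str, Optional[int], float]] = {}

    def resolve(self, sha256: str) -> str:
        p = self.policy
        # 1. File lists win outright: the device acts "without reevaluating
        #    the file's disposition", so neither cache nor cloud is consulted.
        if p.enable_custom_detection_list and sha256 in p.custom_detection_list:
            return CUSTOM_DETECTION
        if p.enable_clean_list and sha256 in p.clean_list:
            return CLEAN
        # 2. Cached disposition, unless its TTL has elapsed.
        hit = self.cache.get(sha256)
        if hit is not None:
            disp, score, stored_at = hit
            if self.clock() - stored_at < TTL[disp]:
                return self._apply_threshold(disp, score)
            del self.cache[sha256]  # timed out: purge and re-query
        # 3. Cloud lookup; an unreachable cloud gives Unavailable, nothing cached.
        result = self.cloud_lookup(sha256)
        if result is None:
            return UNAVAILABLE
        self.cache[sha256] = (result.disposition, result.threat_score, self.clock())
        return self._apply_threshold(result.disposition, result.threat_score)

    def retrospective_update(self, sha256: str, new_disposition: str) -> None:
        """Cloud-pushed change for a recently queried file; modelled (assumption)
        as replacing the cached entry so the next detection acts on it."""
        _, score, _ = self.cache.get(sha256, (None, None, 0.0))
        self.cache[sha256] = (new_disposition, score, self.clock())

    def _apply_threshold(self, disp: str, score: Optional[int]) -> str:
        # "Mark files as malware based on dynamic analysis threat score":
        # a score equal to or worse (higher) than the threshold means Malware.
        t = self.policy.threat_score_threshold
        return MALWARE if t is not None and score is not None and score >= t else disp

def demo() -> Dict[str, object]:
    """Run a constructed sequence of detections through the resolver."""
    now, queries = [0.0], []                   # fake clock and query log
    cloud_db = {"aa" * 32: CloudResult(CLEAN, None),   # constructed, not real hashes
                "bb" * 32: CloudResult(UNKNOWN, 85)}

    def cloud_lookup(sha256):
        queries.append(sha256)
        if sha256 == "dd" * 32:
            return None                        # constructed: cloud unreachable
        return cloud_db.get(sha256, CloudResult(UNKNOWN, None))

    policy = FilePolicy(threat_score_threshold=80, clean_list={"cc" * 32})
    r = DispositionResolver(policy, cloud_lookup, lambda: now[0])
    out = {}
    out["clean_first"] = r.resolve("aa" * 32)           # queried, cached as Clean
    out["clean_cached"] = r.resolve("aa" * 32)          # served from cache
    now[0] += TTL[CLEAN]                                # 4 h later the entry expires
    out["clean_expired"] = r.resolve("aa" * 32)         # re-queried
    out["score_over_threshold"] = r.resolve("bb" * 32)  # Unknown, but 85 >= 80
    out["on_clean_list"] = r.resolve("cc" * 32)         # no cloud query at all
    out["cloud_down"] = r.resolve("dd" * 32)
    r.retrospective_update("aa" * 32, MALWARE)
    out["after_retrospective"] = r.resolve("aa" * 32)
    out["cloud_queries"] = len(queries)
    return out
```

Note that the clean-list hit and the cached hit never reach the cloud, so only four of the seven detections in demo() produce a query.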

File Control without AMP for Networks

If your organization wants to block not only the transmission of malware files, but all files of a specific type (regardless of whether the files contain malware), the file control feature allows you to cast a wider net. As with AMP for Networks, managed devices monitor network traffic for transmissions of specific file types, then either block or allow the file.

File control is supported for all file types where the system can detect malware, plus many additional file types. These file types are grouped into basic categories, including multimedia (swf, mp3), executables (exe, torrent), and PDFs. Note that file control, unlike AMP for Networks, does not require queries of the AMP cloud.

AMP for Endpoints

AMP for Endpoints is Cisco’s enterprise-class Advanced Malware Protection solution that discovers, understands, and blocks advanced malware outbreaks, advanced persistent threats, and targeted attacks. The following diagram details the general flow of information using AMP for Endpoints.

If your organization uses AMP for Endpoints, individual users install lightweight connectors on endpoints: computers and mobile devices. Connectors can inspect files upon upload, download, execution, open, copy, move, and so on. These connectors communicate with the AMP cloud to determine if inspected files contain malware.

When a file is positively identified as malware, the AMP cloud sends the threat identification to the Firepower Management Center. The AMP cloud can also send other kinds of information to the Firepower Management Center, including data on scans, quarantines, blocked executions, and cloud recalls. The Firepower Management Center logs this information as malware events.

AMP for Endpoints can generate indications of compromise (IOC) when a host’s security may be compromised. The Firepower System can display this IOC information for its monitored hosts. Cisco occasionally develops new IOC types for endpoint-based malware events, which the system automatically downloads.

With AMP for Endpoints, you can not only configure Management Center-initiated remediations and alerts based on malware events, but you can also use the AMP for Endpoints management console to help you mitigate the effect of malware. The management console provides a robust, flexible web interface where you control all aspects of your AMP for Endpoints deployment and manage all phases of an outbreak. You can:

• configure custom malware detection policies and profiles for your entire organization, as well as perform flash and full scans on all your users’ files

• perform malware analysis, including viewing heat maps, detailed file information, network file trajectory, and threat root causes

• configure multiple aspects of outbreak control, including automatic quarantines, application blocking to stop non-quarantined executables from running, and exclusion lists

• create custom protections, block execution of certain applications based on group policy, and create custom whitelists

Tip: For detailed information on AMP for Endpoints, see the AMP for Endpoints management console.

AMP for Networks vs. AMP for Endpoints

You can use the Firepower System to work with data from both AMP for Networks and AMP for Endpoints.

Because AMP for Endpoints malware detection is performed at the endpoint at download or execution time, while managed devices detect malware in network traffic, the information in the two types of malware events is different. For example, endpoint-based malware events contain information on file path, invoking client application, and so on, while malware detections in network traffic contain port, application protocol, and originating IP address information about the connection used to transmit the file.

As another example, for network-based malware events, user information represents the user most recently logged into the host where the malware was destined, as determined by network discovery. But AMP for Endpoints-reported users represent the user currently logged into the endpoint where the malware was detected.


Note: Depending on your deployment, endpoints monitored by AMP for Endpoints may not be the same hosts as those monitored by AMP for Networks. For this reason, endpoint-based malware events do not add hosts to the network map. However, the system uses IP and MAC address data to tag monitored hosts with indications of compromise obtained from your AMP for Endpoints deployment. If two different hosts monitored by different AMP solutions have the same IP and MAC address, the system can incorrectly tag monitored hosts with AMP for Endpoints IOCs.

The following table summarizes the differences between the two strategies.

Table 2: Network vs Endpoint-Based Advanced Malware Protection Strategies

Feature | AMP for Networks | AMP for Endpoints
file type detection and blocking method (file control) | in network traffic, using access control and file policies | not supported
malware detection and blocking method | in network traffic, using access control and file policies | on individual endpoints, using a connector that communicates with the AMP cloud
network traffic inspected | traffic passing through a managed device | none; connectors installed on endpoints directly inspect files
malware detection robustness | limited file types | all file types
malware analysis choices | Management Center-based, plus analysis in the AMP cloud | Management Center-based, plus additional options on the AMP for Endpoints management console
malware mitigation | malware blocking in network traffic, Management Center-initiated remediations | AMP for Endpoints-based quarantine and outbreak control options, Management Center-initiated remediations
events generated | file events, captured files, malware events, and retrospective malware events | malware events
information in malware events | basic malware event information, plus connection data (IP address, port, and application protocol) | in-depth malware event information; no connection data
network file trajectory | Management Center-based | Management Center-based, plus additional options on the AMP for Endpoints management console
required licenses or subscriptions | licenses required to perform file control and AMP for Networks | AMP for Endpoints subscription (not license-based)


File Policies

A file policy is a set of configurations that the system uses to perform AMP for Networks and file control, as part of your overall access control configuration. This association ensures that before the system passes a file in traffic that matches an access control rule’s conditions, it first inspects the file. Consider the following diagram of a simple access control policy in an inline deployment.

The policy has two access control rules, both of which use the Allow action and are associated with file policies. The policy’s default action is also to allow traffic, but without file policy inspection. In this scenario, traffic is handled as follows:

• Traffic that matches Rule 1 is inspected by File Policy A.

• Traffic that does not match Rule 1 is evaluated against Rule 2. Traffic that matches Rule 2 is inspected by File Policy B.

• Traffic that does not match either rule is allowed; you cannot associate a file policy with the default action.

You can associate a single file policy with an access control rule whose action is Allow, Interactive Block, or Interactive Block with reset. The system then uses that file policy to inspect network traffic that meets the conditions of the access control rule.

By associating different file policies with different access control rules, you have granular control over how you identify and block files transmitted on your network. Note, however, that you cannot use a file policy to inspect traffic handled by the access control default action.

File Policy Advanced Configuration

Advanced File Inspection Configuration Notes

In a file policy, you can configure advanced options to block files on the custom detection list, allow files on the clean list, and set a threshold threat score above which files are considered malware.


You can also configure your file policy to inspect the contents of archive files, allowing you to analyze and block archive files according to your organization’s needs. All features applicable to uncompressed files (such as dynamic analysis and file storage) are available for nested files inside archive files.

Archive File Inspection Notes

Some archive files contain additional archive files (and so on). The level at which a file is nested is its archive file depth. Note that the top-level archive file is not considered in the depth count; depth begins at 1 with the first nested file.

Although the system can only inspect up to 3 levels of nested archive files, you can configure your file policy to block archive files that exceed that depth (or a lower maximum depth that you specify). If you want to restrict nested archives further, you have the option to configure a lower maximum file depth of 2 or 1.

If you choose not to block files that exceed the maximum archive file depth of 3, when archive files that contain some extractable contents and some contents nested at a depth of 3 or greater appear in monitored traffic, the system examines and reports data only for the files it was able to inspect.

Note: If traffic that contains an archive file is blacklisted or whitelisted by Security Intelligence, or if the top-level archive file’s SHA-256 value is on the custom detection list, the system does not inspect the contents of the archive file. If a nested file is blacklisted, the entire archive is blocked; however, if a nested file is whitelisted, the archive is not automatically passed (depending on any other nested files and characteristics).

If your file policy is configured to inspect archive file contents, you can use the event viewer context menu and the network file trajectory viewer to view information about the files inside an archive when the archive file appears in a file event, malware event, or as a captured file.

All file contents of the archive are listed in table form, with a short summary of their relevant information: name, SHA-256 hash value, type, category, and archive depth. A network file trajectory icon appears by each file, which you can click to view further information about that specific file.

Note that you can only inspect archive files as large as the Maximum file size to store advanced access control setting.

File Policy Configuration Notes and Limitations

• For a new policy, the web interface indicates that the policy is not in use. If you are editing an in-use file policy, the web interface tells you how many access control policies use the file policy. In either case, you can click the text to jump to the Access Control Policies page.

• For an access control policy using a file policy with Block Malware rules for FTP, if you set the default action to an intrusion policy with Drop when Inline disabled, the system generates events for detected files or malware matching the rules, but does not drop the files. To block FTP file transfers and use an intrusion policy as the default action for the access control policy where you select the file policy, you must select an intrusion policy with Drop when Inline enabled.


Managing File Policies

Access | Supported Domains | Supported Devices | Classic License | Smart License
Admin/Access Admin | Any | Any | Protection (file control), Malware (AMP for Networks) | Threat (file control), Malware (AMP for Networks)

The File Policies page displays a list of existing file policies along with their last-modified dates. You can use this page to manage your file policies.

In a multidomain deployment, the system displays policies created in the current domain, which you can edit. It also displays policies created in ancestor domains, which you cannot edit. To view and edit policies created in a lower domain, switch to that domain.

Note: The system checks the AMP cloud for updates to the list of file types eligible for dynamic analysis (no more than once a day). If the list of eligible file types changes, this constitutes a change in the file policy; any access control policy using the file policy is marked out-of-date if deployed to any devices. You must deploy policies before the updated file policy can take effect on the device.

Procedure

Step 1 Select Policies > Access Control > Malware & File.

Step 2 Manage your file policies:

• Compare—Click Compare Policies; see Comparing Policies.

• Create—To create a file policy, click New File Policy and proceed as described in Creating a File Policy, on page 11.

• Copy—To copy a file policy, click the copy icon.

If a view icon appears instead, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.

• Delete—If you want to delete a file policy, click the delete icon, then click Yes and OK as prompted.

If the controls are dimmed, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.

• Deploy—Click Deploy; see Deploy Configuration Changes.

• Edit—If you want to modify an existing file policy, click the edit icon.


• Report—Click the report icon; see Generating Current Policy Reports.

Creating a File Policy

Access | Supported Domains | Supported Devices | Classic License | Smart License
Admin/Access Admin | Any | Any | Protection (file control), Malware (AMP for Networks) | Threat (file control), Malware (AMP for Networks)

Procedure

Step 1 Select Policies > Access Control > Malware & File.

Tip: To make a copy of an existing file policy, click the copy icon, then type a unique name for the new policy in the dialog box that appears. You can then modify the copy.

Step 2 Click New File Policy.

Step 3 Enter a Name and optional Description for your new policy.

Step 4 Click Save.

Step 5 Add one or more rules to the file policy as described in Creating File Rules, on page 17.

Step 6 Optionally, select the Advanced tab and configure advanced options as described in Advanced and Archive File Inspection Options, on page 11.

Step 7 Save the file policy.

What to Do Next

• Add the file policy to an access control rule as described in Access Control Rule Configuration to Perform File Control and Malware Protection.

• Deploy configuration changes; see Deploy Configuration Changes.

Advanced and Archive File Inspection Options

The Advanced tab in the file policy editor has the following general options:

• First Time File Analysis—Submit a file for file analysis that the system detects for the first time. The file must match a rule configured to perform a malware cloud lookup and Spero, local malware, or dynamic analysis. If you disable this option, files detected for the first time are marked with an Unknown disposition.

• Enable Custom Detection List—Block files on the custom detection list.


• Enable Clean List—Allow files on the clean list.

•Mark files as malware based on dynamic analysis threat score—Set a threshold threat score; fileswith scores equal or worse than the threshold are considered malware.

If you select lower threshold values, you increase the number of files treated as malware. Depending onthe action selected in your file policy, this can result in an increase of blocked files.

The Advanced tab in the file policy editor has the following archive file inspection options:

• Inspect Archives—Enables inspection of the contents of archive files, for archive files as large as the Maximum file size to store advanced access control setting.

Caution: Enabling or disabling Inspect Archives restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort® Restart Traffic Behavior for more information.

• Block Encrypted Archives—Blocks archive files that have encrypted contents.

• Block Uninspectable Archives—Blocks archive files with contents that the system is unable to inspect for reasons other than encryption. This usually applies to corrupted files, or those that exceed your specified maximum archive depth.

• Max Archive Depth—Blocks nested archive files that exceed the specified depth. The top-level archive file is not considered in this count; depth begins at 1 with the first nested file.
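The three archive options above, modelled as an added example (not Cisco code) run over constructed in-memory zip files: the nesting count follows the text (the top-level archive is not counted, the first nested archive is depth 1), encryption is read from the ZIP header flag, and a nested archive that exceeds Max Archive Depth is treated as one of the "uninspectable" cases, as the Block Uninspectable Archives text describes.

```python
"""Added example (not Cisco code): a model of the archive inspection options
above, run over constructed in-memory zip files. The top-level archive is
depth 0 and is not counted; the first nested archive is depth 1."""
import io
import struct
import zipfile

ZIP_LOCAL_SIG = b"PK\x03\x04"    # local file header signature
ZIP_CENTRAL_SIG = b"PK\x01\x02"  # central directory header signature
FLAG_ENCRYPTED = 0x0001          # general purpose flag bit 0: entry is encrypted


def build_zip(entries):
    """Return the bytes of a zip archive holding {name: data} (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def mark_encrypted(data):
    """Set the encrypted flag bit in every local and central header.

    The standard library cannot write password-protected zips, so the sample
    is produced by setting the flag that real archivers set. The inspector
    only reads this flag; it never needs to decrypt anything.
    """
    buf = bytearray(data)
    for sig, offset in ((ZIP_LOCAL_SIG, 6), (ZIP_CENTRAL_SIG, 8)):
        pos = buf.find(sig)
        while pos != -1:
            (flags,) = struct.unpack_from("<H", buf, pos + offset)
            struct.pack_into("<H", buf, pos + offset, flags | FLAG_ENCRYPTED)
            pos = buf.find(sig, pos + 1)
    return bytes(buf)


def inspect_archive(data, max_archive_depth, block_encrypted=True,
                    block_uninspectable=True, depth=0):
    """Walk an archive and its nested archives; return (verdict, reason).

    verdict is "allow" or "block"; depth is the nesting level of `data`,
    0 for the top-level archive captured from traffic.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Carries a zip signature but cannot be parsed: a corrupted archive.
        return ("block", "corrupted") if block_uninspectable else ("allow", "corrupted")
    with zf:
        for info in zf.infolist():
            if info.flag_bits & FLAG_ENCRYPTED:
                if block_encrypted:
                    return ("block", "encrypted")
                continue  # contents cannot be read; nothing more to inspect here
            member = zf.read(info)
            if not member.startswith(ZIP_LOCAL_SIG):
                continue  # ordinary file: left to the policy's file type rules
            if depth + 1 > max_archive_depth:
                if block_uninspectable:
                    return ("block", "max_archive_depth")
                continue  # too deep to descend into, but allowed through
            verdict = inspect_archive(member, max_archive_depth, block_encrypted,
                                      block_uninspectable, depth + 1)
            if verdict[0] == "block":
                return verdict
    return ("allow", "inspected")


# Constructed samples: OUTER -> middle.zip (depth 1) -> inner.zip (depth 2)
INNER = build_zip({"readme.txt": b"plain text payload"})
MIDDLE = build_zip({"inner.zip": INNER})
OUTER = build_zip({"middle.zip": MIDDLE, "notes.txt": b"not an archive"})
ENCRYPTED = mark_encrypted(build_zip({"secret.txt": b"hidden"}))
# A nested archive whose end-of-central-directory record has been cut off
CORRUPT_WRAPPER = build_zip({"broken.zip": INNER[:-10]})

if __name__ == "__main__":
    print(inspect_archive(OUTER, max_archive_depth=2))  # inner.zip is at depth 2: allowed
    print(inspect_archive(OUTER, max_archive_depth=1))  # depth 2 exceeds 1: blocked
    print(inspect_archive(ENCRYPTED, max_archive_depth=2))
    print(inspect_archive(CORRUPT_WRAPPER, max_archive_depth=2))
```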

Related Topics

Snort® Restart Scenarios

Editing a File Policy

Access: Admin/Access Admin
Supported Domains: Any
Supported Devices: Any
Classic License: Protection (file control), Malware (AMP for Networks)
Smart License: Threat (file control), Malware (AMP for Networks)

Procedure

Step 1 Select Policies > Access Control > Malware & File.

Step 2 Click the edit icon ( ) next to the file policy you want to edit. If a view icon ( ) appears instead, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.

Step 3 You have the following options:

• Add a file rule by selecting Add File Rule. For more information, see File Rules, on page 13.


• Edit an existing file rule by clicking the edit icon ( ) next to the rule you want to edit.

• Configure advanced options as described in Advanced and Archive File Inspection Options, on page 11.

Note: The file policy editor displays how many access control policies use the file policy you are currently editing. You can click the notification to display a list of the parent policies and, optionally, continue to the Access Control Policies page.

What to Do Next

• Deploy configuration changes; see Deploy Configuration Changes.

File Rules

A file policy, like its parent access control policy, contains rules that determine how the system handles files that match the conditions of each rule. You can configure separate file rules to take different actions for different file types, application protocols, or directions of transfer.

Once a file matches a rule, the rule can:

• allow or block files based on simple file type matching

• block files based on disposition

• store captured files to the device

• submit captured files for local malware, Spero, or dynamic analysis

In addition, the file policy can:

• automatically treat a file as if it is clean or malware based on entries in the clean list or custom detection list

• treat a file as if it is malware if the file’s threat score exceeds a configurable threshold

• inspect the contents of archive files (such as .zip or .rar)

• block archive files whose contents are encrypted, nested beyond a specified maximum archive depth, or otherwise uninspectable


File Rule Components

Table 3: File Rule Components

application protocol: The system can detect and inspect files transmitted via FTP, HTTP, SMTP, IMAP, POP3, and NetBIOS-ssn (SMB). Any, the default, detects files in HTTP, SMTP, IMAP, POP3, FTP, and NetBIOS-ssn (SMB) traffic. To improve performance, you can restrict file detection to only one of those application protocols on a per-file rule basis.

direction of transfer: You can inspect incoming FTP, HTTP, IMAP, POP3, and NetBIOS-ssn (SMB) traffic for downloaded files; you can inspect outgoing FTP, HTTP, SMTP, and NetBIOS-ssn (SMB) traffic for uploaded files.

Tip: Use Any to detect files over multiple application protocols, regardless of whether users are sending or receiving.

file categories and types: The system can detect various types of files. These file types are grouped into basic categories, including multimedia (swf, mp3), executables (exe, torrent), and PDFs. You can configure file rules that detect individual file types, or entire categories of file types.

For example, you could block all multimedia files, or just ShockWave Flash (swf) files. Or, you could configure the system to alert you when a user downloads a BitTorrent (torrent) file.

For a list of file types the system can inspect, select Policies > Access Control > Malware & File, create a temporary new file policy, then click Add Rule. Select a file type category and the file types that the system can inspect appear in the File Types list.

Note: Frequently triggered file rules can affect system performance. For example, detecting multimedia files in HTTP traffic (YouTube, for example, transmits significant Flash content) could generate an overwhelming number of events.

file rule action: A file rule's action determines how the system handles traffic that matches the conditions of the rule.

Depending on the selected action, you can configure whether the system stores the file or performs Spero, local malware, or dynamic analysis on a file. If you select a Block action, you can also configure whether the system also resets the blocked connection.

Note: File rules are evaluated in rule-action, not numerical, order.

File Rule Actions and Evaluation Order

To be effective, a file policy must contain one or more rules. File rules give you granular control over which file types you want to log, block, or scan for malware.

Each file rule has an associated action that determines how the system handles traffic that matches the conditions of the rule. You can set separate rules within a file policy to take different actions for different file types, application protocols, or directions of transfer. Simple blocking takes precedence over malware inspection and blocking, which takes precedence over simple detection and logging.


The file rule actions are as follows, in rule-action order:

• Block Files rules allow you to block specific file types. You can configure options to reset the connection when a file transfer is blocked, and store captured files to the managed device.

• Block Malware rules allow you to calculate the SHA-256 hash value of specific file types, query the AMP cloud to determine if files traversing your network contain malware, then block files that represent threats.

• Malware Cloud Lookup rules allow you to obtain and log the disposition of files traversing your network, while still allowing their transmission.

• Detect Files rules allow you to log the detection of specific file types to the database, while still allowing their transmission.

Caution: Selecting Detect Files or Block Files, enabling or disabling Store files in a Detect Files or Block Files rule, or adding the first or removing the last file rule that combines the Malware Cloud Lookup or Block Malware file rule action with an analysis option (Spero Analysis for MSEXE, Dynamic Analysis, or Local Malware Analysis) or a store files option (Malware, Unknown, Clean, or Custom), restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort® Restart Traffic Behavior for more information.

Depending on the file rule action, you can configure options to reset the connection when a file transfer is blocked, store captured files to the managed device, locally analyze files for malware, submit captured files to the AMP cloud for dynamic and Spero analysis, and store files that cannot be currently submitted to the cloud for later submission.

Table 4: File Rule Actions

Spero Analysis for MSEXE
  Detect Files capable? no
  Block Files capable? no
  Malware Cloud Lookup capable? yes, you can submit executable files
  Block Malware capable? yes, you can submit executable files

Dynamic Analysis
  Detect Files capable? no
  Block Files capable? no
  Malware Cloud Lookup capable? yes, you can submit executable files with Unknown file dispositions
  Block Malware capable? yes, you can submit executable files with Unknown file dispositions

Capacity Handling
  Detect Files capable? no
  Block Files capable? no
  Malware Cloud Lookup capable? yes
  Block Malware capable? yes

Local Malware Analysis
  Detect Files capable? no
  Block Files capable? no
  Malware Cloud Lookup capable? yes
  Block Malware capable? yes

Reset Connection
  Detect Files capable? no
  Block Files capable? yes (recommended)
  Malware Cloud Lookup capable? no
  Block Malware capable? yes (recommended)

Store files
  Detect Files capable? yes, you can store all matching file types
  Block Files capable? yes, you can store all matching file types
  Malware Cloud Lookup capable? yes, you can store file types matching the file dispositions you select
  Block Malware capable? yes, you can store file types matching the file dispositions you select
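The rule-action evaluation order described above, together with the policy-level clean list, custom detection list and threat score threshold from the File Rules overview, modelled as an added example (not Cisco code). The AMP cloud dispositions, Threat Grid scores and hashes are constructed stand-ins, and the clean list taking precedence over the threat score threshold is an assumption of this model.

```python
"""Added example (not Cisco code): file rule evaluation in rule-action order
(Block Files, Block Malware, Malware Cloud Lookup, Detect Files; rule number
decides within one action) plus the policy-level disposition overrides."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

ACTION_ORDER = ("Block Files", "Block Malware", "Malware Cloud Lookup", "Detect Files")


@dataclass(frozen=True)
class FileRule:
    number: int                 # position in the policy's numbered rule list
    action: str                 # one of ACTION_ORDER
    file_types: FrozenSet[str]  # e.g. {"MSEXE"}; an empty set matches any type
    app_protocol: str = "Any"   # Any, HTTP, SMTP, ...
    direction: str = "Any"      # Any, Download, Upload
    reset_connection: bool = False


@dataclass(frozen=True)
class DetectedFile:
    sha256: str
    file_type: str
    app_protocol: str
    direction: str


@dataclass
class FilePolicy:
    rules: List[FileRule]
    clean_list: FrozenSet[str] = frozenset()
    custom_detection_list: FrozenSet[str] = frozenset()
    threat_score_threshold: Optional[int] = None  # None: option disabled


def rule_matches(rule: FileRule, f: DetectedFile) -> bool:
    return (rule.app_protocol in ("Any", f.app_protocol)
            and rule.direction in ("Any", f.direction)
            and (not rule.file_types or f.file_type in rule.file_types))


def select_rule(rules: List[FileRule], f: DetectedFile) -> Optional[FileRule]:
    """First matching rule in rule-action order, not numerical order."""
    ordered = sorted(rules, key=lambda r: (ACTION_ORDER.index(r.action), r.number))
    return next((r for r in ordered if rule_matches(r, f)), None)


def disposition(policy: FilePolicy, f: DetectedFile, cloud: Dict[str, str],
                threat_scores: Dict[str, int]) -> str:
    """Disposition after the policy-level overrides.

    The custom detection list and clean list win over the cloud lookup
    (assumption: clean list before threat score); a dynamic analysis score
    equal to or worse (higher) than the threshold yields Malware.
    """
    if f.sha256 in policy.custom_detection_list:
        return "Custom Detection"
    if f.sha256 in policy.clean_list:
        return "Clean"
    score = threat_scores.get(f.sha256)
    if (policy.threat_score_threshold is not None and score is not None
            and score >= policy.threat_score_threshold):
        return "Malware"
    return cloud.get(f.sha256, "Unknown")


def evaluate(policy: FilePolicy, f: DetectedFile, cloud: Dict[str, str],
             threat_scores: Dict[str, int]) -> dict:
    """Apply the policy to one detected file: matched rule, verdict, disposition."""
    rule = select_rule(policy.rules, f)
    if rule is None:
        return {"rule": None, "verdict": "allow", "disposition": None, "reset": False}
    if rule.action == "Block Files":  # simple type match, no lookup performed
        return {"rule": rule.number, "verdict": "block", "disposition": None,
                "reset": rule.reset_connection}
    if rule.action == "Detect Files":  # log only
        return {"rule": rule.number, "verdict": "allow", "disposition": None, "reset": False}
    d = disposition(policy, f, cloud, threat_scores)
    blocked = rule.action == "Block Malware" and d in ("Malware", "Custom Detection")
    return {"rule": rule.number, "verdict": "block" if blocked else "allow",
            "disposition": d, "reset": blocked and rule.reset_connection}


# Constructed policy: the broad logging rule is numbered first, yet the
# blocking rules win because evaluation is in rule-action order.
POLICY = FilePolicy(
    rules=[
        FileRule(1, "Detect Files", frozenset(), "HTTP", "Download"),
        FileRule(2, "Block Malware", frozenset({"MSEXE", "PDF"}), reset_connection=True),
        FileRule(3, "Block Files", frozenset({"TORRENT"})),
    ],
    clean_list=frozenset({"HASH_CLEANLISTED"}),
    threat_score_threshold=76,
)
# Constructed stand-ins for the AMP cloud and AMP Threat Grid (placeholder hashes)
CLOUD = {"HASH_KNOWN_MALWARE": "Malware", "HASH_CLEANLISTED": "Malware"}
SCORES = {"HASH_SUSPICIOUS_PDF": 90}

TORRENT_DL = DetectedFile("HASH_TORRENT", "TORRENT", "HTTP", "Download")
EXE_DL = DetectedFile("HASH_KNOWN_MALWARE", "MSEXE", "HTTP", "Download")
PDF_DL = DetectedFile("HASH_SUSPICIOUS_PDF", "PDF", "HTTP", "Download")
LISTED_EXE = DetectedFile("HASH_CLEANLISTED", "MSEXE", "SMTP", "Upload")
MP3_DL = DetectedFile("HASH_MP3", "MP3", "HTTP", "Download")

if __name__ == "__main__":
    for sample in (TORRENT_DL, EXE_DL, PDF_DL, LISTED_EXE, MP3_DL):
        print(sample.file_type, evaluate(POLICY, sample, CLOUD, SCORES))
```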


File Policy Notes and Limitations

File Rule Configuration Notes and Limitations

• A rule configured to block files in a passive deployment does not block matching files. Because the connection continues to transmit the file, if you configure the rule to log the beginning of the connection, you may see multiple events logged for this connection.

• If a file rule is configured with a Malware Cloud Lookup or Block Malware action and the Firepower Management Center cannot establish connectivity with the AMP cloud, the system cannot perform any configured rule action options until connectivity is restored.

• Cisco recommends that you enable Reset Connection for the Block Files and Block Malware actions to prevent blocked application sessions from remaining open until the TCP connection resets. If you do not reset connections, the client session will remain open until the TCP connection resets itself.

• If you are monitoring high volumes of traffic, do not store all captured files, or submit all captured files for dynamic analysis. Doing so can negatively impact system performance.

• You cannot perform malware analysis on all file types detected by the system. After you select values from the Application Protocol, Direction of Transfer, and Action drop-down lists, the system constrains the list of file types.

File Detection Notes and Limitations

• If a file matches a rule with an application protocol condition, file event generation occurs after the system successfully identifies a file's application protocol. Unidentified files do not generate file events.

• FTP transfers commands and data over different channels. In a passive or inline tap mode deployment, the traffic from an FTP data session and its control session may not be load-balanced to the same internal resource.

• If the total number of bytes for all file names for files in a POP3, POP, SMTP, or IMAP session exceeds 1024, file events from the session may not reflect the correct file names for files that were detected after the file name buffer filled.

• When transmitting text-based files over SMTP, some mail clients convert newlines to the CRLF newline character standard. Since Mac-based hosts use the carriage return (CR) character and Unix/Linux-based hosts use the line feed (LF) character, newline conversion by the mail client can modify the size of the file. Note that some mail clients default to newline conversion when processing an unrecognizable file type.

File Blocking Notes and Limitations

• If an end-of-file marker is not detected for a file, regardless of transfer protocol, the file will not be blocked by a Block Malware rule or the custom detection list. The system waits to block the file until the entire file has been received, as indicated by the end-of-file marker, and blocks the file after the marker is detected.


• If the end-of-file marker for an FTP file transfer is transmitted separately from the final data segment, the marker will be blocked and the FTP client will indicate that the file transfer failed, but the file will actually completely transfer to disk.

• File rules with Block Files and Block Malware actions block automatic resumption of file download via HTTP by blocking new sessions with the same file, URL, server, and client application detected for 24 hours after the initial file transfer attempt occurs.

• In rare cases, if traffic from an HTTP upload session is out of order, the system cannot reassemble the traffic correctly and therefore will not block it or generate a file event.

• If you transfer a file over NetBIOS-ssn (such as an SMB file transfer) that is blocked with a Block Files rule, you may see a file on the destination host. However, the file is unusable because it is blocked after the download starts, resulting in an incomplete file transfer.

• If you create file rules to detect or block files transferred over NetBIOS-ssn (such as an SMB file transfer), the system does not inspect files transferred in an established TCP or SMB session started before you deploy an access control policy invoking the file policy, so those files will not be detected or blocked.

Creating File Rules

Access: Admin/Access Admin
Supported Domains: Any
Supported Devices: Any
Classic License: Protection (file control), Malware (AMP for Networks)
Smart License: Threat (file control), Malware (AMP for Networks)

Caution: Selecting Detect Files or Block Files, enabling or disabling Store files in a Detect Files or Block Files rule, or adding the first or removing the last file rule that combines the Malware Cloud Lookup or Block Malware file rule action with an analysis option (Spero Analysis for MSEXE, Dynamic Analysis, or Local Malware Analysis) or a store files option (Malware, Unknown, Clean, or Custom), restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort® Restart Traffic Behavior for more information.

Procedure

Step 1 In the file policy editor, click Add File Rule.

Step 2 Select an Application Protocol and Direction of Transfer as described in File Rule Components, on page 14.

Step 3 Select one or more File Types.

The file types you see depend on the selected application protocol, direction of transfer, and action.

You can filter the list of file types in the following ways:

• Select one or more File Type Categories, then click All types in selected Categories.


• Search for a file type by its name or description. For example, type Windows in the Search name and description field to display a list of Microsoft Windows-specific files.

Tip: Hover your pointer over a file type to view its description.

Step 4 Select a file rule Action as described in File Rule Actions and Evaluation Order, on page 14.

Step 5 Depending on the action you selected, configure whether you want to:

• reset the connection after blocking the file

• store a matching file

• enable Spero analysis

• enable local malware analysis

• enable dynamic analysis and capacity handling

as described in File Rule Actions and Evaluation Order, on page 14.

Step 6 Click Add.

Step 7 Click Save to save the policy.

What to Do Next

• Deploy configuration changes; see Deploy Configuration Changes.

Related Topics

Snort® Restart Scenarios

Cloud Connections

The Firepower System provides connections to the following public cloud-based servers to help you perform Cisco Advanced Malware Protection (AMP):

• AMP cloud—allows you to retrieve AMP for Networks malware dispositions and updates, and AMP for Endpoints scan records, malware detections, quarantines, and indications of compromise (IOC)

• AMP Threat Grid cloud—allows you to submit eligible files for dynamic analysis, and retrieve threat scores and dynamic analysis reports

Depending on your organization's privacy or security needs, you can also deploy private cloud servers:

• An AMP Private Cloud Virtual Appliance (AMPv) acts as a compressed, on-premises AMP cloud.

• An AMP Threat Grid appliance acts as an on-premises AMP Threat Grid cloud that does not contact the public AMP Threat Grid cloud.


AMP Cloud Connections

The Advanced Malware Protection (AMP) cloud is a Cisco-hosted server that uses big data analytics and continuous analysis to help you detect and block malware on your network. Both Cisco AMP solutions use the AMP cloud:

• AMP for Networks uses the AMP cloud to retrieve dispositions for possible malware detected in network traffic by managed devices, and obtain local malware analysis and file pre-classification updates.

• AMP for Endpoints is Cisco's enterprise-class AMP solution. Individual users install lightweight connectors on their computers and mobile devices that communicate with the AMP cloud. The Firepower Management Center can then import records of scans, malware detections, and quarantines, as well as indications of compromise (IOC).

Depending on your deployment, endpoints monitored by AMP for Endpoints may not be the same hosts as those monitored by AMP for Networks. For this reason, endpoint-based malware events do not add hosts to the network map. However, the system uses IP and MAC address data to tag monitored hosts with indications of compromise obtained from your AMP for Endpoints deployment. If two different hosts monitored by different AMP solutions have the same IP and MAC address, the system can incorrectly tag monitored hosts with AMP for Endpoints IOCs.

Use the AMP Management page (AMP > AMP Management) to manage connections to the AMP cloud. By default, a connection to the United States (US) AMP public cloud is configured and enabled for AMP for Networks. You cannot delete or disable an AMP for Networks cloud connection, but you can switch between the European Union (EU) and United States (US) AMP clouds, or configure a private cloud (AMPv) connection.

To add a separate FireAMP connection for endpoints, you must have an account in the FireAMP portal. An AMP for Endpoints connection that has not registered successfully to the portal does not disable AMP for Networks.

Requirements for AMP Cloud Connections

• AMP for Networks - The system uses port 443 to perform malware cloud lookups for AMP for Networks, whether you use a public or private AMP cloud. You must open that port outbound for communications from the Firepower Management Center.

• AMP for Endpoints - The system uses port 443/HTTPS to connect to the Cisco cloud (public or private) to receive endpoint-based malware events. You must open that port, both inbound and outbound, for communications with the Firepower Management Center. Additionally, the Firepower Management Center must have direct access to the Internet. The default health policy includes the AMP Status Monitor, which warns you if the Firepower Management Center cannot connect to the cloud after an initial successful connection, or if the connection is deregistered using the AMP portal.

To use the legacy port for AMP communications, see Collective Security Intelligence Communications Configuration Options, on page 26.

AMP Cloud Connections and Multitenancy

In a multidomain deployment, you configure the AMP for Networks connection at the Global level only. Each Firepower Management Center can have only one AMP for Networks connection. You can configure AMP for Endpoints connections at any domain level, provided you use a separate AMP for Endpoints account for each connection. For example, each client of an MSSP might have its own AMP for Endpoints deployment.


Caution: Cisco strongly recommends you configure AMP for Endpoints connections at the leaf level only, especially if your leaf domains have overlapping IP space. If multiple subdomains have hosts with the same IP-MAC address pair, the system could save endpoint-based malware events to the wrong leaf domain, or associate IOCs with the wrong hosts.

Configuring an AMP for Endpoints Cloud Connection

Access: Admin
Supported Domains: Any
Supported Devices: Any
Classic License: Any
Smart License: Any

If your organization has deployed AMP for Endpoints, you can import threat identifications, indications of compromise (IOC), and other malware-related information from the AMP cloud to the system. You must configure an AMP for Endpoints connection even if you already have an AMP for Networks connection configured.

Caution: In a multidomain deployment, Cisco strongly recommends you configure AMP for Endpoints connections at the leaf level only, especially if your leaf domains have overlapping IP space. If multiple subdomains have hosts with the same IP-MAC address pair, the system could save endpoint-based malware events to the wrong leaf domain, or associate IOCs with the wrong hosts.

Before You Begin

• If you are connecting to the AMP cloud after either restoring your Firepower Management Center to factory defaults or reverting to a previous version, use the AMP for Endpoints management console to remove the previous connection.

Procedure

Step 1 Choose AMP > AMP Management.

Step 2 Click Create AMP Cloud Connection.

Step 3 From the Cloud Name drop-down list, choose the cloud you want to use:

• For the European Union AMP cloud, choose EU Cloud.

• For the United States AMP cloud, choose US Cloud.

• For AMPv, choose Private Cloud and proceed as described in Cisco AMP Private Clouds, on page 21.

Step 4 Check the Use for AMP for Firepower check box if you want to use this cloud for AMP for Networks and AMP for Endpoints.

In a multidomain deployment, this check box appears only in the Global domain. Each Firepower Management Center can have only one AMP for Networks connection.


Step 5 Click Register.

A spinning state icon indicates that a connection is pending, for example, after you configure a connection on the Firepower Management Center, but before you authorize it using the AMP for Endpoints management console. A failed or denied icon ( ) indicates that the cloud denied the connection or the connection failed for another reason.

Step 6 Confirm that you want to continue to the AMP for Endpoints management console, then log into the management console.

Step 7 Using the management console, authorize the AMP cloud to send AMP for Endpoints data to the Firepower Management Center.

Step 8 If you want to restrict the data you receive, select specific groups within your organization for which you want to receive information.

By default, the AMP cloud sends data for all groups. To manage groups, choose Management > Groups on the AMP for Endpoints management console. For detailed information, see the management console online help.

Step 9 Click Allow to enable the connection and start the transfer of data.

Clicking Deny returns you to the Firepower Management Center, where the connection is marked as denied. If you navigate away from the Applications page on the AMP for Endpoints management console, and neither deny nor allow the connection, the connection is marked as pending on the Firepower Management Center's web interface. The health monitor does not alert you of a failed connection in either of these situations. If you want to connect to the AMP cloud later, delete the failed or pending connection, then recreate it.

Incomplete registration of an AMP for Endpoints connection does not disable the AMP for Networks connection.

Cisco AMP Private Clouds

You can configure a Cisco AMP Private Cloud Virtual Appliance (AMPv) to collect AMP endpoint data on your network. AMPv is a proprietary Cisco virtual machine that acts as a compressed, on-premises version of the AMP cloud.

All AMP for Endpoints connectors send data to AMPv, which forwards that data to the Firepower Management Center. AMPv does not share any of your endpoint data over an external connection. The Firepower Management Center connects to the public AMP cloud for disposition queries for files detected in network traffic and receipt of retrospective malware events.

Each private cloud can support as many as 10,000 AMP for Endpoints connectors, and you can configure multiple private clouds.

Use the AMP Management page (AMP > AMP Management) on the Firepower Management Center to manage connections to AMPv.

Note: Dynamic analysis, a component of AMP for Networks, requires that managed devices have direct or proxied access to the AMP Threat Grid cloud or an on-premises AMP Threat Grid appliance on port 443. AMPv does not support dynamic analysis, nor does AMPv support anonymized retrieval of threat intelligence for other features that rely on Cisco Collective Security Intelligence (CSI), such as URL and Security Intelligence filtering.


Connecting to AMPv

Access: Admin
Supported Domains: Any
Supported Devices: Any
Classic License: Malware (AMP for Networks), Any (AMP for Endpoints)
Smart License: Malware (AMP for Networks), Any (AMP for Endpoints)

Before You Begin

• Configure your Cisco AMP private cloud or clouds according to the directions in the AMPv documentation. During configuration, note the private cloud host name. You will need this host name later to configure the connection on the Firepower Management Center.

• Make sure the Firepower Management Center can communicate with AMPv, and confirm that AMPv has internet access so it can communicate with the AMP cloud.

Procedure

Step 1 Choose AMP > AMP Management.

Step 2 Click Create AMP Cloud Connection.

Step 3 From the Cloud Name drop-down list, choose Private Cloud.

Step 4 Enter a Name.

This information appears in malware events that are generated or transmitted by AMPv.

Step 5 In the Host field, enter the private cloud host name that you configured when you set up AMPv.

Step 6 Click Browse next to the Certificate Upload Path field to browse to the location of a valid TLS or SSL encryption certificate for AMPv. For more information, see the AMPv documentation.

Step 7 Check the Use for AMP for Firepower check box if you want to use this private cloud for AMP for Networks and AMP for Endpoints.

If you configured a different private cloud to handle AMP for Networks communications, you can clear this check box; if this is your only AMPv connection, you cannot.

In a multidomain deployment, this check box appears only in the Global domain. Each Firepower Management Center can have only one AMP for Networks connection.

Step 8 To communicate with AMPv using a proxy, check the Use Proxy for Connection check box.

Step 9 Click Register, confirm that you want to disable existing direct connections to the AMP cloud, and finally confirm that you want to continue to the AMPv management console to complete registration.

Step 10 Log into the management console and complete the registration process. For further instructions, see the AMPv documentation.


Managing AMP Cloud and AMPv Connections

Access: Admin
Supported Domains: Any
Supported Devices: Any
Classic License: Malware (AMP for Networks), Any (AMP for Endpoints)
Smart License: Malware (AMP for Networks), Any (AMP for Endpoints)

Use the Firepower Management Center to delete an AMP cloud or AMPv connection if you no longer want to receive malware-related information from the cloud. Note that deregistering a connection using the AMP for Endpoints or AMPv management console does not remove the connection from the system. Deregistered connections display a failed state on the Firepower Management Center web interface.

You can also temporarily disable a connection. When you reenable a cloud connection, the cloud resumes sending data to the system, including queued data from the disabled period.

Caution: For disabled connections, the AMP cloud and AMPv can store malware events, indications of compromise, and so on until you re-enable the connection. In rare cases—for example, with a very high event rate or a long-term disabled connection—the cloud may not be able to store all information generated while the connection is disabled.

In a multidomain deployment, the system displays connections created in the current domain, which you can manage. It also displays connections created in ancestor domains, which you cannot manage. To manage connections in a lower domain, switch to that domain. Each Firepower Management Center can have only one AMP for Networks connection, which belongs to the Global domain.

Procedure

Step 1 Select AMP > AMP Management.

Step 2 Manage your AMP cloud connections:

• Delete— Click the delete icon ( ), then confirm your choice.

• Enable or Disable— Click the slider, then confirm your choice.

Dynamic Analysis Connections

The AMP Threat Grid cloud runs files in a sandbox environment. AMP for Networks uses the cloud to retrieve threat scores and dynamic analysis reports for dynamic analysis-submitted files. With the appropriate license, the system automatically has access to the cloud.


If your organization's security policy does not allow the Firepower System to send files outside of yournetwork, you can configure an on-premises AMP Threat Grid appliance. See the Cisco AMP Threat GridAppliance Setup and Configuration Guide for more information.

Use the Dynamic Analysis Connections page (AMP > Dynamic Analysis Connections) on the Firepower Management Center to manage public dynamic analysis connections to the AMP Threat Grid cloud and a private dynamic analysis connection to an on-premises AMP Threat Grid appliance.

Viewing the Default Dynamic Analysis Connection

Access: Admin/Access Admin/Network Admin
Supported Domains: Global only
Supported Devices: Any
Classic License: Malware
Smart License: Malware

By default, the Firepower Management Center can connect to the public AMP Threat Grid cloud for file submission and report retrieval. You can neither configure nor delete this connection.

Procedure

Step 1 Choose AMP > Dynamic Analysis Connections.

Step 2 Click the edit icon.

Threat Grid On-Premises Appliance

If your organization has privacy or security concerns with submitting files to the public AMP Threat Grid cloud, you can deploy an on-premises AMP Threat Grid appliance. Like the public cloud, the on-premises appliance runs eligible files in a sandbox environment, and returns a threat score and dynamic analysis report to the Firepower System. However, the on-premises appliance does not communicate with the public cloud, or any other system external to your network.

You can connect one on-premises AMP Threat Grid appliance to the Firepower Management Center. See the Cisco AMP Threat Grid Appliance Setup and Configuration Guide for more information.

Even if you configure a dynamic analysis connection to an on-premises appliance, the system still uses the public AMP cloud to perform malware cloud lookups and to verify that files have not been previously submitted for dynamic analysis.

The system also uses the default public dynamic analysis connection to the AMP cloud for public report retrieval. If your on-premises appliance did not generate a dynamic analysis report for the file, the system queries the public AMP cloud for the dynamic analysis report. Unless your organization submits a file, you can only view a scrubbed report containing limited data.


Configuring an On-Premises Dynamic Analysis Connection

Access: Admin/Access Admin/Network Admin
Supported Domains: Global only
Supported Devices: Any
Classic License: Malware
Smart License: Malware

If you install an on-premises AMP Threat Grid appliance on your network, you can configure a dynamic analysis connection to submit files and retrieve reports from the appliance. When configuring the on-premises appliance dynamic analysis connection, you register the Firepower Management Center to the on-premises appliance.

Before You Begin

• Set up an on-premises AMP Threat Grid appliance; see the Cisco AMP Threat Grid Appliance Setup and Configuration Guide.

• Download the public key certificate from the AMP Threat Grid appliance to use for logins to the on-premises appliance; see the Cisco AMP Threat Grid Appliance Administrator's Guide.

• Configure a proxy if you want to connect to the on-premises appliance using a proxy; see Configure Firepower Management Center Management Interfaces.

Procedure

Step 1 Choose AMP > Dynamic Analysis Connections.

Step 2 Click Add New Connection.

Step 3 Enter a Name.

Step 4 Enter a Host URL.

Step 5 Next to Certificate Upload, click Browse to upload the public key certificate you want to use to establish connections with the on-premises appliance.

Step 6 If you want to use a configured proxy to establish the connection, select Use Proxy When Available.

Step 7 Click Register.

Step 8 Click Yes to display the on-premises AMP Threat Grid appliance login page.

Step 9 Enter your username and password to the on-premises AMP Threat Grid appliance.

Step 10 Click Sign in.

Step 11 You have the following options:

• If you previously registered the Firepower Management Center to the on-premises appliance, click Return.

• If you did not register the Firepower Management Center, click Activate.


Collective Security Intelligence Communications Configuration

The Firepower System uses Cisco’s Collective Security Intelligence (CSI) for reputation, risk, and threat intelligence. With the correct licenses, you can specify communications options for the URL Filtering and AMP for Networks features.

URL Filtering and Cisco CSI

URL filtering based on category and reputation requires a data set provided by Cisco Collective Security Intelligence Communications (Cisco CSI).

Generally, by default, when a valid URL Filtering license is applied to an active device, the URL category and reputation data set is downloaded from the Cisco CSI cloud to the Firepower Management Center and pushed to devices. This locally stored data set is updated periodically.

When a user on the network accesses a URL that is addressed by a policy, the system looks for a match in the local (downloaded) data set. If there is no match, the system checks a cache of results previously looked up in the Cisco CSI cloud. If there is still no match, the system looks up the URL in the Cisco CSI cloud and adds the result to the cache.

See also Additional Information on URL Filtering with Category and Reputation.

Collective Security Intelligence Communications Configuration Options

URL Filtering Options

Enable URL Filtering

Allows traffic filtering based on a website’s general classification, or category, and risk level, or reputation. Adding a URL Filtering license automatically enables Enable URL Filtering. URL filtering must be enabled before you can choose other URL filtering options.

When you enable URL filtering, depending on how long since URL filtering was last enabled, or if this is the first time you are enabling URL filtering, the Firepower Management Center retrieves URL data from Cisco CSI.

Enable Automatic Updates

Allows the Firepower Management Center to update your deployment’s URL data automatically. Although URL data typically updates once per day, enabling automatic updates forces the Firepower Management Center to check every 30 minutes. Although daily updates tend to be small, if it has been more than five days since your last update, new URL data may take up to 20 minutes to download, depending on your bandwidth. Then, it may take up to 30 minutes to perform the update itself.

This option is enabled by default when you add a URL filtering license.

If you need strict control of when the system contacts external resources, disable automatic updates and use the scheduler instead. See Automating URL Filtering Updates.


Note

Cisco recommends that you either enable automatic updates or use the scheduler to schedule updates. Although you can manually perform on-demand updates by clicking Update Now, automating the process ensures the most up-to-date, relevant data. You cannot start an on-demand update if an update is already in progress.

Query Cisco CSI for Unknown URLs

Allows the system to submit URLs for threat intelligence evaluation when users browse to a website whose category and reputation are not in the local dataset. Disable this option if you do not want to submit your uncategorized URLs, for example, for privacy reasons.

Connections to uncategorized URLs do not match rules with category or reputation-based URL conditions. You cannot assign categories or reputations to URLs manually.
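The lookup order described under URL Filtering and Cisco CSI (local data set, then the cache of earlier cloud results, then a cloud query whose answer is cached) and the effect of disabling Query Cisco CSI for Unknown URLs, modelled as an added example. This is not Cisco code; the class, the sample URLs and the reputation scale (assumed 1 = high risk to 5 = well known) are constructed for illustration.

```python
# Added example, not part of the Firepower product: models the three-tier URL
# category/reputation lookup described in this guide and the "Query Cisco CSI
# for Unknown URLs" option. All names and sample data are constructed.
from dataclasses import dataclass, field


@dataclass
class UrlLookup:
    local_dataset: dict                      # URL -> (category, reputation), pushed from the FMC
    cloud: dict                              # stand-in for answers the Cisco CSI cloud would give
    query_cloud_for_unknown: bool = True     # "Query Cisco CSI for Unknown URLs" option
    cache: dict = field(default_factory=dict)  # results previously looked up in the cloud
    cloud_queries: int = 0                   # how many URLs actually left the network

    def classify(self, url):
        """Return (category, reputation) or None when the URL stays uncategorized."""
        if url in self.local_dataset:        # 1. local (downloaded) data set
            return self.local_dataset[url]
        if url in self.cache:                # 2. cache of earlier cloud results
            return self.cache[url]
        if not self.query_cloud_for_unknown:  # option disabled: URL is never submitted
            return None
        self.cloud_queries += 1              # 3. cloud lookup; a hit is added to the cache
        result = self.cloud.get(url)
        if result is not None:
            self.cache[url] = result
        return result


def rule_matches(lookup, url, category=None, max_reputation=None):
    """Evaluate a category/reputation URL condition; an uncategorized URL never matches.

    max_reputation uses the assumed scale 1 (high risk) .. 5 (well known), so a
    block rule for "suspicious or worse" would pass max_reputation=2.
    """
    info = lookup.classify(url)
    if info is None:
        return False
    cat, rep = info
    if category is not None and cat != category:
        return False
    if max_reputation is not None and rep > max_reputation:
        return False
    return True
```

With the option disabled, `cloud_queries` stays at zero and unknown URLs fall through every category- or reputation-based rule, which is the privacy trade-off the option description above refers to.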

AMP for Networks Options

Enable Automatic Local Malware Detection Updates

The local malware detection engine statically analyzes and preclassifies files using signatures provided by Cisco. If you enable this option, the Firepower Management Center checks for signature updates once every 30 minutes.

Share URI from Malware Events with Cisco

The system can send information about the files detected in network traffic to the AMP cloud. This information includes URI information associated with detected files and their SHA-256 hash values. Although sharing is opt-in, transmitting this information to Cisco helps future efforts to identify and track malware.

Use Legacy Port 32137 for AMP for Networks

By default, AMP for Networks uses port 443/HTTPS to communicate with the AMP cloud (or AMPv). This option allows AMP for Networks to use port 32137. If you updated from a previous version of the system, this option may be enabled.

Related Topics

Communication Ports Requirements

Configuring Communications with Collective Security Intelligence

Access: Admin
Supported Domains: Any
Supported Devices: Any
Classic License: URL Filtering (URL filtering), Malware (AMP for Networks)
Smart License: URL Filtering (URL filtering), Malware (AMP for Networks)


Before You Begin

If you will use category and reputation-based URL filtering on an NGIPSv device, see the Firepower System Virtual Installation Guide for information on allocating the correct amount of memory.

Procedure

Step 1 Choose System > Integration.

Step 2 Click the Cisco CSI tab.

Step 3 Configure Cisco CSI communications as described in Collective Security Intelligence Communications Configuration Options, on page 26.

Step 4 Click Save.
