- Getting Started With Firepower
-
- Getting Started with Access Control Policies
- Access Control Rules
- Access Control Using Intrusion and File Policies
- HTTP Response Pages and Interactive Blocking
- Security Intelligence Blacklisting
- DNS Policies
- Prefiltering and Prefilter Policies
- Intelligent Application Bypass
- Access Control Using Content Restriction
-
- An Overview of Network Analysis and Intrusion Policies
- Layers in Intrusion and Network Analysis Policies
- Getting Started with Intrusion Policies
- Tuning Intrusion Policies Using Rules
- Tailoring Intrusion Protection to Your Network Assets
- Sensitive Data Detection
- Globally Limiting Intrusion Event Logging
- The Intrusion Rules Editor
- Intrusion Prevention Performance Tuning
- Security, Internet Access, and Communication Ports
- Classic Device Command Line Reference
Firepower Management Center Configuration Guide, Version 6.2.1
- Updated:
- April 25, 2018
Chapter: File Policies and Advanced Malware Protection
File Policies and Advanced Malware Protection
The following topics provide an overview of file control, file policies, file rules, AMP cloud connections, and dynamic analysis connections.
- About File Policies and Advanced Malware Protection
- File Control and Cisco AMP Basics
- File Policies
- File Rules
- Cloud Connections
- Collective Security Intelligence Communications Configuration
About File Policies and Advanced Malware Protection
Malicious software, or malware, can enter your organization’s network via multiple routes. To help you identify and mitigate the effects of malware, Advanced Malware Protection (AMP for Networks, formerly called AMP for Firepower) can detect, track, store, analyze, and optionally block the transmission of malware in network traffic.
You configure AMP for Networks and file control (which allows control over all files of a specific type regardless of whether the files contain malware) as part of your overall access control configuration. File policies that you create and associate with access control rules handle network traffic that matches the rules. You can download files detected in that traffic and run local malware analysis to determine whether the files contain malware. You can also submit files to the AMP Threat Grid cloud for dynamic analysis to determine whether the files represent malware.
The system automatically enables file event, malware event, and captured file logging for active file policies. When a file policy generates a file or malware event, or captures a file, the system also automatically logs the end of the associated connection to the Firepower Management Center database.
To further target your analysis, you can use a malware file’s network file trajectory page to track the spread of an individual threat across hosts over time, allowing you to concentrate outbreak control and prevention efforts where most useful.
 Tip | If your organization uses AMP for Endpoints, the system can import and display endpoint-based data alongside any data gathered by AMP for Networks. Importing this data does not require a license. |
If your organization requires additional security or wants to limit outside connections, you can use a Cisco AMP Private Cloud Virtual Appliance (AMPv). AMPv privately collects AMP for Endpoints events and forwards them to the Firepower Management Center.
File Control and Cisco AMP Basics
- AMP for Networks
- File Control without AMP for Networks
- AMP for Endpoints
- AMP for Networks vs. AMP for Endpoints
AMP for Networks
AMP for Networks allows you to detect, store, track, analyze, and block malware on your network using managed devices deployed inline. AMP for Networks can block many types of malware files, including PDFs and Microsoft Office documents.
File Detection and Storage
With AMP for Networks, managed devices monitor network traffic for transmissions of certain file types.
When a device detects an eligible file, it sends the file's SHA-256 hash value to the Firepower Management Center. The Firepower Management Center performs a malware cloud lookup, querying the AMP cloud for the file's disposition. The device can also store an eligible file to its hard drive or malware storage pack using the file storage feature. You can view captured file information in the event viewer, and download a copy for offline analysis.
File Analysis
The system applies several methods of file inspection and analysis to determine whether a file contains malware.
 Note | Based on your configuration, you can either inspect a file the first time the system detects it, and wait for a cloud lookup result, or pass the file on this first detection without waiting for the cloud lookup result. |
Based on whether you enable the option in a file rule, the system inspects files in the following order:
- Spero Analysis
-
If the file is an eligible executable file, the device can analyze the file's structure and submit the resulting Spero signature to the AMP Threat Grid cloud. The cloud uses this signature to determine if the file contains malware.
- Local Malware Analysis
-
Using a local malware inspection engine, the device examines an eligible file, blocks it if the file contains malware and the file rule is configured to do so, and generates malware events.
The device also generates a file composition report detailing a file's properties, embedded objects, and possible malware.
- Dynamic Analysis
-
If the device preclassifies files as possible malware, it submits these files to the AMP Threat Grid cloud or an AMP Threat Grid on-premises appliance for dynamic analysis, regardless of whether the device stores the file.
The AMP Threat Grid cloud or on-premises AMP Threat Grid appliance runs the file in a sandbox environment to determine whether the file is malicious, and returns a threat score that describes the likelihood a file contains malware. From the threat score, you can view a dynamic analysis summary report that details why the cloud assigned the threat score.
File and Malware Events and Captured Files
Based on the file analysis results, you can review captured files and generated malware and file events from the event viewer. When available, you can examine a file's composition, disposition, threat score, and dynamic analysis summary report for further insight into the malware analysis. You can also access the network file trajectory, which displays a map of how the file traversed your network, passing among hosts, as well as various file properties.
Archive Files
The system can inspect up to three levels of nested files beneath the outermost archive file (level 0) if the file is an archive (such as .zip or .rar archive files). You can inspect archive files as large as the Maximum file size to store advanced access control setting.
If any individual file matches a file rule with a block action, the system blocks the entire archive, not just the individual file. The system can also block archives that exceed a specified level of nesting, or whose contents are encrypted or otherwise cannot be inspected.
File Tracking
If a file has a disposition in the AMP cloud that you know to be incorrect, you can add the file’s SHA-256 value to a file list:
-
To treat a file as if the AMP cloud assigned a clean disposition, add the file to the clean list.
-
To treat a file as if the AMP cloud assigned a malware disposition, add the file to the custom detection list.
On subsequent detection, the device either allows or blocks the file without reevaluating the file's disposition. You can use the clean list or custom detection list per file policy.
Note | You must configure a rule in the file policy to either perform a malware cloud lookup or block malware on matching files to calculate a file's SHA-256 value. |
Malware Dispositions
The system determines file dispositions based on the disposition returned by the AMP cloud. To improve performance, if the system already knows the disposition for a file based on its SHA-256 value, the Firepower Management Center uses the cached disposition rather than querying the AMP cloud. Based on its disposition, the system can block the file. If any nested file inside an archive file is blocked, the system blocks the entire archive file.
A file can have one of the following file dispositions as a result of addition to a file list, or due to threat score:
-
Malware indicates that the AMP cloud categorized the file as malware, local malware analysis identified malware, or the file’s threat score exceeded the malware threshold defined in the file policy.
-
Clean indicates that the AMP cloud categorized the file as clean, or that a user added the file to the clean list.
-
Unknown indicates that the system queried the AMP cloud, but the file has not been assigned a disposition; in other words, the AMP cloud has not categorized the file.
-
Custom Detection indicates that a user added the file to the custom detection list.
-
Unavailable indicates that the system could not query the AMP cloud. You may see a small percentage of events with this disposition; this is expected behavior.
Archive files have dispositions based on the dispositions assigned to the files inside the archive. All archives that contain identified malware files receive a disposition of Malware. Archives without identified malware files receive a disposition of Unknown if they contain any unknown files, and a disposition of Clean if they contain only clean files.
Archive files, like other files, may have dispositions of Custom Detection or Unavailable if the conditions for those dispositions apply.
Tip | If you see several Unavailable malware events in quick succession, make sure the Firepower Management Center can contact the AMP cloud. |
Note that file dispositions can change. For example, the AMP cloud can determine that a file that was previously thought to be clean is now identified as malware, or the reverse—that a malware-identified file is actually clean. When the disposition changes for a file you queried in the last week, the AMP cloud notifies the system so it can automatically take action the next time it detects that file being transmitted. A changed disposition is called a retrospective disposition.
Dispositions returned from an AMP cloud query, associated threat scores, and dispositions assigned by local malware analysis, have a time-to-live (TTL) value. After a disposition has been held for the duration specified in the TTL value without update, the system purges the cached information. Dispositions and associated threat scores have the following TTL values:
If a query against the cache identifies a cached disposition that timed out, the system re-queries the AMP cloud for a new disposition.
File Control without AMP for Networks
If your organization wants to block not only the transmission of malware files, but all files of a specific type (regardless of whether the files contain malware), the file control feature allows you to cast a wider net. As with AMP for Networks, managed devices monitor network traffic for transmissions of specific file types, then either block or allow the file.
File control is supported for all file types where the system can detect malware, plus many additional file types. These file types are grouped into basic categories, including multimedia (swf, mp3), executables (exe, torrent), and PDFs. Note that file control, unlike AMP for Networks, does not require queries of the AMP cloud.
AMP for Endpoints
AMP for Endpoints is Cisco’s enterprise-class Advanced Malware Protection solution that discovers, understands, and blocks advanced malware outbreaks, advanced persistent threats, and targeted attacks. The following diagram details the general flow of information using AMP for Endpoints.
If your organization uses AMP for Endpoints, individual users install lightweight connectors on endpoints: computers and mobile devices. Connectors can inspect files upon upload, download, execution, open, copy, move, and so on. These connectors communicate with the AMP cloud to determine if inspected files contain malware.
When a file is positively identified as malware, the AMP cloud sends the threat identification to the Firepower Management Center. The AMP cloud can also send other kinds of information to the Firepower Management Center, including data on scans, quarantines, blocked executions, and cloud recalls. The Firepower Management Center logs this information as malware events.
AMP for Endpoints can generate indications of compromise (IOC) when a host’s security may be compromised. The Firepower System can display this IOC information for its monitored hosts. Cisco occasionally develops new IOC types for endpoint-based malware events, which the system automatically downloads.
With AMP for Endpoints, you can not only configure Management Center-initiated remediations and alerts based on malware events, but you can also use the AMP for Endpoints management console help you mitigate the effect of malware. The management console provides a robust, flexible web interface where you control all aspects of your AMP for Endpoints deployment and manage all phases of an outbreak. You can:
-
configure custom malware detection policies and profiles for your entire organization, as well as perform flash and full scans on all your users’ files
-
perform malware analysis, including view heat maps, detailed file information, network file trajectory, and threat root causes
-
configure multiple aspects of outbreak control, including automatic quarantines, application blocking to stop non-quarantined executables from running, and exclusion lists
-
create custom protections, block execution of certain applications based on group policy, and create custom whitelists
Tip
For detailed information on AMP for Endpoints, see the AMP for Endpoints management console.
AMP for Networks vs. AMP for Endpoints
You can use the Firepower System to work with data from both AMP for Networks and AMP for Endpoints.
Because AMP for Endpoints malware detection is performed at the endpoint at download or execution time, while managed devices detect malware in network traffic, the information in the two types of malware events is different. For example, endpoint-based malware events contain information on file path, invoking client application, and so on, while malware detections in network traffic contain port, application protocol, and originating IP address information about the connection used to transmit the file.
As another example, for network-based malware events, user information represents the user most recently logged into the host where the malware was destined, as determined by network discovery. But AMP for Endpoints-reported users represent the user currently logged into the endpoint where the malware was detected.
Note | Depending on your deployment, endpoints monitored by AMP for Endpoints may not be the same hosts as those monitored by AMP for Networks. For this reason, endpoint-based malware events do not add hosts to the network map. However, the system uses IP and MAC address data to tag monitored hosts with indications of compromise obtained from your AMP for Endpoints deployment. If two different hosts monitored by different AMP solutions have the same IP and MAC address, the system can incorrectly tag monitored hosts with AMP for Endpoints IOCs. |
The following table summarizes the differences between the two strategies.
File Policies
A file policy is a set of configurations that the system uses to perform AMP for Networks and file control, as part of your overall access control configuration. This association ensures that before the system passes a file in traffic that matches an access control rule’s conditions, it first inspects the file. Consider the following diagram of a simple access control policy in an inline deployment.
The policy has two access control rules, both of which use the Allow action and are associated with file policies. The policy’s default action is also to allow traffic, but without file policy inspection. In this scenario, traffic is handled as follows:
-
Traffic that does not match Rule 1 is evaluated against Rule 2. Traffic that matches Rule 2 is inspected by File Policy B.
-
Traffic that does not match either rule is allowed; you cannot associate a file policy with the default action.
You can associate a single file policy with an access control rule whose action is Allow, Interactive Block, or Interactive Block with reset. The system then uses that file policy to inspect network traffic that meets the conditions of the access control rule.
By associating different file policies with different access control rules, you have granular control over how you identify and block files transmitted on your network. Note, however, that you cannot use a file policy to inspect traffic handled by the access control default action.
File Policy Advanced Configuration
Advanced File Inspection Configuration Notes
In a file policy, you can configure advanced options to block files on the custom detection list, allow files on the clean list, and set a threshold threat score above which files are considered malware.
You can also configure your file policy to inspect the contents of archive files, allowing you to analyze and block archive files according to your organization’s needs. All features applicable to uncompressed files (such as dynamic analysis and file storage) are available for nested files inside archive files.
Archive File Inspection Notes
Some archive files contain additional archive files (and so on). The level at which a file is nested is its archive file depth. Note that the top-level archive file is not considered in the depth count; depth begins at 1 with the first nested file.
Although the system can only inspect up to 3 levels of nested archive files, you can configure your file policy to block archive files that exceed that depth (or a lower maximum depth that you specify). If you want to restrict nested archives further, you have the option to configure a lower maximum file depth of 2 or 1.
If you choose not to block files that exceed the maximum archive file depth of 3, when archive files that contain some extractable contents and some contents nested at a depth of 3 or greater appear in monitored traffic, the system examines and reports data only for the files it was able to inspect.
Note | If traffic that contains an archive file is blacklisted or whitelisted by Security Intelligence, or if the top-level archive file’s SHA-256 value is on the custom detection list, the system does not inspect the contents of the archive file. If a nested file is blacklisted, the entire archive is blocked; however, if a nested file is whitelisted, the archive is not automatically passed (depending on any other nested files and characteristics). |
If your file policy is configured to inspect archive file contents, you can use the event viewer context menu and the network file trajectory viewer to view information about the files inside an archive when the archive file appears in a file event, malware event, or as a captured file.
All file contents of the archive are listed in table form, with a short summary of their relevant information: name, SHA-256 hash value, type, category, and archive depth. A network file trajectory icon appears by each file, which you can click to view further information about that specific file.
Note that you can only inspect archive files as large as the Maximum file size to store advanced access control setting.
File Policy Configuration Notes and Limitations
-
For a new policy, the web interface indicates that the policy is not in use. If you are editing an in-use file policy, the web interface tells you how many access control policies use the file policy. In either case, you can click the text to jump to the Access Control Policies page.
-
For an access control policy using a file policy with Block Malware rules for FTP, if you set the default action to an intrusion policy with Drop when Inline disabled, the system generates events for detected files or malware matching the rules, but does not drop the files. To block FTP file transfers and use an intrusion policy as the default action for the access control policy where you select the file policy, you must select an intrusion policy with Drop when Inline enabled.
Managing File Policies
|
Smart License |
Classic License |
Supported Devices |
Supported Domains |
Access |
|---|---|---|---|---|
|
Threat (file control) Malware (AMP for Networks) |
Protection (file control) Malware (AMP for Networks) |
Any |
Any |
Admin/Access Admin |
The File Policies page displays a list of existing file policies along with their last-modified dates. You can use this page to manage your file policies.
In a multidomain deployment, the system displays policies created in the current domain, which you can edit. It also displays policies created in ancestor domains, which you cannot edit. To view and edit policies created in a lower domain, switch to that domain.
Note | The system checks the AMP cloud for updates to the list of file types eligible for dynamic analysis (no more than once a day). If the list of eligible file types changes, this constitutes a change in the file policy; any access control policy using the file policy is marked out-of-date if deployed to any devices. You must deploy policies before the updated file policy can take effect on the device. |
| Step 1 | Select . |
| Step 2 | Manage your file
policies:
|
).
),
then click
);
see
Creating a File Policy
|
Smart License |
Classic License |
Supported Devices |
Supported Domains |
Access |
|---|---|---|---|---|
|
Threat (file control) Malware (AMP for Networks) |
Protection (file control) Malware (AMP for Networks) |
Any |
Any |
Admin/Access Admin |
| Step 1 | Select
.
| ||
| Step 2 | Click New File Policy. | ||
| Step 3 | Enter a Name and optional Description for your new policy. | ||
| Step 4 | Click Save. | ||
| Step 5 | Add one or more rules to the file policy as described in Creating File Rules. | ||
| Step 6 | Optionally, select the Advanced tab and configure advanced options as described in Advanced and Archive File Inspection Options. | ||
| Step 7 | Save the file policy. |
),
then type a unique name for the new policy in the dialog box that appears. You
can then modify the copy.
What to Do Next
-
Add the file policy to an access control rule as described in Access Control Rule Configuration to Perform File Control and Malware Protection.
-
Deploy configuration changes; see Deploy Configuration Changes.
Advanced and Archive File Inspection Options
The Advanced tab in the file policy editor has the following general options:
-
First Time File Analysis—Submit a file for file analysis that the system detects for the first time. The file must match a rule configured to perform a malware cloud lookup and Spero, local malware, or dynamic analysis. If you disable this option, files detected for the first time are marked with an Unknown disposition.
-
Enable Custom Detection List—Block files on the custom detection list.
-
Mark files as malware based on dynamic analysis threat score—Set a threshold threat score; files with scores equal or worse than the threshold are considered malware.
If you select lower threshold values, you increase the number of files treated as malware. Depending on the action selected in your file policy, this can result in an increase of blocked files.
The Advanced tab in the file policy editor has the following archive file inspection options:
-
Inspect Archives—Enables inspection of the contents of archive files, for archive files as large as the Maximum file size to store advanced access control setting.
Caution
For Classic devices only, enabling or disabling Inspect Archives restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort® Restart Traffic Behavior for more information. -
Block Encrypted Archives—Blocks archive files that have encrypted contents.
-
Block Uninspectable Archives—Blocks archive files with contents that the system is unable to inspect for reasons other than encryption. This usually applies to corrupted files, or those that exceed your specified maximum archive depth.
-
Max Archive Depth—Blocks nested archive files that exceed the specified depth. The top-level archive file is not considered in this count; depth begins at 1 with the first nested file .
Editing a File Policy
|
Smart License |
Classic License |
Supported Devices |
Supported Domains |
Access |
|---|---|---|---|---|
|
Threat (file control) Malware (AMP for Networks) |
Protection (file control) Malware (AMP for Networks) |
Any |
Any |
Admin/Access Admin |
| Step 1 | Select . |
| Step 2 | Click the edit
icon ( )
next to the file policy you want to edit.
If a view icon ( )
appears instead, the configuration belongs to an ancestor domain, or you do not
have permission to modify the configuration.
|
| Step 3 | You have the
following options:
|
What to Do Next
-
Deploy configuration changes; see Deploy Configuration Changes.
File Rules
A file policy, like its parent access control policy, contains rules that determine how the system handles files that match the conditions of each rule. You can configure separate file rules to take different actions for different file types, application protocols, or directions of transfer.
Once a file matches a rule, the rule can:
In addition, the file policy can:
-
automatically treat a file as if it is clean or malware based on entries in the clean list or custom detection list
-
treat a file as if it is malware if the file’s threat score exceeds a configurable threshold
-
inspect the contents of archive files (such as .zip or .rar)
-
block archive files whose contents are encrypted, nested beyond a specified maximum archive depth, or otherwise uninspectable
- File Rule Components
- File Rule Actions and Evaluation Order
- File Policy Notes and Limitations
- Creating File Rules
File Rule Components
File Rule Actions and Evaluation Order
To be effective, a file policy must contain one or more rules. File rules give you granular control over which file types you want to log, block, or scan for malware.
Each file rule has an associated action that determines how the system handles traffic that matches the conditions of the rule. You can set separate rules within a file policy to take different actions for different file types, application protocols, or directions of transfer. Simple blocking takes precedence over malware inspection and blocking, which takes precedence over simple detection and logging.
The file rule actions are as follows, in rule-action order:
-
Block Files rules allow you to block specific file types. You can configure options to reset the connection when a file transfer is blocked, and store captured files to the managed device.
-
Block Malware rules allow you to calculate the SHA-256 hash value of specific file types, query the AMP cloud to determine if files traversing your network contain malware, then block files that represent threats.
-
Malware Cloud Lookup rules allow you to obtain and log the disposition of files traversing your network, while still allowing their transmission.
-
Detect Files rules allow you to log the detection of specific file types to the database, while still allowing their transmission.
Caution | Enabling or disabling Store files in a Detect Files or Block Files rule, or adding the first or removing the last file rule that combines the Malware Cloud Lookup or Block Malware file rule action with an analysis option (Spero Analysis or MSEXE, Dynamic Analysis, or Local Malware Analysis) or a store files option (Malware, Unknown, Clean, or Custom), restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort® Restart Traffic Behavior for more information. |
Depending on the file rule action, you can configure options to reset the connection when a file transfer is blocked, store captured files to the managed device, locally analyze files for malware, submit captured files to the AMP cloud for dynamic and Spero analysis, and store files that cannot be currently submitted to the cloud for later submission.
|
File Rule Action Option |
Block Files capable? |
Block Malware capable? |
Detect Files capable? |
Malware Cloud Lookup capable? |
|---|---|---|---|---|
|
Spero Analysis for MSEXE |
no |
yes, you can submit executable files |
no |
yes, you can submit executable files |
|
Dynamic Analysis |
no |
yes, you can submit executable files with Unknown file dispositions |
no |
yes, you can submit executable files with Unknown file dispositions |
|
Capacity Handling |
no |
yes |
no |
yes |
|
Local Malware Analysis |
no |
yes |
no |
yes |
|
Reset Connection |
yes (recommended) |
yes (recommended) |
no |
no |
|
Store files |
yes, you can store all matching file types |
yes, you can store file types matching the file dispositions you select |
yes, you can store all matching file types |
yes, you can store file types matching the file dispositions you select |
File Policy Notes and Limitations
File Rule Configuration Notes and Limitations
-
A rule configured to block files in a passive deployment does not block matching files. Because the connection continues to transmit the file, if you configure the rule to log the beginning of the connection, you may see multiple events logged for this connection.
-
If a file rule is configured with a Malware Cloud Lookup or Block Malware action and the Firepower Management Center cannot establish connectivity with the AMP cloud, the system cannot perform any configured rule action options until connectivity is restored.
-
Cisco recommends that you enable Reset Connection for the Block Files and Block Malware actions to prevent blocked application sessions from remaining open until the TCP connection resets. If you do not reset connections, the client session will remain open until the TCP connection resets itself.
-
If you are monitoring high volumes of traffic, do not store all captured files, or submit all captured files for dynamic analysis. Doing so can negatively impact system performance.
-
You cannot perform malware analysis on all file types detected by the system. After you select values from the Application Protocol, Direction of Transfer, and Action drop-down lists, the system constrains the list of file types.
File Detection Notes and Limitations
-
If adaptive profiling is not enabled, access control rules cannot perform file control, including AMP.
-
If a file matches a rule with an application protocol condition, file event generation occurs after the system successfully identifies a file’s application protocol. Unidentified files do not generate file events.
-
FTP transfers commands and data over different channels. In a passive or inline tap mode deployment, the traffic from an FTP data session and its control session may not be load-balanced to the same internal resource.
-
If the total number of bytes for all file names for files in a POP3, POP, SMTP, or IMAP session exceeds 1024, file events from the session may not reflect the correct file names for files that were detected after the file name buffer filled.
-
When transmitting text-based files over SMTP, some mail clients convert newlines to the CRLF newline character standard. Since Mac-based hosts use the carriage return (CR) character and Unix/Linux-based hosts use the line feed (LF) character, newline conversion by the mail client can modify the size of the file. Note that some mail clients default to newline conversion when processing an unrecognizable file type.
File Blocking Notes and Limitations
-
If an end-of-file marker is not detected for a file, regardless of transfer protocol, the file will not be blocked by a Block Malware rule or the custom detection list. The system waits to block the file until the entire file has been received, as indicated by the end-of-file marker, and blocks the file after the marker is detected.
-
If the end-of-file marker for an FTP file transfer is transmitted separately from the final data segment, the marker will be blocked and the FTP client will indicate that the file transfer failed, but the file will actually completely transfer to disk.
-
File rules with Block Files and Block Malware actions block automatic resumption of file download via HTTP by blocking new sessions with the same file, URL, server, and client application detected for 24 hours after the initial file transfer attempt occurs.
-
In rare cases, if traffic from an HTTP upload session is out of order, the system cannot reassemble the traffic correctly and therefore will not block it or generate a file event.
-
If you transfer a file over NetBIOS-ssn (such as an SMB file transfer) that is blocked with a Block Files rule, you may see a file on the destination host. However, the file is unusable because it is blocked after the download starts, resulting in an incomplete file transfer.
-
If you create file rules to detect or block files transferred over NetBIOS-ssn (such as an SMB file transfer), the system does not inspect files transferred in an established TCP or SMB session started before you deploy an access control policy invoking the file policy so those files will not be detected or blocked.
-
If you configure Firepower Threat Defense high availability, and failover occurs while while the original active device is identifying the file, the file type is not synced. Even if your file policy blocks that file type, the new active device downloads the file.
Creating File Rules
|
Smart License |
Classic License |
Supported Devices |
Supported Domains |
Access |
|---|---|---|---|---|
|
Threat (file control) Malware (AMP for Networks) |
Protection (file control) Malware (AMP for Networks) |
Any |
Any |
Admin/Access Admin |
Caution | Enabling or disabling Store files in a Detect Files or Block Files rule, or adding the first or removing the last file rule that combines the Malware Cloud Lookup or Block Malware file rule action with an analyis option (Spero Analysis or MSEXE, Dynamic Analysis, or Local Malware Analysis) or a store files option (Malware, Unknown, Clean, or Custom), restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort® Restart Traffic Behavior for more information. |
| Step 1 | In the file policy editor, click Add File Rule. | ||
| Step 2 | Select an Application Protocol and Direction of Transfer as described in File Rule Components. | ||
| Step 3 | Select one or more File Types.
The file types you see depend on the selected application protocol, direction of transfer, and action. You can filter the list of file types in the following ways:
| ||
| Step 4 | Select a file rule Action as described in File Rule Actions and Evaluation Order. | ||
| Step 5 | Depending on
the action you selected, configure whether you want to:
as described in File Rule Actions and Evaluation Order. | ||
| Step 6 | Click Add. | ||
| Step 7 | Click Save to save the policy. |
What to Do Next
-
Deploy configuration changes; see Deploy Configuration Changes.
Cloud Connections
The Firepower System provides connections to the following public cloud-based servers to help you perform Cisco Advanced Malware Protection (AMP):
-
AMP cloud—allows you to retrieve AMP for Networks malware dispositions and updates, and AMP for Endpoints scan records, malware detections, quarantines, and indications of compromise (IOC)
-
AMP Threat Grid cloud—allows you to submit eligible files for dynamic analysis, and retrieve threat scores and dynamic analysis reports
Depending on your organization's privacy or security needs, you can also deploy private cloud servers:
AMP Cloud Connections
The Advanced Malware Protection (AMP) cloud is a Cisco-hosted server that uses big data analytics and continuous analysis to help you detect and block malware on your network. Both Cisco AMP solutions use the AMP cloud:
-
AMP for Networks uses the AMP cloud to retrieve dispositions for possible malware detected in network traffic by managed devices, and obtain local malware analysis and file pre-classification updates.
-
AMP for Endpoints is Cisco’s enterprise-class AMP solution. Individual users install lightweight connectors on their computers and mobile devices that communicate with the AMP cloud. The Firepower Management Center can then import records of scans, malware detections, and quarantines, as well as indications of compromise (IOC).
Depending on your deployment, endpoints monitored by AMP for Endpoints may not be the same hosts as those monitored by AMP for Networks. For this reason, endpoint-based malware events do not add hosts to the network map. However, the system uses IP and MAC address data to tag monitored hosts with indications of compromise obtained from your AMP for Endpoints deployment. If two different hosts monitored by different AMP solutions have the same IP and MAC address, the system can incorrectly tag monitored hosts with AMP for Endpoints IOCs.
Use the AMP Management page () to manage connections to the AMP cloud. By default, a connection to the United States (US) AMP public cloud is configured and enabled for AMP for Networks. You cannot delete or disable an AMP for Networks cloud connection, but you can switch between the European Union (EU) and United States (US) AMP clouds, or configure a private cloud (AMPv) connection.
To add a separate FireAMP connection for endpoints, you must have an account in the FireAMP portal. An AMP for Endpoints connection that has not registered successfully to the portal does not disable AMP for Networks.
Requirements for AMP Cloud Connections
-
AMP for networks - The system uses port 443 to perform malware cloud lookups for AMP for networks, whether you use a public or private AMP cloud. You must open that port outbound for communications from the Firepower Management Center.
-
AMP for endpoints - The system uses port 443/HTTPS to connect to the Cisco cloud (public or private) to receive endpoint-based malware events. You must open that port, both inbound and outbound, for communications with the Firepower Management Center. Additionally, the Firepower Management Center must have direct access to the Internet. The default health policy includes the AMP Status Monitor, which warns you if the Firepower Management Center cannot connect to the cloud after an initial successful connection, or if the connection is deregistered using the AMP portal.
To use the legacy port for AMP communications, see Collective Security Intelligence Communications Configuration Options.
AMP and High Availability
Although they share file policies and related configurations, Firepower Management Centers in a high availability pair share neither cloud connections nor captured files, file events, and malware events. To ensure continuity of operations, and to ensure that detected files’ malware dispositions are the same on both Firepower Management Centers, both Active and Standby Firepower Management Centers must have access to the cloud.
In high availability configurations, you must configure AMP cloud connections independently on the Active and Standby instances of the Firepower Management Center; these configurations are not synchronized.
These requirements apply to both public and private AMP clouds.
AMP Cloud Connections and Multitenancy
In a multidomain deployment, you configure the AMP for Networks connection at the Global level only. Each Firepower Management Center can have only one AMP for Networks connection. You can configure AMP for Endpoints connections at any domain level, provided you use a separate AMP for Endpoints account for each connection. For example, each client of an MSSP might have its own AMP for Endpoints deployment.
Caution | Cisco strongly recommends you configure AMP for Endpoints connections at the leaf level only, especially if your leaf domains have overlapping IP space. If multiple subdomains have hosts with the same IP-MAC address pair, the system could save endpoint-based malware events to the wrong leaf domain, or associate IOCs with the wrong hosts. |
- Configuring an AMP for Endpoints Cloud Connection
- Cisco AMP Private Clouds
- Managing AMP Cloud and AMPv Connections
Configuring an AMP for Endpoints Cloud Connection
|
Smart License |
Classic License |
Supported Devices |
Supported Domains |
Access |
|---|---|---|---|---|
|
Any |
Any |
Any |
Any |
Admin |
If your organization has deployed AMP for Endpoints, you can import threat identifications, indications of compromise (IOC), and other malware-related information from the AMP cloud to the system. You must configure an AMP for Endpoints connection even if you already have a AMP for Networks connection configured.
Caution | In a multidomain deployment, Cisco strongly recommends you configure AMP for Endpoints connections at the leaf level only, especially if your leaf domains have overlapping IP space. If multiple subdomains have hosts with the same IP-MAC address pair, the system could save endpoint-based malware events to the wrong leaf domain, or associate IOCs with the wrong hosts. |
| Step 1 | Choose . |
| Step 2 | Click Create AMP Cloud Connection. |
| Step 3 | From the
Cloud Name drop-down list, choose the cloud you want
to use:
|
| Step 4 | Check the Use for AMP for Firepower check box if you want to use this cloud for AMP for Networks and AMP for Endpoints.
In a multidomain deployment, this check box appears only in the Global domain. Each Firepower Management Center can have only one AMP for Networks connection. |
| Step 5 | Click
Register.
A spinning state icon indicates that a connection is pending,
for example, after you configure a connection on the
Firepower Management
Center,
but before you authorize it using the AMP for Endpoints management console. A
failed or denied icon ( |
| Step 6 | Confirm that you want to continue to the AMP for Endpoints management console, then log into the management console. |
| Step 7 | Using the management console, authorize the AMP cloud to send AMP for Endpoints data to the Firepower Management Center. |
| Step 8 | If you want to restrict the data you receive, select specific
groups within your organization for which you want to receive information.
By default, the AMP cloud sends data for all groups. To manage groups, choose on the AMP for Endpoints management console. For detailed information, see the management console online help. |
| Step 9 | Click
Allow to enable the connection and start the
transfer of data.
Clicking Deny returns you to the Firepower Management Center, where the connection is marked as denied. If you navigate away from the Applications page on the AMP for Endpoints management console, and neither deny nor allow the connection, the connection is marked as pending on the Firepower Management Center’s web interface. The health monitor does not alert you of a failed connection in either of these situations. If you want to connect to the AMP cloud later, delete the failed or pending connection, then recreate it. Incomplete registration of an AMP for Endpoints connection does not disable the AMP for Networks connection. |
)
indicates that the cloud denied the connection or the connection failed for
another reason.
What to Do Next
In high availability configurations, you must configure AMP cloud connections independently on the Active and Standby instances of the Firepower Management Center; these configurations are not synchronized.
Cisco AMP Private Clouds
You can configure a Cisco AMP Private Cloud Virtual Appliance (AMPv) to collect AMP endpoint data on your network. AMPv is a proprietary Cisco virtual machine that acts as a compressed, on-premises version of the AMP cloud.
All AMP for Endpoints connectors send data to AMPv, which forwards that data to the Firepower Management Center. AMPv does not share any of your endpoint data over an external connection. The Firepower Management Center connects to the public AMP cloud for disposition queries for files detected in network traffic and receipt of retrospective malware events.
Your organization may have privacy or security concerns that make frequent or direct connections between your monitored network and the AMP cloud difficult or impossible. In these situations, you can configure a Cisco AMP Private Cloud Virtual Appliance (AMPv). AMPv is a proprietary Cisco virtual machine that acts as a compressed, on-premises version of the AMP cloud, as well as a secure mediator between your network and the AMP cloud. Connecting a Firepower Management Center to AMPv disables existing direct connections to the AMP cloud.
All connections to the AMP cloud—whether for AMP for Networks or AMP for Endpoints—funnel through AMPv, which acts as an anonymized proxy to ensure the security and privacy of your monitored network. This includes disposition queries for files detected in network traffic, receiving of retrospective malware events, importing AMP for Endpoints data, and so on. AMPv does not share any of your endpoint data over an external connection.
Each private cloud can support as many as 10,000 AMP for Endpoints connectors, and you can configure multiple private clouds.
Use the AMP Management page () on the Firepower Management Center to manage connections to AMPv.
Note | Dynamic analysis, a component of AMP for Networks, requires that managed devices have direct or proxied access to the AMP Threat Grid cloud or an on-premises AMP Threat Grid appliance on port 443. AMPv does not support dynamic analysis, nor does AMPv support anonymized retrieval of threat intelligence for other features that rely on Cisco Collective Security Intelligence (CSI), such as URL and Security Intelligence filtering. |
Connecting to AMPv
|
Smart License |
Classic License |
Supported Devices |
Supported Domains |
Access |
|---|---|---|---|---|
|
Malware (AMP for Networks) Any (AMP for Endpoints) |
Malware (AMP for Networks) Any (AMP for Endpoints) |
Any |
Any |
Admin |
-
Configure your Cisco AMP private cloud or clouds according to the directions in the AMPv documentation. During configuration, note the private cloud host name. You will need this host name later to configure the connection on the Firepower Management Center.
-
Make sure the Firepower Management Center can communicate with AMPv, and confirm that AMPv has internet access so it can communicate with the AMP cloud.
| Step 1 | Choose . |
| Step 2 | Click Create AMP Cloud Connection. |
| Step 3 | From the Cloud Name drop-down list, choose Private Cloud. |
| Step 4 | Enter a
Name.
This information appears in malware events that are generated or transmitted by AMPv. |
| Step 5 | In the Host field, enter the private cloud host name that you configured when you set up AMPv. |
| Step 6 | Click Browse next to the Certificate Upload Path field to browse to the location of a valid TLS or SSL encryption certificate for AMPv. For more information, see the AMPv documentation. |
| Step 7 | Check the Use for AMP for Firepower check box if you want to use this private cloud for AMP for Networks and AMP for Endpoints.
If you configured a different private cloud to handle AMP for Networks communications, you can clear this check box; if this is your only AMPv connection, you cannot. In a multidomain deployment, this check box appears only in the Global domain. Each Firepower Management Center can have only one AMP for Networks connection. |
| Step 8 | To communicate with AMPv using a proxy, check the Use Proxy for Connection check box. |
| Step 9 | Click Register, confirm that you want to disable existing direct connections to the AMP cloud, and finally confirm that you want to continue to the AMPv management console to complete registration. |
| Step 10 | Log into the management console and complete the registration process. For further instructions, see the AMPv documentation. |
What to Do Next
In high availability configurations, you must configure AMP cloud connections independently on the Active and Standby instances of the Firepower Management Center; these configurations are not synchronized.
Managing AMP Cloud and AMPv Connections
|
Smart License |
Classic License |
Supported Devices |
Supported Domains |
Access |
|---|---|---|---|---|
|
Malware (AMP for Networks) Any (AMP for Endpoints) |
Malware (AMP for Networks) Any (AMP for Endpoints) |
Any |
Any |
Admin |
Use the Firepower Management Center to delete an AMP cloud or AMPv connection if you no longer want to receive malware-related information from the cloud. Note that deregistering a connection using the AMP for Endpoints or AMPv management console does not remove the connection from the system. Deregistered connections display a failed state on the Firepower Management Center web interface.
You can also temporarily disable a connection. When you reenable a cloud connection, the cloud resumes sending data to the system, including queued data from the disabled period.
Caution | For disabled connections, the AMP cloud and AMPv can store malware events, indications of compromise, and so on until you re-enable the connection. In rare cases—for example, with a very high event rate or a long-term disabled connection—the cloud may not be able to store all information generated while the connection is disabled. |
In a multidomain deployment, the system displays connections created in the current domain, which you can manage. It also displays connections created in ancestor domains, which you cannot manage. To manage connections in a lower domain, switch to that domain. Each Firepower Management Center can have only one AMP for Networks connection, which belongs to the Global domain.
What to Do Next
In high availability configurations, you must configure AMP cloud connections independently on the Active and Standby instances of the Firepower Management Center; these configurations are not synchronized.
Dynamic Analysis Connections
The AMP Threat Grid cloud runs files in a sandbox environment. AMP for Networks uses the cloud to retrieve threat scores and dynamic analysis reports for dynamic analysis-submitted files. With the appropriate license, the system automatically has access to the cloud.
If your organization's security policy does not allow the Firepower System to send files outside of your network, you can configure an on-premises AMP Threat Grid appliance. See the Cisco AMP Threat Grid Appliance Setup and Configuration Guide for more information.
Use the Dynamic Analysis Connections page () on the Firepower Management Center to manage public dynamic analysis connections to the AMP Threat Grid cloud and a private dynamic analysis connection to an on-premises AMP Threat Grid appliance.
Note | For information about the |
- Viewing the Default Dynamic Analysis Connection
- Enabling Access to Dynamic Analysis Results in the Public Cloud
- Threat Grid On-Premises Appliance
- Configuring an On-Premises Dynamic Analysis Connection
Viewing the Default Dynamic Analysis Connection
|
Smart License |
Classic License |
Supported Devices |
Supported Domains |
Access |
|---|---|---|---|---|
|
Malware |
Malware |
Any |
Global only |
Admin/Access Admin/Network Admin |
By default, the Firepower Management Center can connect to the public AMP Threat Grid cloud for file submission and report retrieval. You can neither configure nor delete this connection.
).
Enabling Access to Dynamic Analysis Results in the Public Cloud
|
Smart License |
Classic License |
Supported Devices |
Supported Domains |
Access |
|---|---|---|---|---|
|
Malware |
Malware |
Any |
Global only |
Admin/Access Admin/Network Admin |
Cisco AMP Threat Grid offers more detailed reporting on analyzed files than is available in the Firepower Management Center. If your organization has an account in the Cisco AMP Threat Grid public cloud, you can access the Cisco AMP Threat Grid portal directly to view additional details about files sent for analysis from your managed devices. However, for privacy reasons, file analysis details are available only to the organization that submitted the files. Therefore, before you can view this information, you must associate your Firepower Management Center with the files submitted by its managed devices.
You must have an account on the Cisco AMP Threat Grid public cloud, and have your account credentials ready.
| Step 1 | Select AMP > Dynamic Analysis Connections. | ||
| Step 2 | Click  in the table row corresponding to the Cisco AMP Threat Grid public cloud.
A Cisco AMP Threat Grid portal window opens. | ||
| Step 3 | Sign in to the Cisco AMP Threat Grid public cloud. | ||
| Step 4 | Click Submit Query.
If you have difficulties with this process, contact your Cisco AMP Threat Grid representative at Cisco TAC. It may take up to 24 hours for this change to take effect. |
What to Do Next
After the association is activated, see Viewing Dynamic Analysis Results in the Cisco AMP Threat Grid Public Cloud.
Threat Grid On-Premises Appliance
If your organization has privacy or security concerns with submitting files to the public AMP Threat Grid cloud, you can deploy an on-premises AMP Threat Grid appliance. Like the public cloud, the on-premises appliance runs eligible files in a sandbox environment, and returns a threat score and dynamic analysis report to the Firepower System. However, the on-premises appliance does not communicate with the public cloud, or any other system external to your network.
You can connect one on-premises AMP Threat Grid appliance to the Firepower Management Center. See the Cisco AMP Threat Grid Appliance Setup and Configuration Guide for more information.
If you configure a dynamic analysis connection to an on-premises appliance, the system uses the public AMP cloud to perform malware cloud lookups, and verify that files have not been previously submitted for dynamic analysis.
The system also uses the default public dynamic analysis connection to the AMP cloud for public report retrieval. If your on-premises appliance did not generate a dynamic analysis report for the file, the system queries the public AMP cloud for the dynamic analysis report. Unless your organization submits a file, you can only view a scrubbed report containing limited data.
Configuring an On-Premises Dynamic Analysis Connection
|
Smart License |
Classic License |
Supported Devices |
Supported Domains |
Access |
|---|---|---|---|---|
|
Malware |
Malware |
Any |
Global only |
Admin/Access Admin/Network Admin |
If you install an on-premises AMP Threat Grid appliance on your network, you can configure a dynamic analysis connection to submit files and retrieve reports from the appliance. When configuring the on-premises appliance dynamic analysis connection, you register the Firepower Management Center to the on-premises appliance.
-
Set up an on-premises AMP Threat Grid appliance; see the Cisco AMP Threat Grid Appliance Setup and Configuration Guide.
-
Download the public key certificate from the AMP Threat Grid appliance to use for logins to the on-premises appliance; see the Cisco AMP Threat Grid Appliance Administrator's Guide.
-
Configure a proxy if you want to connect to the on-premises appliance using a proxy; see Configure Firepower Management Center Management Interfaces.
| Step 1 | Choose . |
| Step 2 | Click Add New Connection. |
| Step 3 | Enter a Name. |
| Step 4 | Enter a Host URL. |
| Step 5 | Next to Certificate Upload, click Browse to upload the public key certificate you want to use to establish connections with the on-premises appliance. |
| Step 6 | If you want to use a configured proxy to establish the connection, select Use Proxy When Available. |
| Step 7 | Click Register. |
| Step 8 | Click Yes to display the on-premises AMP Threat Grid appliance login page. |
| Step 9 | Enter your username and password to the on-premises AMP Threat Grid appliance. |
| Step 10 | Click Sign in. |
| Step 11 | You have the following options: |
Collective Security Intelligence Communications Configuration
The Firepower System uses Cisco’s Collective Security Intelligence (CSI) for reputation, risk, and threat intelligence. With the correct licenses, you can specify communications options for the URL Filtering and AMP for Networks features.
- Collective Security Intelligence Communications Configuration Options
- Configuring Communications with Collective Security Intelligence
Collective Security Intelligence Communications Configuration Options
URL Filtering Options
Enable URL Filtering
Allows traffic filtering based on a website’s general classification, or category, and risk level, or reputation. Adding a URL Filtering license automatically enables Enable URL Filtering. URL filtering must be enabled before you can choose other URL filtering options.
When you enable URL filtering, depending on how long since URL filtering was last enabled, or if this is the first time you are enabling URL filtering, the Firepower Management Center retrieves URL data from Cisco CSI.
Enable Automatic Updates
Allows the Firepower Management Center to update your deployment’s URL data automatically. Although URL data typically updates once per day, enabling automatic updates forces the Firepower Management Center to check every 30 minutes. Although daily updates tend to be small, if it has been more than five days since your last update, new URL data may take up to 20 minutes to download, depending on your bandwidth. Then, it may take up to 30 minutes to perform the update itself.
This option is enabled by default when you add a URL filtering license.
If you need strict control of when the system contacts external resources, disable automatic updates and use the scheduler instead. See Automating URL Filtering Updates.
Note | Cisco recommends that you either enable automatic updates or use the scheduler to schedule updates. Although you can manually perform on-demand updates by clicking Update Now, automating the process ensures the most up-to-date, relevant data. You cannot start an on-demand update if an update is already in progress. |
Query Cisco CSI for Unknown URLs
Allows the system to submit URLs for threat intelligence evaluation when users browse to a website whose category and reputation are not in the local dataset. Disable this option if you do not want to submit your uncategorized URLs, for example, for privacy reasons.
Connections to uncategorized URLs do not match rules with category or reputation-based URL conditions. You cannot assign categories or reputations to URLs manually.
AMP for Networks Options
Enable Automatic Local Malware Detection Updates
The local malware detection engine statically analyzes and preclassifies files using signatures provided by Cisco. If you enable this option, the Firepower Management Center checks for signature updates once every 30 minutes.
Share URI from Malware Events with Cisco
The system can send information about the files detected in network traffic to the AMP cloud. This information includes URI information associated with detected files and their SHA-256 hash values. Although sharing is opt-in, transmitting this information to Cisco helps future efforts to identify and track malware.
Use Legacy Port 32137 for AMP for Networks
By default, AMP for Networks uses port 443/HTTPS to communicate with the AMP cloud (or AMPv). This option allows AMP for Networks to use port 32137. If you updated from a previous version of the system, this option may be enabled.
Configuring Communications with Collective Security Intelligence
|
Smart License |
Classic License |
Supported Devices |
Supported Domains |
Access |
|---|---|---|---|---|
|
URL Filtering (URL filtering) Malware (AMP for Networks) |
URL Filtering (URL filtering) Malware (AMP for Networks) |
Any |
Any |
Admin |
If you will use category and reputation-based URL filtering on an NGIPSv device, see the Firepower System Virtual Installation Guide for information on allocating the correct amount of memory.
| Step 1 | Choose . |
| Step 2 | Click the Cisco CSI tab. |
| Step 3 | Configure Cisco CSI communications as described in Collective Security Intelligence Communications Configuration Options. |
| Step 4 | Click Save. |
Feedback