Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Firepower Management Center Configuration Guide, Version 6.2.1

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Firepower Management Center Configuration Guide, Version 6.2.1

Chapter Title

File Policies and Advanced Malware Protection

Results

Updated:
September 10, 2018

Chapter: File Policies and Advanced Malware Protection

File Policies and Advanced Malware Protection

The following topics provide an overview of file control, file policies, file rules, AMP cloud connections, and dynamic analysis connections.

About File Policies and Advanced Malware Protection

Malicious software, or malware, can enter your organization’s network via multiple routes. To help you identify and mitigate the effects of malware, Advanced Malware Protection (AMP for Networks, formerly called AMP for Firepower) can detect, track, store, analyze, and optionally block the transmission of malware in network traffic.

You configure AMP for Networks and file control (which allows control over all files of a specific type regardless of whether the files contain malware) as part of your overall access control configuration. File policies that you create and associate with access control rules handle network traffic that matches the rules. You can download files detected in that traffic and run local malware analysis to determine whether the files contain malware. You can also submit files to the AMP Threat Grid cloud for dynamic analysis to determine whether the files represent malware.

The system automatically enables file event, malware event, and captured file logging for active file policies. When a file policy generates a file or malware event, or captures a file, the system also automatically logs the end of the associated connection to the Firepower Management Center database.


Note

File events generated by inspecting NetBIOS-ssn (SMB) traffic do not immediately generate connection events because the client and server establish a persistent connection. The system generates connection events after the client or server ends the session.

To further target your analysis, you can use a malware file’s network file trajectory page to track the spread of an individual threat across hosts over time, allowing you to concentrate outbreak control and prevention efforts where most useful.


Tip

If your organization uses AMP for Endpoints, the system can import and display endpoint-based data alongside any data gathered by AMP for Networks. Importing this data does not require a license.

If your organization requires additional security or wants to limit outside connections, you can use a Cisco AMP Private Cloud Virtual Appliance (AMPv). AMPv privately collects AMP for Endpoints events and forwards them to the Firepower Management Center.

File Control and Cisco AMP Basics

AMP for Networks

AMP for Networks allows you to detect, store, track, analyze, and block malware on your network using managed devices deployed inline. AMP for Networks can block many types of malware files, including PDFs and Microsoft Office documents.

File Detection and Storage

With AMP for Networks, managed devices monitor network traffic for transmissions of certain file types.

When a device detects an eligible file, it sends the file's SHA-256 hash value to the Firepower Management Center. The Firepower Management Center performs a malware cloud lookup, querying the AMP cloud for the file's disposition. The device can also store an eligible file to its hard drive or malware storage pack using the file storage feature. You can view captured file information under Analysis > files > Captured Files, and download a copy for offline analysis.

File Analysis

The system applies several methods of file inspection and analysis to determine whether a file contains malware.


Note
Based on your configuration, you can either inspect a file the first time the system detects it, and wait for a cloud lookup result, or pass the file on this first detection without waiting for the cloud lookup result.

Based on whether you enable the option in a file rule, the system inspects files in the following order:

Spero Analysis

If the file is an eligible executable file, the device can analyze the file's structure and submit the resulting Spero signature to the AMP Threat Grid cloud. The cloud uses this signature to determine if the file contains malware.

Local Malware Analysis

Using a local malware inspection engine, the device examines an eligible file, blocks it if the file contains malware and the file rule is configured to do so, and generates malware events.

The device also generates a file composition report detailing a file's properties, embedded objects, and possible malware.

Dynamic Analysis

If the device preclassifies files as possible malware, it submits these files to the AMP Threat Grid cloud or an AMP Threat Grid on-premises appliance for dynamic analysis, regardless of whether the device stores the file.

The AMP Threat Grid cloud or on-premises AMP Threat Grid appliance runs the file in a sandbox environment to determine whether the file is malicious, and returns a threat score that describes the likelihood a file contains malware. From the threat score, you can view a dynamic analysis summary report that details why the cloud assigned the threat score.

File and Malware Events and Captured Files

Based on the file analysis results, you can review captured files and generated malware and file events using tables on pages available under the Analysis > Files options. When available, you can examine a file's composition, disposition, threat score, and dynamic analysis summary report for further insight into the malware analysis. You can also access the network file trajectory, which displays a map of how the file traversed your network, passing among hosts, as well as various file properties.

Archive Files

The system can inspect up to three levels of nested files beneath the outermost archive file (level 0) if the file is an archive (such as .zip or .rar archive files). You can inspect archive files as large as the Maximum file size to store advanced access control setting.

If any individual file matches a file rule with a block action, the system blocks the entire archive, not just the individual file. The system can also block archives that exceed a specified level of nesting, or whose contents are encrypted or otherwise cannot be inspected.

File Tracking

If a file has a disposition in the AMP cloud that you know to be incorrect, you can add the file’s SHA-256 value to a file list:

  • To treat a file as if the AMP cloud assigned a clean disposition, add the file to the clean list.

  • To treat a file as if the AMP cloud assigned a malware disposition, add the file to the custom detection list.

On subsequent detection, the device either allows or blocks the file without reevaluating the file's disposition. You can use the clean list or custom detection list per file policy.


Note
You must configure a rule in the file policy to either perform a malware cloud lookup or block malware on matching files to calculate a file's SHA-256 value.

Malware Dispositions

The system determines file dispositions based on the disposition returned by the AMP cloud. To improve performance, if the system already knows the disposition for a file based on its SHA-256 value, the Firepower Management Center uses the cached disposition rather than querying the AMP cloud. Based on its disposition, the system can block the file. If any nested file inside an archive file is blocked, the system blocks the entire archive file.

A file can have one of the following file dispositions as a result of addition to a file list, or due to threat score:

  • Malware indicates that the AMP cloud categorized the file as malware, local malware analysis identified malware, or the file’s threat score exceeded the malware threshold defined in the file policy.

  • Clean indicates that the AMP cloud categorized the file as clean, or that a user added the file to the clean list.

  • Unknown indicates that the system queried the AMP cloud, but the file has not been assigned a disposition; in other words, the AMP cloud has not categorized the file.

  • Custom Detection indicates that a user added the file to the custom detection list.

  • Unavailable indicates that the system could not query the AMP cloud. You may see a small percentage of events with this disposition; this is expected behavior.

Archive files have dispositions based on the dispositions assigned to the files inside the archive. All archives that contain identified malware files receive a disposition of Malware. Archives without identified malware files receive a disposition of Unknown if they contain any unknown files, and a disposition of Clean if they contain only clean files.

Table 1. Archive File Disposition by Contents

Archive File Disposition

Number of Unknown Files

Number of Clean Files

Number of Malware Files

Unknown

1 or more

Any

0

Clean

0

1 or more

0

Malware

Any

Any

1 or more

Archive files, like other files, may have dispositions of Custom Detection or Unavailable if the conditions for those dispositions apply.


Tip

If you see several Unavailable malware events in quick succession, make sure the Firepower Management Center can contact the AMP cloud.

Note that file dispositions can change. For example, the AMP cloud can determine that a file that was previously thought to be clean is now identified as malware, or the reverse—that a malware-identified file is actually clean. When the disposition changes for a file you queried in the last week, the AMP cloud notifies the system so it can automatically take action the next time it detects that file being transmitted. A changed disposition is called a retrospective disposition.

Dispositions returned from an AMP cloud query, associated threat scores, and dispositions assigned by local malware analysis, have a time-to-live (TTL) value. After a disposition has been held for the duration specified in the TTL value without update, the system purges the cached information. Dispositions and associated threat scores have the following TTL values:

  • Clean — 4 hours

  • Unknown — 1 hour

  • Malware — 1 hour

If a query against the cache identifies a cached disposition that timed out, the system re-queries the AMP cloud for a new disposition.

File Control without AMP for Networks

If your organization wants to block not only the transmission of malware files, but all files of a specific type (regardless of whether the files contain malware), the file control feature allows you to cast a wider net. As with AMP for Networks, managed devices monitor network traffic for transmissions of specific file types, then either block or allow the file.

File control is supported for all file types where the system can detect malware, plus many additional file types. These file types are grouped into basic categories, including multimedia (swf, mp3), executables (exe, torrent), and PDFs. Note that file control, unlike AMP for Networks, does not require queries of the AMP cloud.

AMP for Endpoints

AMP for Endpoints is Cisco’s enterprise-class Advanced Malware Protection solution that discovers, understands, and blocks advanced malware outbreaks, advanced persistent threats, and targeted attacks. The following diagram details the general flow of information using AMP for Endpoints.



If your organization uses AMP for Endpoints, individual users install lightweight connectors on endpoints: computers and mobile devices. Connectors can inspect files upon upload, download, execution, open, copy, move, and so on. These connectors communicate with the AMP cloud to determine if inspected files contain malware.

When a file is positively identified as malware, the AMP cloud sends the threat identification to the Firepower Management Center. The AMP cloud can also send other kinds of information to the Firepower Management Center, including data on scans, quarantines, blocked executions, and cloud recalls. The Firepower Management Center logs this information as malware events.

AMP for Endpoints can generate indications of compromise (IOC) when a host’s security may be compromised. The Firepower System can display this IOC information for its monitored hosts. Cisco occasionally develops new IOC types for endpoint-based malware events, which the system automatically downloads.

With AMP for Endpoints, you can not only configure FMC-initiated remediations and alerts based on malware events, but you can also use the AMP for Endpoints management console help you mitigate the effect of malware. The management console provides a robust, flexible web interface where you control all aspects of your AMP for Endpoints deployment and manage all phases of an outbreak. You can:

  • configure custom malware detection policies and profiles for your entire organization, as well as perform flash and full scans on all your users’ files

  • perform malware analysis, including view heat maps, detailed file information, network file trajectory, and threat root causes

  • configure multiple aspects of outbreak control, including automatic quarantines, application blocking to stop non-quarantined executables from running, and exclusion lists

  • create custom protections, block execution of certain applications based on group policy, and create custom whitelists


    Tip

    For detailed information on AMP for Endpoints, see the AMP for Endpoints management console.

To configure the integration with AMP for Endpoints and access the console, see:

AMP for Endpoints documentation is available from: http://docs.amp.cisco.com.

AMP for Networks vs. AMP for Endpoints

You can use the Firepower System to work with data from both AMP for Networks and AMP for Endpoints.

Because AMP for Endpoints malware detection is performed at the endpoint at download or execution time, while managed devices detect malware in network traffic, the information in the two types of malware events is different. For example, endpoint-based malware events contain information on file path, invoking client application, and so on, while malware detections in network traffic contain port, application protocol, and originating IP address information about the connection used to transmit the file.

As another example, for network-based malware events, user information represents the user most recently logged into the host where the malware was destined, as determined by network discovery. But AMP for Endpoints-reported users represent the user currently logged into the endpoint where the malware was detected.


Note

Depending on your deployment, endpoints monitored by AMP for Endpoints may not be the same hosts as those monitored by AMP for Networks. For this reason, endpoint-based malware events do not add hosts to the network map. However, the system uses IP and MAC address data to tag monitored hosts with indications of compromise obtained from your AMP for Endpoints deployment. If two different hosts monitored by different AMP solutions have the same IP and MAC address, the system can incorrectly tag monitored hosts with AMP for Endpoints IOCs.

The following table summarizes the differences between the two strategies.

Table 2. Network vs Endpoint-Based Advanced Malware Protection Strategies

Feature

AMP for Networks

AMP for Endpoints

file type detection and blocking method (file control)

in network traffic, using access control and file policies

not supported

malware detection and blocking method

in network traffic, using access control and file policies

on individual endpoints, using a connector that communicates with the AMP cloud

network traffic inspected

traffic passing through a managed device

none; connectors installed on endpoints directly inspect files

malware detection robustness

limited file types

all file types

malware analysis choices

FMC-based, plus analysis in the AMP cloud

FMC-based, plus additional options on the AMP for Endpoints management console

malware mitigation

malware blocking in network traffic, FMC-initiated remediations

AMP for Endpoints-based quarantine and outbreak control options, FMC-initiated remediations

events generated

file events, captured files, malware events, and retrospective malware events

malware events

information in malware events

basic malware event information, plus connection data (IP address, port, and application protocol)

in-depth malware event information; no connection data

network file trajectory

FMC-based

FMC-based, plus additional options on the AMP for Endpoints management console

required licenses or subscriptions

licenses required to perform file control and AMP for Networks

AMP for Endpoints subscription (not license-based)

File Policies

A file policy is a set of configurations that the system uses to perform AMP for Networks and file control, as part of your overall access control configuration. This association ensures that before the system passes a file in traffic that matches an access control rule’s conditions, it first inspects the file. Consider the following diagram of a simple access control policy in an inline deployment.

Diagram illustrating the flow of traffic in a simple access control policy that uses file policies.

The policy has two access control rules, both of which use the Allow action and are associated with file policies. The policy’s default action is also to allow traffic, but without file policy inspection. In this scenario, traffic is handled as follows:

  • Traffic that matches Rule 1 is inspected by File Policy A.

  • Traffic that does not match Rule 1 is evaluated against Rule 2. Traffic that matches Rule 2 is inspected by File Policy B.

  • Traffic that does not match either rule is allowed; you cannot associate a file policy with the default action.

You can associate a single file policy with an access control rule whose action is Allow, Interactive Block, or Interactive Block with reset. The system then uses that file policy to inspect network traffic that meets the conditions of the access control rule.

By associating different file policies with different access control rules, you have granular control over how you identify and block files transmitted on your network. Note, however, that you cannot use a file policy to inspect traffic handled by the access control default action.

File Policy Advanced Configuration

Advanced File Inspection Configuration Notes

In a file policy, you can configure advanced options to block files on the custom detection list, allow files on the clean list, and set a threshold threat score above which files are considered malware.

You can also configure your file policy to inspect the contents of archive files, allowing you to analyze and block archive files according to your organization’s needs. All features applicable to uncompressed files (such as dynamic analysis and file storage) are available for nested files inside archive files.

Archive File Inspection Notes

Some archive files contain additional archive files (and so on). The level at which a file is nested is its archive file depth. Note that the top-level archive file is not considered in the depth count; depth begins at 1 with the first nested file.

Although the system can only inspect up to 3 levels of nested archive files, you can configure your file policy to block archive files that exceed that depth (or a lower maximum depth that you specify). If you want to restrict nested archives further, you have the option to configure a lower maximum file depth of 2 or 1.

If you choose not to block files that exceed the maximum archive file depth of 3, when archive files that contain some extractable contents and some contents nested at a depth of 3 or greater appear in monitored traffic, the system examines and reports data only for the files it was able to inspect.


Note
If traffic that contains an archive file is blacklisted or whitelisted by Security Intelligence, or if the top-level archive file’s SHA-256 value is on the custom detection list, the system does not inspect the contents of the archive file. If a nested file is blacklisted, the entire archive is blocked; however, if a nested file is whitelisted, the archive is not automatically passed (depending on any other nested files and characteristics).

If your file policy is configured to inspect archive file contents, you can use the context menu in a table on pages under the Analysis > Files menu, and the network file trajectory viewer to view information about the files inside an archive when the archive file appears in a file event, malware event, or as a captured file.

All file contents of the archive are listed in table form, with a short summary of their relevant information: name, SHA-256 hash value, type, category, and archive depth. A network file trajectory icon appears by each file, which you can click to view further information about that specific file.

Note that you can only inspect archive files as large as the Maximum file size to store advanced access control setting.

File Policy Configuration Notes and Limitations

  • For a new policy, the web interface indicates that the policy is not in use. If you are editing an in-use file policy, the web interface tells you how many access control policies use the file policy. In either case, you can click the text to jump to the Access Control Policies page.

  • For an access control policy using a file policy with Block Malware rules for FTP, if you set the default action to an intrusion policy with Drop when Inline disabled, the system generates events for detected files or malware matching the rules, but does not drop the files. To block FTP file transfers and use an intrusion policy as the default action for the access control policy where you select the file policy, you must select an intrusion policy with Drop when Inline enabled.

Managing File Policies

Smart License

Classic License

Supported Devices

Supported Domains

Access

Threat (file control)

Malware (AMP for Networks)

Protection (file control)

Malware (AMP for Networks)

Any

Any

Admin/Access Admin

The File Policies page displays a list of existing file policies along with their last-modified dates. You can use this page to manage your file policies.

In a multidomain deployment, the system displays policies created in the current domain, which you can edit. It also displays policies created in ancestor domains, which you cannot edit. To view and edit policies created in a lower domain, switch to that domain.


Note

The system checks the AMP cloud for updates to the list of file types eligible for dynamic analysis (no more than once a day). If the list of eligible file types changes, this constitutes a change in the file policy; any access control policy using the file policy is marked out-of-date if deployed to any devices. You must deploy policies before the updated file policy can take effect on the device.

Procedure

Step 1

Select Policies > Access Control > Malware & File .

Step 2

Manage your file policies:

  • Compare—Click Compare Policies; see Comparing Policies.

  • Create — To create a file policy, click New File Policy and proceed as described in Creating a File Policy.

  • Copy — To copy a file policy, click the copy icon ().

    If a view icon () appears instead, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.

  • Delete — If you want to delete a file policy, click the delete icon (), then click Yes and OK as prompted.

    If the controls are dimmed, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.

  • Deploy—Click Deploy; see Deploy Configuration Changes.

  • Edit — If you want to modify an existing file policy, click the edit icon ().

  • Report—Click the report icon (); see Generating Current Policy Reports.

Creating a File Policy

Smart License

Classic License

Supported Devices

Supported Domains

Access

Threat (file control)

Malware (AMP for Networks)

Protection (file control)

Malware (AMP for Networks)

Any

Any

Admin/Access Admin

Procedure
Step 1

Select Policies > Access Control > Malware & File .

Tip 

To make a copy of an existing file policy, click the copy icon (), then type a unique name for the new policy in the dialog box that appears. You can then modify the copy.

Step 2

Click New File Policy.

Step 3

Enter a Name and optional Description for your new policy.

Step 4

Click Save.

Step 5

Add one or more rules to the file policy as described in Creating File Rules.

Step 6

Optionally, select the Advanced tab and configure advanced options as described in Advanced and Archive File Inspection Options.

Step 7

Save the file policy.

What to do next
Advanced and Archive File Inspection Options

The Advanced tab in the file policy editor has the following general options:

  • First Time File Analysis—Submit a file for file analysis that the system detects for the first time. The file must match a rule configured to perform a malware cloud lookup and Spero, local malware, or dynamic analysis. If you disable this option, files detected for the first time are marked with an Unknown disposition.

  • Enable Custom Detection List—Block files on the custom detection list.

  • Enable Clean List—Allow files on the clean list.

  • Mark files as malware based on dynamic analysis threat score—Set a threshold threat score; files with scores equal or worse than the threshold are considered malware.

    If you select lower threshold values, you increase the number of files treated as malware. Depending on the action selected in your file policy, this can result in an increase of blocked files.

The Advanced tab in the file policy editor has the following archive file inspection options:

  • Inspect Archives—Enables inspection of the contents of archive files, for archive files as large as the Maximum file size to store advanced access control setting.


    Caution
    For Classic devices only, enabling or disabling Inspect Archives restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort® Restart Traffic Behavior for more information.

  • Block Encrypted Archives—Blocks archive files that have encrypted contents.

  • Block Uninspectable Archives—Blocks archive files with contents that the system is unable to inspect for reasons other than encryption. This usually applies to corrupted files, or those that exceed your specified maximum archive depth.

  • Max Archive Depth—Blocks nested archive files that exceed the specified depth. The top-level archive file is not considered in this count; depth begins at 1 with the first nested file .

Editing a File Policy

Smart License

Classic License

Supported Devices

Supported Domains

Access

Threat (file control)

Malware (AMP for Networks)

Protection (file control)

Malware (AMP for Networks)

Any

Any

Admin/Access Admin

Procedure
Step 1

Select Policies > Access Control > Malware & File .

Step 2

Click the edit icon () next to the file policy you want to edit. If a view icon () appears instead, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.

Step 3

You have the following options:

Note 

The file policy editor displays how many access control policies use the file policy you are currently editing. You can click the notification to display a list of the parent policies and, optionally, continue to the Access Control Policies page.

What to do next

File Rules

A file policy, like its parent access control policy, contains rules that determine how the system handles files that match the conditions of each rule. You can configure separate file rules to take different actions for different file types, application protocols, or directions of transfer.

Once a file matches a rule, the rule can:

  • allow or block files based on simple file type matching

  • block files based on disposition

  • store captured files to the device

  • submit captured files for local malware, Spero, or dynamic analysis

In addition, the file policy can:

  • automatically treat a file as if it is clean or malware based on entries in the clean list or custom detection list

  • treat a file as if it is malware if the file’s threat score exceeds a configurable threshold

  • inspect the contents of archive files (such as .zip or .rar)

  • block archive files whose contents are encrypted, nested beyond a specified maximum archive depth, or otherwise uninspectable

File Rule Components

Table 3. File Rule Components

File Rule Component

Description

application protocol

The system can detect and inspect files transmitted via FTP, HTTP, SMTP, IMAP, POP3, and NetBIOS-ssn (SMB). Any, the default, detects files in HTTP, SMTP, IMAP, POP3, FTP, and NetBIOS-ssn (SMB) traffic. To improve performance, you can restrict file detection to only one of those application protocols on a per-file rule basis.

direction of transfer

You can inspect incoming FTP, HTTP, IMAP, POP3, and NetBIOS-ssn (SMB) traffic for downloaded files; you can inspect outgoing FTP, HTTP, SMTP, and NetBIOS-ssn (SMB) traffic for uploaded files.

Tip 

Use Any to detect files over multiple application protocols, regardless of whether users are sending or receiving.

file categories and types

The system can detect various types of files. These file types are grouped into basic categories, including multimedia (swf, mp3), executables (exe, torrent), and PDFs. You can configure file rules that detect individual file types, or on entire categories of file types.

For example, you could block all multimedia files, or just ShockWave Flash (swf) files. Or, you could configure the system to alert you when a user downloads a BitTorrent (torrent) file.

For a list of file types the system can inspect, select Policies > Access Control > Malware & File, create a temporary new file policy, then click Add Rule. Select a file type category and the file types that the system can inspect appear in the File Types list.

Note 

Frequently triggered file rules can affect system performance. For example, detecting multimedia files in HTTP traffic (YouTube, for example, transmits significant Flash content) could generate an overwhelming number of events.

file rule action

A file rule’s action determines how the system handles traffic that matches the conditions of the rule.

Depending on the selected action, you can configure whether the system stores the file or performs Spero, local malware, or dynamic analysis on a file. If you select a Block action, you can also configure whether the system also resets the blocked connection.

Note 

File rules are evaluated in rule-action, not numerical, order.

File Rule Actions and Evaluation Order

To be effective, a file policy must contain one or more rules. File rules give you granular control over which file types you want to log, block, or scan for malware.

Each file rule has an associated action that determines how the system handles traffic that matches the conditions of the rule. You can set separate rules within a file policy to take different actions for different file types, application protocols, or directions of transfer. Simple blocking takes precedence over malware inspection and blocking, which takes precedence over simple detection and logging.

The file rule actions are as follows, in rule-action order:

  • Block Files rules allow you to block specific file types. You can configure options to reset the connection when a file transfer is blocked, and store captured files to the managed device.

  • Block Malware rules allow you to calculate the SHA-256 hash value of specific file types, query the AMP cloud to determine if files traversing your network contain malware, then block files that represent threats.

  • Malware Cloud Lookup rules allow you to obtain and log the disposition of files traversing your network, while still allowing their transmission.

  • Detect Files rules allow you to log the detection of specific file types to the database, while still allowing their transmission.


Caution

Enabling or disabling Store files in a Detect Files or Block Files rule, or adding the first or removing the last file rule that combines the Malware Cloud Lookup or Block Malware file rule action with an analysis option (Spero Analysis or MSEXE, Dynamic Analysis, or Local Malware Analysis) or a store files option (Malware, Unknown, Clean, or Custom), restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort® Restart Traffic Behavior for more information.

Depending on the file rule action, you can configure options to reset the connection when a file transfer is blocked, store captured files to the managed device, locally analyze files for malware, submit captured files to the AMP cloud for dynamic and Spero analysis, and store files that cannot be currently submitted to the cloud for later submission.

Table 4. File Rule Actions

File Rule Action Option

Block Files capable?

Block Malware capable?

Detect Files capable?

Malware Cloud Lookup capable?

Spero Analysis for MSEXE

no

yes, you can submit executable files

no

yes, you can submit executable files

Dynamic Analysis

no

yes, you can submit executable files with Unknown file dispositions

no

yes, you can submit executable files with Unknown file dispositions

Capacity Handling

no

yes

no

yes

Local Malware Analysis

no

yes

no

yes

Reset Connection

yes (recommended)

yes (recommended)

no

no

Store files

yes, you can store all matching file types

yes, you can store file types matching the file dispositions you select

yes, you can store all matching file types

yes, you can store file types matching the file dispositions you select

File Policy Notes and Limitations

File Rule Configuration Notes and Limitations

  • A rule configured to block files in a passive deployment does not block matching files. Because the connection continues to transmit the file, if you configure the rule to log the beginning of the connection, you may see multiple events logged for this connection.

  • If a file rule is configured with a Malware Cloud Lookup or Block Malware action and the Firepower Management Center cannot establish connectivity with the AMP cloud, the system cannot perform any configured rule action options until connectivity is restored.

  • Cisco recommends that you enable Reset Connection for the Block Files and Block Malware actions to prevent blocked application sessions from remaining open until the TCP connection resets. If you do not reset connections, the client session will remain open until the TCP connection resets itself.

  • If you are monitoring high volumes of traffic, do not store all captured files, or submit all captured files for dynamic analysis. Doing so can negatively impact system performance.

  • You cannot perform malware analysis on all file types detected by the system. After you select values from the Application Protocol, Direction of Transfer, and Action drop-down lists, the system constrains the list of file types.

File Detection Notes and Limitations

  • If adaptive profiling is not enabled, access control rules cannot perform file control, including AMP.

  • If a file matches a rule with an application protocol condition, file event generation occurs after the system successfully identifies a file’s application protocol. Unidentified files do not generate file events.

  • FTP transfers commands and data over different channels. In a passive or inline tap mode deployment, the traffic from an FTP data session and its control session may not be load-balanced to the same internal resource.

  • If the total number of bytes for all file names for files in a POP3, POP, SMTP, or IMAP session exceeds 1024, file events from the session may not reflect the correct file names for files that were detected after the file name buffer filled.

  • When transmitting text-based files over SMTP, some mail clients convert newlines to the CRLF newline character standard. Since Mac-based hosts use the carriage return (CR) character and Unix/Linux-based hosts use the line feed (LF) character, newline conversion by the mail client can modify the size of the file. Note that some mail clients default to newline conversion when processing an unrecognizable file type.

  • To detect ISO files, see information about the "Limit the number of bytes inspected when doing file type detection" option in File and Malware Inspection Performance and Storage Options.

File Blocking Notes and Limitations

  • If an end-of-file marker is not detected for a file, regardless of transfer protocol, the file will not be blocked by a Block Malware rule or the custom detection list. The system waits to block the file until the entire file has been received, as indicated by the end-of-file marker, and blocks the file after the marker is detected.

  • If the end-of-file marker for an FTP file transfer is transmitted separately from the final data segment, the marker will be blocked and the FTP client will indicate that the file transfer failed, but the file will actually completely transfer to disk.

  • File rules with Block Files and Block Malware actions block automatic resumption of file download via HTTP by blocking new sessions with the same file, URL, server, and client application detected for 24 hours after the initial file transfer attempt occurs.

  • In rare cases, if traffic from an HTTP upload session is out of order, the system cannot reassemble the traffic correctly and therefore will not block it or generate a file event.

  • If you transfer a file over NetBIOS-ssn (such as an SMB file transfer) that is blocked with a Block Files rule, you may see a file on the destination host. However, the file is unusable because it is blocked after the download starts, resulting in an incomplete file transfer.

  • If you create file rules to detect or block files transferred over NetBIOS-ssn (such as an SMB file transfer), the system does not inspect files transferred in an established TCP or SMB session started before you deploy an access control policy invoking the file policy so those files will not be detected or blocked.

  • If you configure Firepower Threat Defense high availability, and failover occurs while while the original active device is identifying the file, the file type is not synced. Even if your file policy blocks that file type, the new active device downloads the file.

Creating File Rules

Smart License

Classic License

Supported Devices

Supported Domains

Access

Threat (file control)

Malware (AMP for Networks)

Protection (file control)

Malware (AMP for Networks)

Any

Any

Admin/Access Admin


Caution

Enabling or disabling Store files in a Detect Files or Block Files rule, or adding the first or removing the last file rule that combines the Malware Cloud Lookup or Block Malware file rule action with an analyis option (Spero Analysis or MSEXE, Dynamic Analysis, or Local Malware Analysis) or a store files option (Malware, Unknown, Clean, or Custom), restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort® Restart Traffic Behavior for more information.

Procedure

Step 1

In the file policy editor, click Add File Rule.

Step 2

Select an Application Protocol and Direction of Transfer as described in File Rule Components.

Step 3

Select one or more File Types.

The file types you see depend on the selected application protocol, direction of transfer, and action.

You can filter the list of file types in the following ways:

  • Select one or more File Type Categories, then click All types in selected Categories.

  • Search for a file type by its name or description. For example, type Windows in the Search name and description field to display a list of Microsoft Windows-specific files.

Tip 

Hover your pointer over a file type to view its description.

Step 4

Select a file rule Action as described in File Rule Actions and Evaluation Order.

Step 5

Depending on the action you selected, configure whether you want to:

  • reset the connection after blocking the file

  • store a matching file

  • enable Spero analysis

  • enable local malware analysis

  • enable dynamic analysis and capacity handling

as described in File Rule Actions and Evaluation Order.

Step 6

Click Add.

Step 7

Click Save to save the policy.

What to do next

Cloud Connections

The Firepower System provides connections to the following public cloud-based servers to help you perform Cisco Advanced Malware Protection (AMP):

  • AMP cloud—allows you to retrieve AMP for Networks malware dispositions and updates, and AMP for Endpoints scan records, malware detections, quarantines, and indications of compromise (IOC)

  • AMP Threat Grid cloud—allows you to submit eligible files for dynamic analysis, and retrieve threat scores and dynamic analysis reports

Depending on your organization's privacy or security needs, you can also deploy private cloud servers:

  • An AMP Private Cloud Virtual Appliance (AMPv) acts as a compressed, on-premises AMP cloud, as well as an anonymized proxy to connect to the public AMP cloud.

  • An AMP Threat Grid appliance acts as an on-premises AMP Threat Grid cloud that does not contact the public AMP Threat Grid cloud.

AMP Cloud Connections

The Advanced Malware Protection (AMP) cloud is a Cisco-hosted server that uses big data analytics and continuous analysis to help you detect and block malware on your network. Both Cisco AMP solutions use the AMP cloud:

  • AMP for Networks uses the AMP cloud to retrieve dispositions for possible malware detected in network traffic by managed devices, and obtain local malware analysis and file pre-classification updates.

  • AMP for Endpoints is Cisco’s enterprise-class AMP solution. Individual users install lightweight connectors on their computers and mobile devices that communicate with the AMP cloud. The Firepower Management Center can then import records of scans, malware detections, and quarantines, as well as indications of compromise (IOC).

Depending on your deployment, endpoints monitored by AMP for Endpoints may not be the same hosts as those monitored by AMP for Networks. For this reason, endpoint-based malware events do not add hosts to the network map. However, the system uses IP and MAC address data to tag monitored hosts with indications of compromise obtained from your AMP for Endpoints deployment. If two different hosts monitored by different AMP solutions have the same IP and MAC address, the system can incorrectly tag monitored hosts with AMP for Endpoints IOCs.

Use the AMP Management page (AMP > AMP Management) to manage connections to the AMP cloud. By default, a connection to the United States (US) AMP public cloud is configured and enabled for AMP for Networks. You cannot delete or disable an AMP for Networks cloud connection, but you can switch between the European Union (EU) and United States (US) AMP clouds, or configure a private cloud (AMPv) connection.

To add a separate FireAMP connection for endpoints, you must have an account in the FireAMP portal. An AMP for Endpoints connection that has not registered successfully to the portal does not disable AMP for Networks.

Requirements for AMP Cloud Connections

  • AMP for networks - The system uses port 443 to perform malware cloud lookups for AMP for networks, whether you use a public or private AMP cloud. You must open that port outbound for communications from the Firepower Management Center.

  • AMP for endpoints - The system uses port 443/HTTPS to connect to the Cisco cloud (public or private) to receive endpoint-based malware events. You must open that port, both inbound and outbound, for communications with the Firepower Management Center. Additionally, the Firepower Management Center must have direct access to the Internet. The default health policy includes the AMP Status Monitor, which warns you if the Firepower Management Center cannot connect to the cloud after an initial successful connection, or if the connection is deregistered using the AMP portal.

To use the legacy port for AMP communications, see Collective Security Intelligence Communications Configuration Options.

AMP and High Availability

Although they share file policies and related configurations, Firepower Management Centers in a high availability pair share neither cloud connections nor captured files, file events, and malware events. To ensure continuity of operations, and to ensure that detected files’ malware dispositions are the same on both Firepower Management Centers, both Active and Standby Firepower Management Centers must have access to the cloud.

In high availability configurations, you must configure AMP cloud connections independently on the Active and Standby instances of the Firepower Management Center; these configurations are not synchronized.

These requirements apply to both public and private AMP clouds.

AMP Cloud Connections and Multitenancy

In a multidomain deployment, you configure the AMP for Networks connection at the Global level only. Each Firepower Management Center can have only one AMP for Networks connection. You can configure AMP for Endpoints connections at any domain level, provided you use a separate AMP for Endpoints account for each connection. For example, each client of an MSSP might have its own AMP for Endpoints deployment.


Caution

Cisco strongly recommends you configure AMP for Endpoints connections at the leaf level only, especially if your leaf domains have overlapping IP space. If multiple subdomains have hosts with the same IP-MAC address pair, the system could save endpoint-based malware events to the wrong leaf domain, or associate IOCs with the wrong hosts.

Configuring an AMP for Endpoints Cloud Connection

Smart License

Classic License

Supported Devices

Supported Domains

Access

Any

Any

Any

Any

Admin

If your organization has deployed AMP for Endpoints, you can import threat identifications, indications of compromise (IOC), and other malware-related information from the AMP cloud to the system. You must configure an AMP for Endpoints connection even if you already have a AMP for Networks connection configured.


Caution

In a multidomain deployment, Cisco strongly recommends you configure AMP for Endpoints connections at the leaf level only, especially if your leaf domains have overlapping IP space. If multiple subdomains have hosts with the same IP-MAC address pair, the system could save endpoint-based malware events to the wrong leaf domain, or associate IOCs with the wrong hosts.

Before you begin

  • AMP for Endpoints must be set up and working on your network.

  • If you are connecting to the AMP cloud after either restoring your Firepower Management Center to factory defaults or reverting to a previous version, use the AMP for Endpoints management console to remove the previous connection.

Procedure
Step 1

Choose AMP > AMP Management.

Step 2

Click Create AMP Cloud Connection.

Step 3

From the Cloud Name drop-down list, choose the cloud you want to use:

  • For the European Union AMP cloud, choose EU Cloud.

  • For the United States AMP cloud, choose US Cloud.

  • For AMPv, choose Private Cloud and proceed as described in Cisco AMP Private Clouds.

Step 4

Check the Use for AMP for Firepower check box if you want to use this cloud for AMP for Networks and AMP for Endpoints.

In a multidomain deployment, this check box appears only in the Global domain. Each Firepower Management Center can have only one AMP for Networks connection.

Step 5

Click Register.

A spinning state icon indicates that a connection is pending, for example, after you configure a connection on the Firepower Management Center, but before you authorize it using the AMP for Endpoints management console. A failed or denied icon () indicates that the cloud denied the connection or the connection failed for another reason.

Step 6

Confirm that you want to continue to the AMP for Endpoints management console, then log into the management console.

Step 7

Using the management console, authorize the AMP cloud to send AMP for Endpoints data to the Firepower Management Center.

Step 8

If you want to restrict the data you receive, select specific groups within your organization for which you want to receive information.

By default, the AMP cloud sends data for all groups. To manage groups, choose Management > Groups on the AMP for Endpoints management console. For detailed information, see the management console online help.

Step 9

Click Allow to enable the connection and start the transfer of data.

Clicking Deny returns you to the Firepower Management Center, where the connection is marked as denied. If you navigate away from the Applications page on the AMP for Endpoints management console, and neither deny nor allow the connection, the connection is marked as pending on the Firepower Management Center’s web interface. The health monitor does not alert you of a failed connection in either of these situations. If you want to connect to the AMP cloud later, delete the failed or pending connection, then recreate it.

Incomplete registration of an AMP for Endpoints connection does not disable the AMP for Networks connection.

Step 10

To verify that the connection is correctly configured:

  1. On the AMP > AMP Management page, click the Cloud Name that includes AMP for Endpoints in the Cisco AMP Solution Type column.

  2. In the AMP for Endpoints console window that displays, choose Accounts > Applications.

  3. Verify that your Firepower Management Center is on the list.

What to do next

  • In the AMP for Endpoints console window, configure settings as needed. For example, define group membership for your management center and assign policies. For information, see the AMP for Endpoints online help or other documentation.

  • In high availability configurations, you must configure AMP cloud connections independently on the Active and Standby instances of the Firepower Management Center; these configurations are not synchronized.

Access the AMP for Endpoints Management Console

Smart License

Classic License

Supported Devices

Supported Domains

Access

Any

Any

Any

Any

Admin


Tip

For information about using AMP for Endpoints and its console, see the online help in the console or other documentation available from https://www.cisco.com/c/en/us/support/security/fireamp-endpoints/tsd-products-support-series-home.html

You can access the AMP for Endpoints console from the Firepower Management Center.

Before you begin

The connection to AMP for Endpoints must be configured (see Configuring an AMP for Endpoints Cloud Connection) and Firepower Management Center must be able to connect to the AMP cloud.

Procedure
Step 1

Choose AMP > AMP Management.

Step 2

Click the cloud name in the table.

Cisco AMP Private Clouds

You can configure a Cisco AMP Private Cloud Virtual Appliance (AMPv) to collect AMP endpoint data on your network. AMPv is a proprietary Cisco virtual machine that acts as a compressed, on-premises version of the AMP cloud.

All AMP for Endpoints connectors send data to AMPv, which forwards that data to the Firepower Management Center. AMPv does not share any of your endpoint data over an external connection. The Firepower Management Center connects to the public AMP cloud for disposition queries for files detected in network traffic and receipt of retrospective malware events.

Your organization may have privacy or security concerns that make frequent or direct connections between your monitored network and the AMP cloud difficult or impossible. In these situations, you can configure a Cisco AMP Private Cloud Virtual Appliance (AMPv). AMPv is a proprietary Cisco virtual machine that acts as a compressed, on-premises version of the AMP cloud, as well as a secure mediator between your network and the AMP cloud. Connecting a Firepower Management Center to AMPv disables existing direct connections to the AMP cloud.

All connections to the AMP cloud—whether for AMP for Networks or AMP for Endpoints—funnel through AMPv, which acts as an anonymized proxy to ensure the security and privacy of your monitored network. This includes disposition queries for files detected in network traffic, receiving of retrospective malware events, importing AMP for Endpoints data, and so on. AMPv does not share any of your endpoint data over an external connection.

Each private cloud can support as many as 10,000 AMP for Endpoints connectors, and you can configure multiple private clouds.

Use the AMP Management page (AMP > AMP Management) on the Firepower Management Center to manage connections to AMPv.


Note

Dynamic analysis, a component of AMP for Networks, requires that managed devices have direct or proxied access to the AMP Threat Grid cloud or an on-premises AMP Threat Grid appliance on port 443. AMPv does not support dynamic analysis, nor does AMPv support anonymized retrieval of threat intelligence for other features that rely on Cisco Collective Security Intelligence (CSI), such as URL and Security Intelligence filtering.

Connecting to AMPv

Smart License

Classic License

Supported Devices

Supported Domains

Access

Malware (AMP for Networks)

Any (AMP for Endpoints)

Malware (AMP for Networks)

Any (AMP for Endpoints)

Any

Any

Admin

Before you begin

  • Configure your Cisco AMP private cloud or clouds according to the directions in the AMPv documentation. During configuration, note the private cloud host name. You will need this host name later to configure the connection on the Firepower Management Center.

  • Make sure the Firepower Management Center can communicate with AMPv, and confirm that AMPv has internet access so it can communicate with the AMP cloud.

Procedure
Step 1

Choose AMP > AMP Management.

Step 2

Click Create AMP Cloud Connection.

Step 3

From the Cloud Name drop-down list, choose Private Cloud.

Step 4

Enter a Name.

This information appears in malware events that are generated or transmitted by AMPv.

Step 5

In the Host field, enter the private cloud host name that you configured when you set up AMPv.

Step 6

Click Browse next to the Certificate Upload Path field to browse to the location of a valid TLS or SSL encryption certificate for AMPv. For more information, see the AMPv documentation.

Step 7

Check the Use for AMP for Firepower check box if you want to use this private cloud for AMP for Networks and AMP for Endpoints.

If you configured a different private cloud to handle AMP for Networks communications, you can clear this check box; if this is your only AMPv connection, you cannot.

In a multidomain deployment, this check box appears only in the Global domain. Each Firepower Management Center can have only one AMP for Networks connection.

Step 8

To communicate with AMPv using a proxy, check the Use Proxy for Connection check box.

Step 9

Click Register, confirm that you want to disable existing direct connections to the AMP cloud, and finally confirm that you want to continue to the AMPv management console to complete registration.

Step 10

Log into the management console and complete the registration process. For further instructions, see the AMPv documentation.

What to do next

In high availability configurations, you must configure AMP cloud connections independently on the Active and Standby instances of the Firepower Management Center; these configurations are not synchronized.

Managing AMP Cloud and AMPv Connections

Smart License

Classic License

Supported Devices

Supported Domains

Access

Malware (AMP for Networks)

Any (AMP for Endpoints)

Malware (AMP for Networks)

Any (AMP for Endpoints)

Any

Any

Admin

Use the Firepower Management Center to delete an AMP cloud or AMPv connection if you no longer want to receive malware-related information from the cloud. Note that deregistering a connection using the AMP for Endpoints or AMPv management console does not remove the connection from the system. Deregistered connections display a failed state on the Firepower Management Center web interface.

You can also temporarily disable a connection. When you reenable a cloud connection, the cloud resumes sending data to the system, including queued data from the disabled period.


Caution

For disabled connections, the AMP cloud and AMPv can store malware events, indications of compromise, and so on until you re-enable the connection. In rare cases—for example, with a very high event rate or a long-term disabled connection—the cloud may not be able to store all information generated while the connection is disabled.

In a multidomain deployment, the system displays connections created in the current domain, which you can manage. It also displays connections created in ancestor domains, which you cannot manage. To manage connections in a lower domain, switch to that domain. Each Firepower Management Center can have only one AMP for Networks connection, which belongs to the Global domain.

Procedure
Step 1

Select AMP > AMP Management.

Step 2

Manage your AMP cloud connections:

  • Delete — Click the delete icon (), then confirm your choice.
  • Enable or Disable — Click the slider, then confirm your choice.
What to do next

In high availability configurations, you must configure AMP cloud connections independently on the Active and Standby instances of the Firepower Management Center; these configurations are not synchronized.

Dynamic Analysis Connections

The AMP Threat Grid cloud runs files in a sandbox environment. AMP for Networks uses the cloud to retrieve threat scores and dynamic analysis reports for dynamic analysis-submitted files. With the appropriate license, the system automatically has access to the cloud.

If your organization's security policy does not allow the Firepower System to send files outside of your network, you can configure an on-premises AMP Threat Grid appliance. See the Cisco AMP Threat Grid Appliance Setup and Configuration Guide for more information.

Use the Dynamic Analysis Connections page (AMP > Dynamic Analysis Connections) on the Firepower Management Center to manage public dynamic analysis connections to the AMP Threat Grid cloud and a private dynamic analysis connection to an on-premises AMP Threat Grid appliance.


Note

For information about the button on the AMP > Dynamic Analysis Connections page, see Enabling Access to Dynamic Analysis Results in the Public Cloud.

Viewing the Default Dynamic Analysis Connection

Smart License

Classic License

Supported Devices

Supported Domains

Access

Malware

Malware

Any

Global only

Admin/Access Admin/Network Admin

By default, the Firepower Management Center can connect to the public AMP Threat Grid cloud for file submission and report retrieval. You can neither configure nor delete this connection.

Procedure
Step 1

Choose AMP > Dynamic Analysis Connections.

Step 2

Click the edit icon ().

Enabling Access to Dynamic Analysis Results in the Public Cloud

Smart License

Classic License

Supported Devices

Supported Domains

Access

Malware

Malware

Any

Global only

Admin/Access Admin/Network Admin

Cisco AMP Threat Grid offers more detailed reporting on analyzed files than is available in the Firepower Management Center. If your organization has an account in the Cisco AMP Threat Grid public cloud, you can access the Cisco AMP Threat Grid portal directly to view additional details about files sent for analysis from your managed devices. However, for privacy reasons, file analysis details are available only to the organization that submitted the files. Therefore, before you can view this information, you must associate your Firepower Management Center with the files submitted by its managed devices.

Before you begin

You must have an account on the Cisco AMP Threat Grid public cloud, and have your account credentials ready.

Procedure
Step 1

Select AMP > Dynamic Analysis Connections.

Step 2

Click in the table row corresponding to the Cisco AMP Threat Grid public cloud.

A Cisco AMP Threat Grid portal window opens.
Step 3

Sign in to the Cisco AMP Threat Grid public cloud.
Step 4

Click Submit Query.

Note 

Do not change the default value in the Devices field.

If you have difficulties with this process, contact your Cisco AMP Threat Grid representative at Cisco TAC.

It may take up to 24 hours for this change to take effect.

What to do next

After the association is activated, see Viewing Dynamic Analysis Results in the Cisco AMP Threat Grid Public Cloud.

Threat Grid On-Premises Appliance

If your organization has privacy or security concerns with submitting files to the public AMP Threat Grid cloud, you can deploy an on-premises AMP Threat Grid appliance. Like the public cloud, the on-premises appliance runs eligible files in a sandbox environment, and returns a threat score and dynamic analysis report to the Firepower System. However, the on-premises appliance does not communicate with the public cloud, or any other system external to your network.

You can connect one on-premises AMP Threat Grid appliance to the Firepower Management Center. See the Cisco AMP Threat Grid Appliance Setup and Configuration Guide for more information.

If you configure a dynamic analysis connection to an on-premises appliance, the system uses the public AMP cloud to perform malware cloud lookups, and verify that files have not been previously submitted for dynamic analysis.

The system also uses the default public dynamic analysis connection to the AMP cloud for public report retrieval. If your on-premises appliance did not generate a dynamic analysis report for the file, the system queries the public AMP cloud for the dynamic analysis report. Unless your organization submits a file, you can only view a scrubbed report containing limited data.

Configuring an On-Premises Dynamic Analysis Connection

Smart License

Classic License

Supported Devices

Supported Domains

Access

Malware

Malware

Any

Global only

Admin/Access Admin/Network Admin

If you install an on-premises AMP Threat Grid appliance on your network, you can configure a dynamic analysis connection to submit files and retrieve reports from the appliance. When configuring the on-premises appliance dynamic analysis connection, you register the Firepower Management Center to the on-premises appliance.

Before you begin

  • Set up an on-premises AMP Threat Grid appliance; see the Cisco AMP Threat Grid Appliance Setup and Configuration Guide.

  • Download the public key certificate from the AMP Threat Grid appliance to use for logins to the on-premises appliance; see the Cisco AMP Threat Grid Appliance Administrator's Guide.

  • Configure a proxy if you want to connect to the on-premises appliance using a proxy; see Configure Firepower Management Center Management Interfaces.

Procedure
Step 1

Choose AMP > Dynamic Analysis Connections.

Step 2

Click Add New Connection.

Step 3

Enter a Name.

Step 4

Enter a Host URL.

Step 5

Next to Certificate Upload, click Browse to upload the public key certificate you want to use to establish connections with the on-premises appliance.

Step 6

If you want to use a configured proxy to establish the connection, select Use Proxy When Available.

Step 7

Click Register.

Step 8

Click Yes to display the on-premises AMP Threat Grid appliance login page.

Step 9

Enter your username and password to the on-premises AMP Threat Grid appliance.

Step 10

Click Sign in.

Step 11

You have the following options:

  • If you previously registered the Firepower Management Center to the on-premises appliance, click Return.
  • If you did not register the Firepower Management Center, click Activate.

Collective Security Intelligence Communications Configuration

The Firepower System uses Cisco’s Collective Security Intelligence (CSI) for reputation, risk, and threat intelligence. With the correct licenses, you can specify communications options for the URL Filtering and AMP for Networks features.

Collective Security Intelligence Communications Configuration Options

URL Filtering Options

Enable URL Filtering

Allows traffic filtering based on a website’s general classification, or category, and risk level, or reputation. Adding a URL Filtering license automatically enables Enable URL Filtering. URL filtering must be enabled before you can choose other URL filtering options.

When you enable URL filtering, depending on how long since URL filtering was last enabled, or if this is the first time you are enabling URL filtering, the Firepower Management Center downloads URL data from Cisco Collective Security Intelligence (Cisco CSI). This process may take some time.

Enable Automatic Updates

Options for updating URL filtering threat data:

  • If you enable the Enable Automatic Updates option on this page, the Firepower Management Center checks the cloud every 30 minutes for updates. This option is enabled by default when you add a URL filtering license.

  • If you need strict control over when the system contacts external resources, disable automatic updates on this page and instead create a recurring task using the scheduler. See Automating URL Filtering Updates Using a Scheduled Task.

Update Now

You can perform a one-time, on-demand update by clicking the Update Now button at the top of this dialog box, but you should also either enable automatic updates or create a recurring task using the scheduler. You cannot start an on-demand update if an update is already in progress.

Although daily updates tend to be small, if it has been more than five days since your last update, new URL data may take up to 20 minutes to download, depending on your bandwidth. Then, it may take up to 30 minutes to perform the update itself.

Query Cisco CSI for Unknown URLs

Allows the system to submit URLs to the cloud for threat intelligence evaluation when users browse to a website whose category and reputation are not in the local dataset. Disable this option if you do not want to submit your uncategorized URLs, for example, for privacy reasons.

Connections to uncategorized URLs do not match rules with category or reputation-based URL conditions. You cannot assign categories or reputations to URLs manually.

AMP for Networks Options

Enable Automatic Local Malware Detection Updates

The local malware detection engine statically analyzes and preclassifies files using signatures provided by Cisco. If you enable this option, the Firepower Management Center checks for signature updates once every 30 minutes.

Share URI from Malware Events with Cisco

The system can send information about the files detected in network traffic to the AMP cloud. This information includes URI information associated with detected files and their SHA-256 hash values. Although sharing is opt-in, transmitting this information to Cisco helps future efforts to identify and track malware.

Use Legacy Port 32137 for AMP for Networks

By default, AMP for Networks uses port 443/HTTPS to communicate with the AMP cloud (or AMPv). This option allows AMP for Networks to use port 32137. If you updated from a previous version of the system, this option may be enabled.

Configuring Communications with Collective Security Intelligence

Smart License

Classic License

Supported Devices

Supported Domains

Access

URL Filtering (URL filtering)

Malware (AMP for Networks)

URL Filtering (URL filtering)

Malware (AMP for Networks)

Any

Any

Admin

Before you begin

If you will use category and reputation-based URL filtering on an NGIPSv device, see the Firepower System Virtual Installation Guide for information on allocating the correct amount of memory.

Procedure

Step 1

Choose System > Integration.

Step 2

Click the Cisco CSI tab.

Step 3

Configure Cisco CSI communications as described in Collective Security Intelligence Communications Configuration Options.

Step 4

Click Save.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

Related Cisco Community Discussions

About Us
Contact Us
Work with Us