Saturday, November 2, 2019

Configuring Cisco FTD Malware, File and IPS Policy via FDM

Before configuring the Malware and File blocking policy, go to Devices > Traffic Settings > URL Filter Preferences.

Select Query Cisco CSI for Unknown URLs and click Save.

This lets the FTD query the Cisco Collective Security Intelligence (CSI) cloud for the category and reputation of any URL that is not in the local URL database. Note that file dispositions (the malware verdicts used by the file policy) are looked up in the Cisco AMP cloud and do not depend on this setting; the file policy works without it, but enabling the lookup means unknown URLs are classified as well.
 


To create the access rule that applies the file (malware) and intrusion policies, go to Policies > Access Control and click add (the plus icon).


Select Order: 3 > type the Title: BLOCK-MALWARE-PDF-IPS > Action: Allow > Source Zone: inside_zone > Networks: INSIDE-NET

Notice that Action: Allow is required: file and intrusion policies can only be attached to an Allow rule. A Trust rule bypasses deep inspection entirely, and a Block rule drops the traffic before it can be inspected.
 

Go to the File Policy tab > select the File Policy: Block Office Document and PDF Upload, Block Malware Others > click OK.


Go to the Intrusion Policy tab > toggle Intrusion Policy on > select Balanced Security and Connectivity.



Go to the Logging tab > select Log Action: At Beginning and End of Connection > click OK.


Click Deployment > Deploy Now so the new rule takes effect on the device.
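The same rule, expressed as the JSON body the FDM REST API takes instead of GUI clicks, together with the constraint FDM enforces on it (file and intrusion policies are only valid on an Allow, i.e. PERMIT, rule). This is an added example and not code from the post. The hostname, the access-policy UUID, the object IDs and the credentials are placeholders; the field names (`ruleAction`, `eventLogAction`, `filePolicy`, `intrusionPolicy`, `logFiles`, the `at` position parameter) are as I remember them from the FDM API Explorer and should be checked against the API Explorer on your own device (https://<fdm>/api-explorer) before use.

```python
"""Build the BLOCK-MALWARE-PDF-IPS access rule as an FDM REST API request.

Added example; hostname, UUIDs and credentials are placeholders (assumptions),
and the field names should be verified in your device's API Explorer.
"""
import json
import ssl
import urllib.request

FDM_HOST = "ftd.example.local"             # assumption: your FDM/FTD address
ACCESS_POLICY_ID = "<accesspolicy-uuid>"   # assumption: from GET /policy/accesspolicies

# Only PERMIT (the GUI's "Allow") sends traffic through the file and intrusion
# engines. TRUST bypasses deep inspection; DENY drops before inspection.
DEEP_INSPECTION_ACTIONS = {"PERMIT"}
LOG_ACTIONS = {"LOG_NONE", "LOG_FLOW_START", "LOG_FLOW_END", "LOG_BOTH"}


def ref(obj_id, obj_type, name=None):
    """Reference object ({id, type[, name]}) in the shape the FDM API expects."""
    r = {"id": obj_id, "type": obj_type}
    if name:
        r["name"] = name
    return r


def build_rule(name, action, src_zone, src_net, file_policy=None,
               intrusion_policy=None, log="LOG_BOTH"):
    """Return the accessrule body, refusing combinations FDM would reject."""
    if (file_policy or intrusion_policy) and action not in DEEP_INSPECTION_ACTIONS:
        raise ValueError(f"file/intrusion policies need ruleAction PERMIT, not {action}")
    if log not in LOG_ACTIONS:
        raise ValueError(f"unknown eventLogAction {log}")
    rule = {
        "type": "accessrule",
        "name": name,
        "ruleAction": action,
        "sourceZones": [src_zone],
        "sourceNetworks": [src_net],
        "eventLogAction": log,            # "At Beginning and End of Connection"
        "logFiles": file_policy is not None,  # assumed name of the Logging tab's "Log Files" switch
    }
    if file_policy:
        rule["filePolicy"] = file_policy
    if intrusion_policy:
        rule["intrusionPolicy"] = intrusion_policy
    return rule


def _tls_context(verify_tls):
    ctx = ssl.create_default_context()
    if not verify_tls:          # lab boxes usually have a self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def get_token(username, password, verify_tls=True):
    """Password grant against /fdm/token; returns the bearer token."""
    body = {"grant_type": "password", "username": username, "password": password}
    req = urllib.request.Request(
        f"https://{FDM_HOST}/api/fdm/latest/fdm/token",
        data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=_tls_context(verify_tls)) as resp:
        return json.load(resp)["access_token"]


def push_rule(rule, token, position, verify_tls=True):
    """POST the rule; `at` (assumed) sets its 1-based position, like Order: 3 in the GUI."""
    url = (f"https://{FDM_HOST}/api/fdm/latest/policy/accesspolicies/"
           f"{ACCESS_POLICY_ID}/accessrules?at={position}")
    req = urllib.request.Request(
        url, data=json.dumps(rule).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=_tls_context(verify_tls)) as resp:
        return json.load(resp)


if __name__ == "__main__":
    rule = build_rule(
        "BLOCK-MALWARE-PDF-IPS", "PERMIT",
        ref("<zone-uuid>", "securityzone", "inside_zone"),
        ref("<network-uuid>", "networkobject", "INSIDE-NET"),
        file_policy=ref("<filepolicy-uuid>", "filepolicy",
                        "Block Office Document and PDF Upload, Block Malware Others"),
        intrusion_policy=ref("<ipspolicy-uuid>", "intrusionpolicy",
                             "Balanced Security and Connectivity"))
    print(json.dumps(rule, indent=2))
    # token = get_token("admin", "<password>", verify_tls=False)
    # print(push_rule(rule, token, position=3, verify_tls=False))
    # Remember that an API change is staged only; it still needs a deployment.
```

The validator is the part worth keeping even if you stay in the GUI: it encodes why the rule has to be Allow, which the GUI only tells you after you pick a policy on a Trust or Block rule.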



To test the malware blocking policy, download an EICAR test file. It is a harmless 68-byte text file that antivirus and IDS/IPS engines recognise by convention, so it produces a malware verdict without containing anything malicious. Download it over plain HTTP: unless an SSL decryption policy is configured, the FTD cannot inspect a file inside an HTTPS download and the test will not fire.


I was unable to download the EICAR test file and got a "web page was blocked" (page can't be displayed) error.
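The same test from the command line, as an added example that is not part of the original post: it builds the EICAR file locally, computes the SHA-256 that the FTD will show in the malware event (so you can match the event to the file), and attempts the download through the firewall over plain HTTP, classifying what happens. The download URL is a placeholder assumption (EICAR publishes the file on eicar.org); the string is split in two literals so the script itself does not get quarantined by an endpoint AV.

```python
"""EICAR download test through the FTD, with the hash to look for in the event.

Added example, not from the post. The URL in main() is an assumption.
"""
import hashlib
import urllib.error
import urllib.request

# Split so this script is not itself flagged on disk; the two halves
# concatenate to the standard 68-byte EICAR test file.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")


def eicar_sha256() -> str:
    """SHA-256 of the test file; compare with the SHA-256 shown in Monitoring > Events."""
    return hashlib.sha256(EICAR).hexdigest()


def write_eicar(path: str) -> int:
    """Write the test file (e.g. to try an upload through a web form). Returns bytes written."""
    with open(path, "wb") as f:
        f.write(EICAR)
    return len(EICAR)


def fetch_through_firewall(url: str, timeout: float = 10.0) -> str:
    """Try to download the test file across the FTD and classify the outcome.

    Use a plain-HTTP URL: without an SSL decryption policy the file policy
    cannot see inside TLS and the result proves nothing.
    Returns "allowed", "modified", "http-<code>" or "reset-or-blocked".
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read()
    except urllib.error.HTTPError as e:
        return f"http-{e.code}"          # server or block page answered with an error
    except OSError:                       # URLError, connection reset, timeout
        return "reset-or-blocked"         # a file block typically resets the flow
    return "allowed" if hashlib.sha256(body).hexdigest() == eicar_sha256() else "modified"


def was_blocked(outcome: str) -> bool:
    """True when the outcome means the firewall did not deliver the intact file."""
    return outcome != "allowed"


if __name__ == "__main__":
    print("expected SHA-256 in the malware event:", eicar_sha256())
    # Assumption: plain-HTTP location of the file; adjust to whatever you host.
    result = fetch_through_firewall("http://www.eicar.org/download/eicar.com")
    print(result, "-> blocked" if was_blocked(result) else "-> NOT blocked")
```

A reset ("page can't be displayed" in the browser) is the usual sign of a file block; an HTTP error code means something upstream of the file policy answered. Either way, confirm in Monitoring > Events that an event with this SHA-256 was logged rather than trusting the browser alone.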




To view the malware block logs, go to Monitoring > Events > Malware (file-type blocks that carry no malware verdict appear under the File tab instead).


Hover to a specific Event > View Details to view more info.







To narrow the connection events down to blocked connections, type Rule Action=Block in the Filter field and click Filter.

Hover over a specific event > View Details to view more info.





To test the PDF upload block, go to tinyupload.com > browse and choose a PDF file > click Upload.


Notice that the upload never completes: its status stays indeterminate (unknown), because the FTD blocks the PDF upload.


To view the event logs, go to Monitoring > Events > type Rule Action=Block in the Filter field > click Filter. Hover over a specific connection event > View Details.
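The GUI filter above works on the event table; once events are exported to syslog the same filtering is easy to script, and it lets you correlate a block with the SHA-256 of the file you actually sent. The following is an added example, not from the post. The three log lines are constructed here for illustration; their key: value layout is modelled on FTD's 430004 (file) and 430005 (malware) messages, but the exact field names on your device may differ, so check one real line and adjust the keys. The PDF hash is a placeholder (the SHA-256 of an empty input), not a real document hash.

```python
"""Filter FTD file/malware syslog events for blocks and correlate by SHA-256.

Added example, not from the post. SAMPLE_EVENTS are constructed lines whose
field names are assumed from the FTD 430004/430005 key: value format.
"""
import re

EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
PDF_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"  # placeholder
POLICY = "Block Office Document and PDF Upload, Block Malware Others"

SAMPLE_EVENTS = [  # constructed for this example
    "%FTD-1-430005: SrcIP: 192.168.1.50, DstIP: 203.0.113.10, SrcPort: 49812, DstPort: 80, "
    "Protocol: tcp, FileDirection: Download, FileAction: Malware Block, "
    f"FileSHA256: {EICAR_SHA256}, SHA_Disposition: Malware, FileName: eicar.com, "
    f"FileType: EICAR, FileSize: 68, ApplicationProtocol: HTTP, FilePolicy: {POLICY}",
    "%FTD-1-430004: SrcIP: 192.168.1.50, DstIP: 198.51.100.7, SrcPort: 50102, DstPort: 80, "
    "Protocol: tcp, FileDirection: Upload, FileAction: Block, "
    f"FileSHA256: {PDF_SHA256}, SHA_Disposition: Unavailable, FileName: invoice.pdf, "
    f"FileType: PDF, FileSize: 48211, ApplicationProtocol: HTTP, FilePolicy: {POLICY}",
    "%FTD-1-430004: SrcIP: 192.168.1.51, DstIP: 198.51.100.9, SrcPort: 50117, DstPort: 80, "
    "Protocol: tcp, FileDirection: Download, FileAction: Detect, "
    f"FileSHA256: {PDF_SHA256}, SHA_Disposition: Clean, FileName: setup.exe, "
    f"FileType: EXE, FileSize: 120331, ApplicationProtocol: HTTP, FilePolicy: {POLICY}",
]

# A value runs until the next ", Key: " or end of line, so a value that itself
# contains a comma (the policy name above) is kept whole.
KV = re.compile(r"(\w+): (.*?)(?=, \w+: |$)")


def parse_event(line: str) -> dict:
    """Turn one '%FTD-1-43000x: Key: value, ...' line into a dict (MsgID added)."""
    msg_id, _, rest = line.partition(": ")
    fields = {"MsgID": msg_id.rsplit("-", 1)[-1]}
    fields.update(KV.findall(rest))
    return fields


def blocked_events(lines, sha256: str = None) -> list:
    """Events whose FileAction is a block, optionally only for one file hash."""
    out = []
    for ev in map(parse_event, lines):
        if "Block" not in ev.get("FileAction", ""):
            continue
        if sha256 and ev.get("FileSHA256", "").lower() != sha256.lower():
            continue
        out.append(ev)
    return out


def summarize(ev: dict) -> str:
    return f"{ev['FileDirection']} {ev['FileName']}: {ev['FileAction']} ({ev['SHA_Disposition']})"


if __name__ == "__main__":
    for ev in blocked_events(SAMPLE_EVENTS):
        print(ev["MsgID"], summarize(ev))
    print("EICAR blocked:", bool(blocked_events(SAMPLE_EVENTS, EICAR_SHA256)))
```

Matching on the hash rather than the file name is the point: the name is whatever the client chose, while the SHA-256 is what the FTD actually sent to the AMP cloud for a disposition.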



