Add rules to File Filtering Policy elements
The rules in the File Filtering Policy allow you to define rule-specific options for malware detection.
Before you begin
You must create a File Filtering Policy element.
Rules are read from the top down. Place more specific rules above more general rules that match the same traffic. For example, if there is a rule that allows a file type without scanning above a rule that applies scanning, the matching files are allowed without scanning.
For more details about the product and how to configure features, click Help or press F1.
Steps
File Filtering Policy Editing view
Use this view to edit a File Filtering Policy element.
Option | Definition |
---|---|
Resources | Use this pane to create and add elements to a policy. |
Search | Opens a search field for the selected element list. |
Up | Navigates up one level in the navigation hierarchy. Not available at the top level of the navigation hierarchy. |
New | Opens the associated dialog box to create an element. |
Tools | Show Deleted Elements — Shows elements that have been moved to the Trash. |
Option | Definition |
---|---|
Policy Toolbar | |
Save | Saves the changes. |
Undo operation | Undoes the last change made. |
Redo operation | Redoes the last change that was undone. |
Tools |
|
Option | Definition |
---|---|
File Filtering rules table | |
ID | Shows the order of the rules.
Right-clicking this type of cell opens these menu items:
|
Source | The source of the file. The source is the source of the file transfer, not the source of the connection.
Right-clicking on this type of cell opens these menu items:
|
Destination | The destination of the file. The destination is the destination of the file transfer, not the destination of the connection.
Right-clicking on this type of cell opens these menu items:
|
File Type |
The file types that are filtered. Right-clicking on this type of cell opens these menu items:
|
Action |
Command for the engine to carry out when a connection matches the rule. Right-clicking on this type of cell opens these menu items:
|
Logging |
Options for logging. Right-clicking on this type of cell opens these menu items:
|
Comment |
An optional free-form comment for this rule. You can also add separate comment rows in between rules. Right-clicking on this type of cell opens these menu items:
|
Rule Name |
Contains a rule tag and optionally a rule name.
Right-clicking this type of cell opens these menu items:
|
Permit all |
Right-clicking on this type of cell opens these menu items:
|
Option | Definition |
---|---|
Info pane | Use this pane to view more information about the selected element. The available tabs depend on the type of element selected. |
File Type Situation Tag Properties dialog box
Use this dialog box to view the properties of a File Type Situation Tag element. You cannot edit File Type Situation Tag elements.
Option | Definition |
---|---|
Name | Shows the name of the element. |
Comment | Shows a description of the element. |
File Type Situation Properties dialog box
Use this dialog box to view the properties of a File Type Situation element. You cannot edit File Type Situation elements.
Option | Definition |
---|---|
General tab | |
Name | Shows the name of the Situation. |
Comment | Shows a description of the Situation. |
Description | Shows the description that appears in the logs when this file type is detected. |
Severity | Shows the severity value that appears in the logs when this file type is detected. |
Last Update in | Shows the dynamic update package number in which this Situation was last updated. |
Supported Engine Versions | Shows the NGFW Engine versions that are compatible with this Situation. |
Category | Shows the predefined categories that include this Situation. |
Select | Not available in this dialog box. |
Option | Definition |
---|---|
Context tab | |
Context | Shows the selected Context for this Situation. |
Select | Not available in this dialog box. |
match | Shows the expression used for matching this file type. |
ATD File Type | Shows the file type that is used for Advanced Threat Defense malware detection. |
Option | Definition |
---|---|
Tags tab — Shows information about the tags associated with the Situation. | |
Add Tags | Not available in this dialog box. |
Select Rule Action Options dialog box (File Filtering — Allow)
Use this dialog box to define the options for the Allow action in the File Filtering Policy.
Option | Definition |
---|---|
Decompress Archives and Rematch Content |
When selected, all the extracted files from a .zip archive file are matched against the rules in the File Filtering Policy. Nested archives are handled up to 4 levels deep, after which the "Nested archive limit reached" Situation is triggered. In the logs, the name of the .zip file is in the Archive File column, and the paths and file names in the .zip file are in the File Name column. |
Select Rule Action Options dialog box (File Filtering — Allow After)
Use this dialog box to define the options for the Allow After action in the File Filtering Policy.
Option | Definition |
---|---|
File Reputation Scan | When selected, a checksum of the file is sent to the McAfee Global Threat Intelligence cloud or the McAfee TIE
cloud to be scanned, depending on which file reputation service is enabled in the engine properties. If available, a file reputation is returned. Drag the slider to select whether the file is discarded or allowed based on the file reputation.
Note: If more file scanning methods are enabled, there are two sliders. If the file reputation falls between the two sliders, the next malware detection scan starts.
|
Anti-Malware Scan | When selected, the file is scanned for malware by Forcepoint NGFW.
Note: If the next file scanning method is enabled and the file is not infected, the next malware detection scan starts.
|
Advanced Malware Sandbox Scan | When selected, a checksum of the file is sent to a Forcepoint Advanced Malware Detection sandbox server. If available, a file reputation is returned. If the file is unknown, the file is sent to the Forcepoint Advanced Malware Detection server to be scanned. When the scan is complete, a file reputation is returned. Drag the slider to select whether the file is discarded or allowed based on the file reputation.
|
Delay file transfer until the analysis results are received | When selected, processing of the file transfer stops until the NGFW engine receives the analysis result from the Forcepoint Advanced Malware Detection sandbox server. When the NGFW engine receives the result, it allows or discards
the file based on the file reputation. Note: This option applies only to files that have not previously been analyzed by the Forcepoint Advanced Malware Detection sandbox server. For files that have previously been analyzed, the Forcepoint Advanced Malware Detection sandbox server returns the file reputation
immediately.
|
File Buffering Level |
Defines how much of the file is allowed or blocked until the malware detection scans are completed. Note: If DLP Scan Using ICAP is selected on the Data Protection tab, this option is ignored and the whole file is blocked
until the DLP scan is completed.
Note: This option is ignored for Capture Interfaces and when Connection Termination is set to Only Log Connection for the
engine.
Note: For SMTP, POP3, and IMAP traffic, selecting Low or Medium has the same effect as selecting High.
|
Log Level When File Is Discarded |
|
Action When No Scanners Are Available | The action when none of the enabled malware detection scanning methods are available, for example due to loss of network connectivity.
|
Decompress Archives and Rematch Content | When selected, all the extracted files from a .zip archive file are matched against the rules in the File Filtering Policy. Nested archives are handled up
to 4 levels deep, after which the "Nested archive limit reached" Situation is triggered. In the logs, the name of the .zip file is in the Archive File column, and the paths and file names in the .zip file are in the File Name column. |
Option | Definition |
---|---|
DLP Scan Using ICAP | When selected, the client request is forwarded to the integrated ICAP servers. The NGFW Engine allows or blocks the file depending on the response it receives from the ICAP server. |
File Size Limit(Optional) | The maximum file size in megabytes (MB). The default value is 50 MB. |
Action When File Exceeds Size Limit | The action when the file is larger than the maximum file size.
|
Action When No ICAP Servers Are Available | The action when none of the integrated ICAP servers are available, for example due to excessive load on the servers.
|
Logging - Select Rule Options dialog box (File Filtering rules)
Use this dialog box to define File Filtering rule logging options.
Option | Definition |
---|---|
Override Log Settings for connection | Overrides the logging settings defined in the Access rule in which file filtering is enabled. |
Log Level | Select one of these options:
|
Alert | Specifies that the Alert that is sent when the rule matches (the Default alert or a custom Alert element). Selecting different Alerts for different types of rules allows more fine-grained alert escalation policies. |
Severity | When the Log Level is set to Alert, allows you to override the severity defined in the Alert element. |