Add rules to File Filtering Policy elements

The rules in the File Filtering Policy allow you to define rule-specific options for malware detection.

Before you begin

You must create a File Filtering Policy element.

Rules are read from the top down. Place more specific rules above more general rules that match the same traffic. For example, if there is a rule that allows a file type without scanning above a rule that applies scanning, the matching files are allowed without scanning.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Add a rule in one of the following ways:
    • Right-click the last row in an empty policy, then select Add Rule.
    • Right-click the ID cell of an existing rule, then select Add Rule Before or Add Rule After.
  2. Drag and drop elements from the Resources pane to the Source and Destination cells, or define source and destination criteria.
    Note: The Source and Destination fields are the source and destination of the file transfer, not the source and destination of the connection.
    A client in the internal network downloads a file from a web server on the Internet. The source is the web server that served the file. The destination is the client computer.
  3. Drag and drop File Type Situations from the Resources pane to the File Type cell.
  4. Right-click the Action cell, then select the action.
  5. If you selected Allow After, select options for malware detection scans.
    The scanning methods are applied in the order in which they are listed. If a file transfer is not blocked by an earlier scan, the action specified for the last scanning method determines whether the file transfer is allowed or blocked. If none of the enabled malware detection scanning methods are available, the action specified for the Action When No Scanners Are Available option determines whether the file transfer is allowed or blocked.
  6. (Optional) To configure the logging options, double-click the Logging cell in the rule.
  7. Click Save.

File Filtering Policy Editing view

Use this view to edit a File Filtering Policy element.

Option Definition
Resources Use this pane to create and add elements to a policy.
Search Opens a search field for the selected element list.
Up Navigates up one level in the navigation hierarchy. Not available at the top level of the navigation hierarchy.
New Opens the associated dialog box to create an element.
Tools Show Deleted Elements — Shows elements that have been moved to the Trash.
Option Definition
Policy Toolbar
Save Saves the changes.
Undo operation Undoes the last change made.
Redo operation Redoes the last change that was undone.
Tools
  • Validate — Validates the rules in the policy. Opens the Validate Policy dialog box in which you can select which issues are checked in the rules.
  • Expand Rule Sections — If you have added Rule Sections, they are expanded.
  • Collapse Rule Sections — If you have added Rule Sections, and they are expanded, they are all collapsed.
Option Definition
File Filtering rules table
ID Shows the order of the rules.
Right-clicking this type of cell opens these menu items:
  • Cut Rule — Copies the rule to the clipboard and deletes the rule from the policy.
  • Copy Rule — Copies the rule from the policy.
  • Paste — Pastes the rule into the policy.
  • Delete Rule — Deletes the rule from the policy.
  • Disable Rule — Temporarily disables the rule without deleting it.
  • Add Rule Before — Adds the new rule before the selected rule or section.
  • Add Rule After — Adds the new rule after the selected rule or section.
  • Add Rule Section Before — Creates a collapsible section before the selected rule or section.
  • Add Rule Section After — Creates a collapsible section after the selected rule or section.
  • Move Rule Up — Moves the rule position up the list.
  • Move Rule Down — Moves the rule position down the list.
  • Show Related Logs — Filters the logs based on the identifier.
Source The source of the file. The source is the source of the file transfer, not the source of the connection.
Right-clicking on this type of cell opens these menu items:
  • Edit Source — Opens the Rule Source Definitions dialog box.
  • Set to ANY — Sets ANY as the cell's value.
  • Clear Cell or Remove — Removes the content of the cell.
  • Properties — Opens the element Properties dialog box.
  • Copy — Copies the content of the cell.
  • Rule — Opens a menu of list items for the cell.
  • References — Shows references to the selected element.
Destination The destination of the file. The destination is the destination of the file transfer, not the destination of the connection.
Right-clicking on this type of cell opens these menu items:
  • Edit Destination — Opens the Rule Destination Definitions dialog box.
  • Set to ANY — Sets ANY as the cell's value.
  • Clear Cell or Remove — Removes the content of the cell.
  • Properties — Opens the element Properties dialog box.
  • Copy — Copies the content of the cell.
  • Rule — Opens a menu of list items for the cell.
  • References — Shows references to the selected element.
File Type

The file types that are filtered.

Right-clicking on this type of cell opens these menu items:
  • Set to ANY — Sets ANY as the cell's value.
  • Clear Cell or Remove — Removes the content of the cell.
  • Properties — Opens the element Properties dialog box.
  • Copy — Copies the content of the cell.
  • Rule — Opens a menu of list items for the cell.
  • References — Shows references to the selected element.
Action

Command for the engine to carry out when a connection matches the rule.

Right-clicking on this type of cell opens these menu items:
  • Allow — The file transfer is allowed without malware detection scanning.
  • Allow After — The specified malware detection scans are applied to the file. If the file meets the requirements specified in the rule action options, the file transfer is allowed. Otherwise, the file is discarded.
  • Discard — The file transfer is discarded without sending an ICMP error message or TCP reset to the source. This action cannot be applied to traffic picked up through Capture Interfaces on an IPS engine or Layer 2 Engine.
  • Rule — Opens a menu of list items for the cell.
Logging

Options for logging.

Right-clicking on this type of cell opens these menu items:
  • Edit Logging — Opens the Logging - Select Rule Options dialog box.
  • Clear Cell or Remove — Removes the content of the cell.
  • Rule — Opens a menu of list items that are the same as for the ID cell.
Comment

An optional free-form comment for this rule. You can also add separate comment rows in between rules.

Right-clicking on this type of cell opens these menu items:
  • Edit Comment — Opens a text area that allows you to edit the comment.
  • Clear Cell or Remove — Removes the content of the cell.
  • Rule — Opens a menu of list items for the cell.
Rule Name
Contains a rule tag and optionally a rule name.
  • Name — (Optional) Name or description for the rule. Displayed alongside the rule tag.
  • Rule tag — (Not editable) Automatically assigned unique identification for the rule. Works as a link between the log entries and the rule that has generated the log entries. The rule tag consists of two parts (for example, @20.1). The first part of the tag is permanent and belongs to only that rule. The second part changes when the rule is changed. The first part and the second part are separated by a period.
Right-clicking this type of cell opens these menu items:
  • Edit Rule Name — Opens a text area that allows you to edit the rule name.
  • Clear Cell or Remove — Removes the cell content.

  • Properties — Opens the Rule Properties dialog box.

  • Remaining list items are the same as for the ID cell.
Permit all
Right-clicking on this type of cell opens these menu items:
  • Add Rule Before — Adds the new rule before the rule.
  • Add Rule Section Before — Creates a collapsible section before the rule.
Option Definition
Info pane Use this pane to view more information about the selected element. The available tabs depend on the type of element selected.

File Type Situation Tag Properties dialog box

Use this dialog box to view the properties of a File Type Situation Tag element. You cannot edit File Type Situation Tag elements.

Option Definition
Name Shows the name of the element.
Comment Shows a description of the element.

File Type Situation Properties dialog box

Use this dialog box to view the properties of a File Type Situation element. You cannot edit File Type Situation elements.

Option Definition
General tab
Name Shows the name of the Situation.
Comment Shows a description of the Situation.
Description Shows the description that appears in the logs when this file type is detected.
Severity Shows the severity value that appears in the logs when this file type is detected.
Last Update in Shows the dynamic update package number in which this Situation was last updated.
Supported Engine Versions Shows the Secure SD-WAN Engine versions that are compatible with this Situation.
Category Shows the predefined categories that include this Situation.
Select Not available in this dialog box.
Option Definition
Context tab
Context Shows the selected Context for this Situation.
Select Not available in this dialog box.
match Shows the expression used for matching this file type.
ATD File Type Shows the file type that is used for Advanced Threat Defense malware detection.
Option Definition
Tags tab — Shows information about the tags associated with the Situation.
Add Tags Not available in this dialog box.

Select Rule Action Options dialog box (File Filtering — Allow)

Use this dialog box to define the options for the Allow action in the File Filtering Policy.

Option Definition
Decompress Archives and Rematch Content

When selected, all the extracted files from a .zip archive file are matched against the rules in the File Filtering Policy. Nested archives are handled up to 4 levels deep, after which the "Nested archive limit reached" Situation is triggered.

In the logs, the name of the .zip file is in the Archive File column, and the paths and file names in the .zip file are in the File Name column.

Select Rule Action Options dialog box (File Filtering — Allow After)

Use this dialog box to define the options for the Allow After action in the File Filtering Policy.

Table 1. Anti-Malware tab
Option Definition
File Reputation Scan When selected, a checksum of the file is sent to the McAfee Global Threat Intelligence cloud to be scanned. If available, a file reputation is returned.

Drag the slider to select whether the file is discarded or allowed based on the file reputation.

  • If the file reputation is to the left of the slider, the file is discarded.
  • If the file reputation is to the right of the slider, the file is allowed.
Note: If other file scanning methods are enabled, there are two sliders. If the file reputation falls between the two sliders, the next malware detection scan starts.
Anti-Malware Scan When selected, the file is scanned for malware by Secure SD-WAN.
  • If the file is infected, it is discarded.
  • If the file is not infected, it is allowed.
Note: If the next file scanning method is enabled and the file is not infected, the next malware detection scan starts.
Advanced Malware Sandbox Scan When selected, a checksum of the file is sent to a Forcepoint Advanced Malware Detection sandbox server. If available, a file reputation is returned.

If the file is unknown, the file is sent to the Forcepoint Advanced Malware Detection server to be scanned. When the scan is complete, a file reputation is returned.

Drag the slider to select whether the file is discarded or allowed based on the file reputation.

  • If the file reputation is to the left of the slider, the file is discarded.
  • If the file reputation is to the right of the slider, the file is allowed.
Delay file transfer until the analysis results are received When selected, processing of the file transfer stops until the Secure SD-WAN engine receives the analysis result from the Forcepoint Advanced Malware Detection sandbox server. When the Secure SD-WAN engine receives the result, it allows or discards the file based on the file reputation.
Note: This option applies only to files that have not previously been analyzed by the Forcepoint Advanced Malware Detection sandbox server. For files that have previously been analyzed, the Forcepoint Advanced Malware Detection sandbox server returns the file reputation immediately.
File Buffering Level

Defines how much of the file is allowed or blocked until the malware detection scans are completed.

Note: If DLP Scan Using ICAP is selected on the Data Protection tab, this option is ignored and the whole file is blocked until the DLP scan is completed.
Note: This option is ignored for Capture Interfaces and when Connection Termination is set to Only Log Connection for the engine.
  • None — The whole file is allowed through before the malware detection scans are completed.

    This option minimizes the delay to the file transfer, but does not block malware.

  • Low — The last few bytes of the file are blocked until the malware detection scans are completed.
  • Medium — Part of the file is blocked until the malware detection scans are completed.
  • High — The whole file is blocked until the malware detection scans are completed.

    This option provides the highest level of security, but can delay the file transfer.

    Note: For HTTP traffic, if the file is very large, the whole file cannot be blocked.
Note: For SMTP, POP3, and IMAP traffic, selecting Low or Medium has the same effect as selecting High.
Log Level When File Is Discarded
  • None — Does not create any log entry when malware is detected or blocked.
  • Stored— Creates a log entry that is stored on the Log Server when malware is detected or blocked.
  • Alert — Triggers an alert when malware is detected or blocked.
Action When No Scanners Are Available The action when none of the enabled malware detection scanning methods are available, for example due to loss of network connectivity.
  • Allow — The file is allowed.
  • Discard — The file is discarded.
Decompress Archives and Rematch Content When selected, all the extracted files from a .zip archive file are matched against the rules in the File Filtering Policy. Nested archives are handled up to 4 levels deep, after which the "Nested archive limit reached" Situation is triggered.

In the logs, the name of the .zip file is in the Archive File column, and the paths and file names in the .zip file are in the File Name column.

Table 2. Data Protection tab
Option Definition
DLP Scan Using ICAP When selected, the client request is forwarded to the integrated ICAP servers. The Secure SD-WAN Engine allows or blocks the file depending on the response it receives from the ICAP server.
File Size Limit(Optional) The maximum file size in megabytes (MB). The default value is 50 MB.
Action When File Exceeds Size Limit The action when the file is larger than the maximum file size.
  • Allow — The file is allowed.
  • Discard — The file is discarded.
Action When No ICAP Servers Are Available The action when none of the integrated ICAP servers are available, for example due to excessive load on the servers.
  • Allow — The file is allowed.
  • Discard — The file is discarded.

Logging - Select Rule Options dialog box (File Filtering rules)

Use this dialog box to define File Filtering rule logging options.

Option Definition
Override Log Settings for connection Overrides the logging settings defined in the Access rule in which file filtering is enabled.
Log Level Select one of these options:
  • None — Does not create any log entry.
  • Transient — Creates a log entry that is displayed in the Current Events mode in the Logs view (if someone is viewing it at the moment), but is not stored.
  • Stored — Creates a log entry that is stored on the Log Server.
  • Essential — Creates a log entry that is shown in the Logs view and saved for further use.
    When the Log Server is unavailable, log entries are temporarily stored on the engine. When the engine runs out of space to store the log entries, it discards log data in the order of importance:
    • Monitoring data
    • Transient and Stored log entries
    • Essential log entries
    • Alert entries
    Note: The settings for storing the logs temporarily on the engine are defined in the log spooling policy.
  • Alert — Triggers the alert you add to the Alert field.
Alert Specifies that the Alert that is sent when the rule matches (the Default alert or a custom Alert element). Selecting different Alerts for different types of rules allows more fine-grained alert escalation policies.
Severity When the Log Level is set to Alert, allows you to override the severity defined in the Alert element.