Cisco CCNP Security 300-710 SNCF – Cisco NGFW Firepower Threat Defense (FTD) Part 12

49. Lecture-49:Configure and Verify Malware and File Policy Lab.

In this section we gonna do labor file policy and malware policy. OK? Which is all together. So we are using the same lab. I have an external server which is windows seven. This is the windows seven. And this windows seven is an external server. I have FTP server which is running. Let me start it. I have created some user and I have a directory where I put something directory FTP with C drives. If somebody tried to visit me. So they will see this directory which is FTP and FTP I put some PDF file, wireless file, some text file, some setup and XD file. Okay, so this is my external FTP server maybe somewhere in the internet. Okay. Another thing, I have Zam server installed. You can easily install this one. Whereas my Zem server is a web server. So I’m using this one zam server. And let me start Zam server as well. So I have FTP server installed and I have a web server installed. Let me start web server as well which is running on 80 port and also and my IP address is IP config which is 250. So this is external server somewhere in the Internet with 250. And this is my internal system with one three. So this is window ten, this one one three. Okay, so I will use these two system in this lab most of the time. So this one is one three system and gateway is 254. In this case their gateway is one one 4254. So this the lab setup. Inside we have 1254 external one one 4254.

There is a default route going to 1141. Management is 100, 200 management for FMC 100, 210 internal subnet we have 192-1681 and external we have 109, 21681, 114. There is excess policy, there is a net policy by default configure and everything is ready. Now we need to implement file and malware policy so that nobody can access and go out and download any malicious either any file which is unwanted to their system. Like right now if I go and access this server, I can download everything. So if I go to this FTP server, if I click here my from internal to access this server which is externally somewhere in the internet. If I say FTP 1921-681-1425 and enter so this FTP server will open and it’s open. And from here I can download PDF file. Let’s see I can or not. So it should be and so it’s download. By the way, it will take some time. So there is no restriction. It means I can go to any internet website and I can download PDF file without any restriction. Let me download a text file. Can I download text file from any FTP either http website? So let’s see why it’s taking time. It is a small file, just only PDF. But for some reason it’s taking time. So let them take it means I can. There is a wireless file. I can download this one as well. It will not stop me. There is XD file, it will download.

Nobody can stop because we don’t have any file control and neither we have a malware control. So it’s download. Okay. It’s for some reason take time. Let’s see again if I say okay let me ping. I can ping the server 192-168-1142 05:00 a. m. Breachable or not. First we need to check. Okay there is some stoneness I think. So it has to work. Let me ping some other thing that I am reachable outside or not. Okay. So yeah there is slowness in this server. So sometimes it’s dropping. That’s why I was checking the lab before. Some time is coming issue in my lab. But anyway it will be download. So now let’s go to implement the policy to control this one. Okay. And this one is running. We can test from here. By the way, let me see. Maybe this one is okay. So if I go to this server and let’s see first check out that I am reachable or not being 100 and 921-681-1425. Yeah so this one is okay. Something is wrong with that window. So let me download. So where I can go to anything and type here. Where to type? There is a place to Linux space. So I just need to type them. I can use browser as well by the way. So let me set that web server and before applying any policy just want to show you. Okay. Also we have a web server as well. So I can download from there as well. So FTP 192 sorry FTP 192 168 1114 which is a FTP server somewhere in the internet. And let’s see. So I can download this. So I’m going to download another is the text file. So I can download text file as well without any restriction. It’s a firewall and they are not stopping me. And there is an exe file. Can I download this one as well? There is an exe file. So let me try here and save the file. So you see setup is also going to download. This one is done. FTP is almost to done. An XD file will take some time to download. So it means everything is allowed. And there is by the way wireless file. Let me download virus as well. That can somebody will stop me or not. So let’s see. Let me show you this. The virus by the way.

So you see nobody stopped me and it’s download. So it’s done that there is no restriction. Now let’s apply the restriction. So what I need first I need to go to policy and there is malware and file policy. We just created one. If it is not just say new file policy. Added this policy name there is nothing just say add rule and which protocol. I say any which direction. I say any which file. So I say all file. Because we just want to test. So I will choose all file done. And I will say aid all category. First thing which thing to check first we will do test one by one. Block with reset detect block malware and malware cloud. Lookup we will do one by one. So the first one is block file with reset connection. Okay. So that’s the first thing we will do and test. And then I will change this action. So let’s do first there’s one block file and save. Which file all file. Because I am doing testing and save. So my policy is ready. Just save. But as we say that every policy beside this excess control policy. You need to integrate them to access control policy. So let’s go and attach this malware and file policy same like a normal. So I am in excess control policy. Let’s edit the main policy. But where they help to attach. Because last time we attach prefilter here SSL here identity should be here. So there is no place to attach this file policy.

There is with every allowed rule. You need to add every allowed rule. And go to inspection. And here is file policy. So what is our file policy name? Malware and file policy attach. And it should allows it to be enabled. So it’s already enable and save. So whenever the traffic is allowed. So the last at the end they will check with file policy. So we enable file policy. They check them. It is allowed or not. The file is allowed or not. And save. Okay and now deploy this one. Sorry deploy and deploy. So until it’s deploy. Let’s go to slide and see. So the first thing we’re going to check block with reset block but reset the connection. So what we done we create a policy. And we choose block with reset connection any and we choose all the file. Okay we add them. And that’s the other one. We just need to test them. Then we went to access control policy. Go to inspection tab with all allowed rule we will add file policy. Okay the file policy is add here. And then we deploy. Now we deploy for testing. Because I block all file. So if from FTP server I try to download this file. It can be a wireless file. It can be maybe there may be no virus still it will not download neither. I can upload those file either through Http either through FTP. And it will say file block. Because I take this. Action.

So let’s do now a student process. But let me make ready the system. Okay I think so this one is start working. So let’s see start working. Because in window we can see more visible. So it’s not working. I’ll deliver it. We will use Linux is okay. So in Linux system where is we will use this to download. And also we have Http server http so we can test from both. And one one four to 50. So we have Zim server installed in this window, it’s running here and I believe I keep some file there as well. Let me see if I go to Zem server and they have Http directory where we keep our website. This one Htdog and yes, there is seven XV and seven PDF. These two file. So let’s try this one as well. So let them open. Okay. And also through FTP and also through Http. Yeah, it’s come up. And here you can type seven dot PDF. It will download. I keep this file there, I think. So it’s there. So let me see. It was seven or something. It is same server and it should be whereas Htdog let me rename it’s. Okay. There is no space here save one PDF. It’s correct. Okay no, I need to choose this one like this way yeah it’s opening by the way but it’s open yeah the connection is reset. Maybe the policies apply now so we cannot do anything now anyway so let’s try them now. So the policy is implemented and now by Http let’s try to download this file and see they’re going to download or not. And also from here let’s download which one there is a PDF here so let’s download this one and see it’s going to download or not because now we have a file policy here and let’s see and we block our file by the way why it’s open? Because we have history sony need to go like this way. Previously it was open. So one s one time is open. So let’s try this way. By the way, it has to give error for some reason. And there is exe file as well. And download. It has to give error. So let’s see. It will say that no with PDF. Yeah, because that was open. Sorry. And this one is fail because we say upload and download. So not view. And now let’s see from here as well. So if I try to download this one through FTP it will not work. So now we cannot download and if you want to put it will a give error by the way don’t worry they say fail and if you have a file and you want to upload here it will also not work. So if I go to this folder and let’s upload the file as well to this FTP server because I give permission full read upload and download, it will not work by any means.

Okay so it’s not going to open so that I can try to upload, it will not work. Let’s verify for verification we need three things events because this policy is combinedly working. So now what thing I’m taking right now so this 1 second thing I need to check here is file malware events let me open this one is new tab and third thing file events three things events it will show everything malware and file events. So let me open in file events separately so here it has to be block. Here it’s mentioned that the file is blocked going to 192, 60 or 250 and file block because we say block it. So in events it’s okay because even showing you everything if you want to search for, let me more specific, let me search and apply only my IP, the IP of the system so what is my system IP? This one I think so this IP is one one so let me search by initiator IP 192, 168 one one okay and let me search only this one so it will show you only this traffic and let’s see so file is block here is done what about the second thing? I know this was events but what about the what is called file policy? So let me refresh that anything is there malware?

This is Malware no and Malware nothing is there and also the third one is the file so in file there is a record because right now I’m using a file policy the policy work together I don’t know how to explain you since first slide. I’m telling you that there are two type of thing which they are combined and three places to verify and events. It will show you everything. Malware. I say there is no malware because the policy we are using is not related to Malware. It’s related to file control. I don’t want any file. So when I come to analysis and file events and file, they say that somebody tried three times to upload or download PDF file but no disposition because it’s not related to malware. And they try XD file to download because I try these two clear. So I’m doing file control now. Let’s go back and apply the second rule now. So go to policy and malware and file policy. Okay. And this time let me edit and let me edit this one. And this time I would say, what is the second step? I need to check so blocking is okay the second thing we need to verify is deduct yeah so the second thing list apply detect, same file, same everything but

I change the action and save this time I want to detect and save and deploy you get my point? One by one. We are testing every rule that what will be the result. And the result will be checked in three places. And those three places are events, connection events, file events and Malware events. So the first one was blocked. So record was in File events and record was in connection events. But there was no record in Malware. Now I said detect. So detect is also related to file policy. So again in every record will be in connection events. The card will be in file events but new record will be in Malware. Okay. This is what I want to explain. So let’s go to the second one until it’s apply. So this time I say deduct. So in events there will be file monitor because detect means don’t stop them but show the record and logs and file events there will be file events that yes, somebody tried to download XD file and let me count them and let me detect, but I cannot stop them. And when we go to detect but in Malware there will be no record for deduct because in deduct file we don’t care malware don’t care, malware only related to malware stuff. So let’s verify these three things. So still there. Okay. Okay. So keep in mind when I try to download before so it gave me error. This time it will be download. Keep in mind that’s the difference between deduct. Okay? So I will try this one and from here we will try something. So we are just waiting. So when the policy is pushed then we will see that what detect can do and then we will verify from three different events connection events, file events and malware events. When it’s done, then we will go to the third option. So let’s see for a while it’s almost 75% done.

Okay, so this is the way to control your network traffic, file control and malware control. So they are doing two things by the way, in my lab I block all type of file but in your case it can be normally exe file which we want, we don’t want so that somebody can download XD file. Okay so you can create a separate policy for XD file and you can put restriction on upload and you can put restriction on download as well. Right now we say any means either upload or download. So it’s done now let’s do it. It will be download. Okay and let’s see it’s going to download and if I say exe file, it will also be download. Okay? Yeah and sorry, by mistake I cancel it because I need a record here and also from web point of view if you want so it’s also be download. You can see it’s going to download. Okay PDF as well and XD file XD file through FTP and XD file through http both it’s going to allow them because we said detect. So let’s go to traffic first and access control policy. Sorry analysis connection events and see from here. So you see file monitor it’s allowed but only file monitor.

Let’s go to which one is this one? This is malware. There will be still nothing, no record and let’s go to the last one which is file policy and malware is nothing. Let’s go to file policy. I’m in file policy. This one is selected here, it will be more count now and rather than block it will say deduct. Let’s refresh this one. Yeah you can see three times deduct MSX, executable file and detect PDF file but still no disposition. This file has not yet been recognized. Okay, so two things are clear to you. And here is file monitor. Just monitoring. Now let’s go back to malware and file analysis and see the other two action and then we will verify again. So let me go there and this time delete file. Let me change the action to block Marvel okay. And block malware and save and save and deploy a change action. Okay, everything is similar, just change and it’s already integrated to access control policy you just need to deploy. So now what will happen in this case? Let’s go to okay, I done. Malware cloud lookup first but it’s okay. And the last one is let’s go to the last one. Okay, I did not mention that one maybe. So this is malware cloud lookup. Okay. And let’s see detect file block. Okay, so I did not mention that one but it’s okay. It will only show you the malware file only. Okay. It will take action only on malware. In this case we have a malware file only. This one. Where is this one? This is the malware file. Others are okay, they are clean file. So if I try to download all these, it will work. But if I try to this one this malware file so it will give me an error and this will block the action. It will not allowed me to download this malware file. And let me copy this malware file through Http as well.

So I’m here and let’s go to FTP and download the copy the file this exe this one. And let me copy this one to Http directory as well. So we can test from Http side as well. Here is and let me change the name to make them something easy. Maybe seven dot zip. So seven PDF, seven XZ and seven zip. The seven zip is basically a wireless. Okay so I copy here as well. So it’s in FTP directory as well. And also it’s in Http directory as well. And this window system is FTP server and Http and Https server. You can make Http and Https server so easily using XLight, FTP and Zem server. Okay, so easy. Either you can find out any website to download directly through internet if you want to do your test, but it’s better to use this one. Okay. This is such a way. Okay so let’s see, we are waiting to deploy and then we’re going to test. This time my action is malware. Okay. And before apply let’s go to events. Okay. So make ready this window. Okay. And the other window is this one. And this is the file window. And let’s see now it will take some time to push this update to FTD from FMC. Okay. And then we’re going to test which action they will take and where to find the logs. So it’s done.

And now let’s go back to our client side and try to download PDF, either text file or whatever. So it has to be download there will be no restriction is done. And if I download PDF. Okay. Sorry. Yeah. So PDF has to be downloaded as well without any restriction. Let’s see, it’s going to download or not. And Xg will also download. Okay. And the thing which will not be download and will be restricted this virus which I download from Internet. Okay. And I just keep in the directory. Okay, so it’s download. So PDF is also okay. And let’s download this wireless. You see the connection was reset. They said no, that you can download other things like a setup, exe it’s okay, I don’t care. You can download any other thing. So it’s also okay, you can download PDF, you can download text file, you can do whatever you want, but don’t download a viruses. And the same thing. I will check from here. It was seven zip wireless. And let’s see, can I download or not through Http? So let’s see that through. FTP is not possible and until it’s download, let’s go to analysis and see the events and also refresh this one. This time you will see something here. And also let’s go to file. And also you will see some disposition as well here. So let’s see. You see now that somebody try save one zip because that has been reset, I believe. Yeah, this one I’m trying save one zip. And from here the file name is EICR, whatever. Okay. So they say that somebody try and this the hash which I was talking, they send the hash to MP and they say no, this is a virus. It’s a zip format three times some time.

Try this one and one time this one. And this is the virus introduction name. So this time in Malware. Here in Malware events we can see something. And here you will see also something here. Let me refresh and even and let’s go to file. And file there will be now you see, there is disposition now, meaning the position of the file. What is this file related? So we discussed there should be unknown then can be a malware and so on. We discuss some other as well. So now they are asking that somebody try one and six time zip file. That means that is still trying this one. Yeah. So it’s still trying this way. It’s showing us again and again it’s increasing this one. Okay. And this the action the action was Malware block because we take action up block and in events it’s also say file block. It has to be another action. But anyway, it’s coming under file block reason. Okay. And file block we test them and Malware is showing us the Malware record. Let’s go the last one, the last action to take is the cloud. Lookup. So let’s go to Malware and file and let’s test the last option which we can take block with Malwareia and reset action. And if we run wireshark it will be reset. Okay? And this is malware cloud lookup, you remember what I say and theoretically what do you think what action they will take? Do you think I can download the malware? Yes okay so let me stop this one how can I stop? Because they are trying again and again. Now I change the action. So the action, malware action, say. Now I’m using this action malware cloud. Lookup, this rule obtained. It will generate logs, but it will still allow the traffic. It means I will download that wireless file which I put there, but it will just generate logs in the Malware section here. Where is the Malware section? This one now how many? Let me refresh.

It says three N one it will be increased. By the way, is five one. If the last one is up to date is five one it will increase this one. But the file will be download because I say just check in the cloud that this file is infected. Just generate log wear, generate logs and analysis and malware events so that we know who download what thing and it was infected and he tried to download them and let them download. You get my point? But in file it will be also something here but it will be download and here in the logs also it will generate logs and connection events as well. So let me put this window events window okay, right now it’s file block only. Okay it will be here and let’s see if it is done then we can test the last option related to malware and file policy. So URL if we can see this policy can be used for two different purpose. The first two option, one of them is detect and the other is block and the last two is cloud detect and cloud block.

Cloud block you can say either malware block and malware generate logs so altogether four option were there, two were for only logs generation and two for blocking purpose but altogether two for file control and two for malware control and where we can find the log. So you need to go to analysis connection events, malware events and file events. Okay, so these are the thing which we were testing in this slave so let’s see the last thing definitely I will download that file without any restriction but it will generate logs that somebody download virus infected file. Okay, so let’s see the last option. Yeah, it’s done and now let’s go to my client PC and try to download I know these all will be downloaded without any restriction, even this won’t be. So let’s see, can I download this one? And also can I download through http So yes it’s download one time and also let me download from here as well sorry seven dot zip not save one seven zip is basically the virus done and now let’s verify from analysis events and refresh this one to see there will be cloud lookup okay. So again, s file monitor is coming under file monitor here in events. But here you will see five N, one, it will be increased. Let’s see six two. It was five one. And now it’s six two because I tried this one and this one will also increase.

And here it will show you the detail as well. It will be malware cloud lookup. You see another malware cloud lookup game now. So say that we check in the cloud, not for the other one, they check only once. It has to be six years. Okay. It has to be two years. Okay. So two times they say we check if you want to increase. Let’s try again, seven zip again. Okay. And try from here as well. Okay. So malware cloud is basically two. And this one is three. So let’s see, it will be increased. And here it was six two. Yeah. So it will increase more. Yeah, 7362. Now it’s 73. And now let’s go to the last one which I was talking about, this one. So let’s see, malware cloud is now four. So it’s proof that it’s working and it’s downloading, but just detecting. And if you check here, it will be file monitor. So it means this file monitor is in malware section as well. And file monitor is in file section as well. Here is showing you like a file file monitor. It can be a malware file monitor. It can be a file monitor. Both they are showing the reason. This one they said, I believe this done, this was a malware and file policy.

• Category: Uncategorized