File Policy Best Practices

Note the following general guidelines and limitations when configuring file policies.

  • You can associate a single file policy with an access control rule whose action is Allow, Interactive Block, or Interactive Block with reset.

  • You cannot use a file policy to inspect traffic handled by the access control default action.

  • For a new policy, the web interface indicates that the policy is not in use. If you are editing an in-use file policy, the web interface tells you how many access control policies use the file policy. In either case, you can click the text to jump to the Access Control Policies page.

  • For file blocking to work, the NAP policy you apply to the access control policy must be operating in Protection mode, also known as Inline mode.

  • Based on your configuration, you can either inspect a file the first time the system detects it, and wait for a cloud lookup result, or pass the file on this first detection without waiting for the cloud lookup result.

  • By default, file inspection of encrypted payloads is disabled. This helps reduce false positives and improve performance when an encrypted connection matches an access control rule that has file inspection configured.

    Attention

    The File Inpsect preprocessor with the following generator IDs (GIDs) are enabled by default for file/malware policy: GID: 146 and GID: 147.

  • If you enable an access control policy with a file policy that uses either a Malware action or a Store Files option, the computing power and system performance of the device is reduced.