Cisco Email Security Appliance (ESA) - Reporting

Similar Messages

• BUG #CSCur27131 - Evaluation of CVE-2014-3566 on Cisco Email Security Appliance

  I have raised a support case with TAC to try and get more information on the preferred config as well as what Ciphers then become available. Points raised in the support case are as follows:
  Current config based from existing artilce pre-POODLE > MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH
  Should the new config be > MEDIUM:HIGH:-SSLv2:-SSLv3:-aNULL:@STRENGTH
  Use of strength meaning that the Ciphers are ordered and presented strongest to weakest as negotiation should occur at the first mutually accepted cipher.
  What are the TLSv1 Ciphers used by Ironport (verify under sslconfig CLI appears only to list SSL ciphers)
  Finally, does the Ironport support or plan to support in the future TLSv1.1 and TLSv1.2 ciphers?
  Response from TAC so far is the same as the referenced article - https://tools.cisco.com/bugsearch/bug/CSCur27131 which doesn't address all my points
  Paul

  Negating SSLv2 and SSLv3 in the cipher suite has no effect as long as only enabled TLSv1 is enabled.
  And reordering ciphers by strength won't bring anything since the client's ciphers order will always be preferred.
  Also, MD5 should be disabled as it's widely considered too weak for the job.
  My recommendation would be to use the following suite > HIGH:MEDIUM:!aNULL:!MD5

• Ask the Expert: Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features)

  With Namit Agarwal and Rahul Govindan 
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features) with experts Namit Agarwal and Rahul Govindan.
  This is a continuation of the live webcast.
  Cisco ASA CX (Context-Aware) is a next generation firewall service that serves as an extension to the Cisco Adaptive Security Appliance (ASA) firewall platform. In addition to the proven stateful inspection firewall capabilities, it provides us with next-generation capabilities and a host of additional network-based security controls for end-to-end network intelligence and streamlined security operations.
  Namit Agarwal is a customer support engineer at the Cisco Technical Assistance Center in Bangalore, India. He has more than four years of experience in the security domain. His areas of expertise include ASA firewalls, IPS, and ASA content-aware security (ASA CX). He has been involved in various escalation requests from around the world. He holds CCIE certification (number 33795) in security.   
  Rahul Govindan has been an engineer with the Security Technical Assistance Center team in Bangalore for more than three years. He works on security technologies such as VPN; Cisco ASA firewalls; and authentication, authorization, and accounting. His particular expertise is in Secure Sockets Layer VPN and IP security VPN technologies. He holds CCIE certification (number 29948) in security.
  Remember to use the rating system to let Namit and Govindan know if you have received an adequate response. 
  Because of the volume expected during this event, Namit and Govindan might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity VPN shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
  Webcast related links:
  Slides from the live webcast
  Video Recording of the live webcast
  Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features): FAQ from live webcast

  Hello Namit and Rahul,
  Here are few questions that came in directly during your live webcast hence posting them here so that users can benifit:
  1)      How is ASA CX different from other UTM solutions ?
  2)      How is dynamic application inspection of CX better than other inspection engines  ?
  3)      What features or functionalities on the CX are available by default ?
  4)      what are the different ways we can run or install CX on the ASA platform ?
  5)      What VPN features are supported with multi context ASA in the 9.x release ?
  6)      What are the IPv6 Enhancements in the ASA version 9.x ?
  Request you to please provide your responses to them individually.
  Thanks.

• About CPU utilization value of ironport C370 email-security-appliance

  Hello all,
  What is the normal / abnormal value for the following parameters of ironport C370 email-security-appliance ?
  total active recipients
  active messages in work queue
  CPU utilization

  Each appliance would be a little different based on the expected mail processing, throughput for your environment/domains... and then throw in which processes you have turned up (IPAS, AV, VOF, etc.)...
  Typical C370 (running 8.0.1) should be able to handle:
  1. ~18 +/- recipients/sec
  2. average workqueue ~ 462 
  3. average CPU utilization of ~ 91%
  The #s vary, again, based on what you have enabled and licensed.  You would be well suited to open a dialog with your Sales Ops/Account team, as they have means to determine the proper numbers and outcomes for your environment.
  I hope this helps!
  -Robert
  (*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

• SunBlade 100 to Cisco PIX Security Appliance

  I have a problem connecting a SunBlade 100 workstation with Cisco Routers, and the PIX Security Appliance at the Console ports of both a Cisco router and the Cisco PIX Security Appliance. This should be out of the serial port of the SunBlade 100 workstation..
  I have tried to use the UNIX command tip hardwire. No luck connecting to the console port. I also tried to use the UNIX cu command again no response from the console port. I tried connecting a modem temporarily to the SunBlade 100 workstation and was successful in echoing a phone number to a modem. However, I need to use a direct connection from the SunBlade 100 workstation.
  Currently, Windows 2000 workstations are used with
  Hyperterminal to connect to routers and the PIX Security Appliance. I have 24 SunBlade workstations in my classroom and need to use them to connect to the console port on Cisco routers, and the PIX Security Appliance. I would appreciate any help anyone might be able to give on this subject.

  Hello Namit and Rahul,
  Here are few questions that came in directly during your live webcast hence posting them here so that users can benifit:
  1)      How is ASA CX different from other UTM solutions ?
  2)      How is dynamic application inspection of CX better than other inspection engines  ?
  3)      What features or functionalities on the CX are available by default ?
  4)      what are the different ways we can run or install CX on the ASA platform ?
  5)      What VPN features are supported with multi context ASA in the 9.x release ?
  6)      What are the IPv6 Enhancements in the ASA version 9.x ?
  Request you to please provide your responses to them individually.
  Thanks.

• Clearing tcp sessions on the cisco acs secure appliance

  Hello,
  is there a possibility to view the number of tcp-session which are active on an acs secure appliance?
  Due to these hangups we have no connection to the appliance through web or console. So we are also interested in clearing the tcp-session instead of rebooting the appliance.
  Could somebody help us.
  thnx
  Torsten Waibel

  What is the acs software ver ?

• Content filter on Cisco Email Security Virtual Appliance

  Dear friend.
  I have problem with Content Filter when configure Cisco Security Virtual Appliance.
  You can see my rule on attachment picture.
  But when I sent an email with subject : "RE: Nh? m? case l?i k?t n?i t? KH qua firewall Checkpoint", it's block by Content Filter "DenySubject"
  I'm sure that in my Dictionary doesn't contains any word from this Subject.
  Capture 3 is captured in Policy Quarantine.
  Please help me to solve it asap.
  Thanks so much.
  Vinh Phan

  It is not an issue with the virtual ESA.  Using my vESA, I get the same results, using your "denysubject.txt" for custom dictionary...
  Tue Jun 10 22:53:37 2014 Info: ICID 96 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS rfc1918
  Tue Jun 10 22:53:37 2014 Info: Start MID 58 ICID 96
  Tue Jun 10 22:53:37 2014 Info: MID 58 ICID 96 From: <[email protected]>
  Tue Jun 10 22:53:37 2014 Info: MID 58 ICID 96 RID 0 To: <[email protected]>
  Tue Jun 10 22:53:37 2014 Info: MID 58 Message-ID '<[email protected]>'
  Tue Jun 10 22:53:37 2014 Info: MID 58 Subject 'RE: Nh? m? case l?i k?t n?i t? KH qua firewall Checkpoint'
  Tue Jun 10 22:53:37 2014 Info: MID 58 ready 7764 bytes from <[email protected]>
  Tue Jun 10 22:53:37 2014 Info: MID 58 matched all recipients for per-recipient policy mygmail_inbound in the inbound table
  Tue Jun 10 22:53:37 2014 Info: MID 58 quarantined to "Policy" (content filter:DenySubject)
  Tue Jun 10 22:54:36 2014 Info: ICID 96 close
  Reviewing the contents --- one line is the culprit:
  [NuocVIET], 1
  Remove that one entry, and the dictionary works.
  Tue Jun 10 23:34:19 2014 Info: New SMTP ICID 117 interface Management (172.16.6.165) address 172.16.6.1 reverse dns host unknown verified no
  Tue Jun 10 23:34:19 2014 Info: ICID 117 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS rfc1918
  Tue Jun 10 23:34:19 2014 Info: Start MID 91 ICID 117
  Tue Jun 10 23:34:19 2014 Info: MID 91 ICID 117 From: <[email protected]>
  Tue Jun 10 23:34:19 2014 Info: MID 91 ICID 117 RID 0 To: <[email protected]>
  Tue Jun 10 23:34:19 2014 Info: MID 91 Message-ID '<[email protected]>'
  Tue Jun 10 23:34:19 2014 Info: MID 91 Subject 'RE: Nh? m? case l?i k?t n?i t? KH qua firewall Checkpoint'
  Tue Jun 10 23:34:19 2014 Info: MID 91 ready 4505 bytes from <[email protected]>
  Tue Jun 10 23:34:19 2014 Info: MID 91 matched all recipients for per-recipient policy mygmail_inbound in the inbound table
  Tue Jun 10 23:34:19 2014 Info: MID 91 queued for delivery
  Tue Jun 10 23:34:19 2014 Info: New SMTP DCID 39 interface 172.16.6.165 address 173.37.93.161 port 25
  Tue Jun 10 23:34:19 2014 Info: DCID 39 TLS success protocol TLSv1 cipher RC4-SHA 
  Tue Jun 10 23:34:20 2014 Info: Delivery start DCID 39 MID 91 to RID [0]
  Tue Jun 10 23:34:20 2014 Info: Message done DCID 39 MID 91 to RID [0] 
  Tue Jun 10 23:34:20 2014 Info: MID 91 RID [0] Response '2.0.0 s5B3YLna030140 Message accepted for delivery'
  Tue Jun 10 23:34:20 2014 Info: Message finished MID 91 done
  Tue Jun 10 23:34:25 2014 Info: DCID 39 close
  I hope this helps!
  -Robert
  (*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

• 2 ironports email security appliance redundancy

  Hi,
  I have two IronPort ESA C160 devices and would like to cluster them for redundancy. My question is:
  When the devices are clustered, is there a cluster IP address (not an interface on either device) which is created which emails from Exchange can be routed to? Since only 1 of the 2 devices will be active at any given time, how can Exchange distingiush which Ironport device to route to?
  Any assistance would be greatly appriciated.
  Omar Badawi

  I see your IP is listed as 200.40.148.74
  Checking Senderbase, not seeing any issues relating back to your side:
  http://www.senderbase.org/lookup/?search_string=200.40.148.74
  Changes recently to DNS?  Hostnames resolve, reverse DNS?  Domains correct and resolvable?  SPF in use... any changes, is it correct?  DKIM, same - any changes, is it correct?
  Originating MX?  Any changes of late to local mail or ISP?
  Normally the 421 error is a temporary block due to issues seen coming from your address/originating IP.  Issue still persist?
  -Robert

• Ironport C170 Email Security Appliance - No Upgrades Available Error

  Hi All,
  I have a pair of IronPort ESA C170  with Async OS version 7.6.2-014. one of them displayed two versions that are available for upgrade:
  7.6.3 & 8.0.1; however , the other appliance displays "Error - no available upgrades". 
  So we tried to open the link : http://updates.ironport.com/fetch_manifest.html 
  updated the serial number information for the first one and it displayed the two versions ( 7.6.3 & 8.0.6 ) successfully and it didn't display anything when i put the serial number of the second appliance.
  The Problem clearly that we cant upgrade the second appliance.
  So Appreciate to share your experience on this.
  Thanks,

  You will need to open a support case so that we can get your serial number of the appliance, review to make sure it is in the correct upgrade provisioning group, and then also work with you direct to assure that you have the correct network settings to reach the updater servers.  
  You should be able to open a telnet session from the CLI on the appliance(s) to downloads.ironport.com on port 80, update-manifests.ironport.com on port 443...
  8.0.1 is the latest GA release - and will be the last available hop in upgrade paths.  So, if the appliance is on 8.0.1, then there will be no further upgrade availability currently for the appliance.  If you are needing to get to 8.5, which is FCS, you'll need to request provisioning through a support request.
  -Robert

• Cisco Web Security Appliance Slowness issue

  Hello,
  I have a slowness issue on an Existing WSA-S170-K9 appliance , when issuing the command Rate/proxystat it displays unresponsive sometimes screenshot attached.
  software version is 8.5, i was suspecting that this issue is related to access policies applied on end users ; so i created a test policy to bypass all checks and disable all malware/antivirus checks on users flows however, the same issue is still there.
  Appreciate any assisstance,
  Thanks,
  Muayad Jallad,

  Does this happen every time you run the rate command and at the beginning of the command's output rows?
  You may want to look at your proxylogs to see what activity is occurring while the proxy is unresponsive.

• Cisco Adaptive Security Appliance Software Version 8.2(4)

  Dear All
  I was configure IPSEC vpn on ASA5540 and i have problem with port blocked.  I am unable to block server ports to remote users.  See below configuration.   I need to configure vpn filter list can any one help me to configure vpn filter list. 
  access-list portal extended permit ip host 10.1.xx.33 192.168.20.0 255.255.255.0
  access-list portal extended permit ip host 10.1.xx.34 192.168.20.0 255.255.255.0
  access-list portal extended permit ip host 10.1.yy.33 192.168.20.0 255.255.255.0
  access-list portal extended permit ip host 10.1.yy.34 192.168.20.0 255.255.255.0
  group-policy portal internal
  group-policy portal attributes
  dns-server value 10.1.10.33 10.1.10.34
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value portal
  default-domain value abc.com
  split-dns value abc.com
  address-pools value vpnpool
  tunnel-group portal type remote-access
  tunnel-group portal general-attributes
  address-pool vpnpool
  authentication-server-group ACS
  default-group-policy portal
  tunnel-group portal ipsec-attributes
  pre-shared-key *&******
  I need to block this access-list and open only port 53 dns
  access-list portal extended permit ip host 10.1.yy.33 192.168.20.0 255.255.255.0
  access-list portal extended permit ip host 10.1.yy.34 192.168.20.0 255.255.255.0
  I write this access-list but it will not work and its open all ports.
  access-list portal extended permit udp 10.1.yyy.33 eq 53 192.168.20.0 255.255.255.0, but this access-list will not work and its open all ports like remote desktop, ftp, icmp, etc.
  any body can help me plz.
  anybody can help me how to used vpn filter list to block port or protocol based.

  Hi,
  You can have the split tunnel ACL named as portal and configured as below:
  access-list portal extended permit ip host 10.1.xx.33 192.168.20.0 255.255.255.0
  access-list portal extended permit ip host 10.1.xx.34 192.168.20.0 255.255.255.0
  access-list portal extended permit ip host 10.1.yy.33 192.168.20.0 255.255.255.0
  access-list portal extended permit ip host 10.1.yy.34 192.168.20.0 255.255.255.0
  You can configure a vpn-filter ACL like below:
  access-list VPNF extended permit udp 10.1.yyy.33 eq 53 192.168.20.0 255.255.255.0
  and then apply this VPNF access-list under the group-policy "portal" using the command vpn-filter value VPNF. Let me know if this helps.
  Regards,
  Prapanch

• Cisco Ironport Email Security inline with Microsoft Forefont

  Hi,
  We are going to deploy Cisco C370 Email security appliance as new email relay in our DMZ. Currently Microsoft Forefont is already doing the same functionality and new Ironport email security appliance will be added as 1st layer of email security. 
  I would like to know what are the changes that we should consider in this deployment in order to forward mail to Forefont, is there any specific configuration on both products and what is the best method of deployment etc.
  Also I would appreciate if there is any Cisco/Microsoft documentation available for such deployment senario.
  thanks in advance.

  Hello pemasirid,
  as far as I can see from your description is that you add the ESA C370 as an additional gateway, so I would say there is little you need to change in your current network design. As this is all about SMTP getting forwarded, you basically just need to take care of the following things:
  On Forefront: Allow injections from the ESA(s) and forward all outbound messages to the ESA
  On the ESA(s): Insert the Forefront IPs into the RELAYLIST of the private listener to allow outbound messages. Also set up an SMTP route to forward inbound messages to the Forefront server.
  Also change public DNS to point to the public IPs of the ESAs, in case they are different from what you have used before
  A good starting point for deploying would be the Quickstart Guide for C370, that you can find in the support section for email security on Cisco.com. Also, the user guide, which is also available on the GUI of every email appliance (GUI: Help and Support -> Online Help).
  Hope that helps,
  Andreas

• Email security and AMP ( Sourcefire ) integration

  Hi,
  According to public release from cisco :
  http://newsroom.cisco.com/release/1354516/Cisco-Adds-Advanced-Malware-Protection-to-Web-and-Email-Security-Appliances-and-Cloud-Web-Security?utm_medium=rss
  There is now integration of AMP into the email and web appliance. I cannot find any information regarding versions or licenses needed to take advantage of this functionality. If customer is sitting on a Sophos license today for example, will AMP be an addon or replacement of this license ?
  Any info is appreciated.

  Hi Daniel,
  We announced the software integration at RSA last week. It will be available as a feature in the next 2 to 4 weeks as FCS code (First Customer Ship.) It will be a separate software license for the cloud inspection and a separate license for the cloud sandboxing. It will not be included in any existing licenses. This is the upcoming 8.5.5 version of AsyncOS.
  In the mail pipeline it will come after Anti-Spam and Anti-Virus engines and before Content Filters and Outbreak Filters. You will be able to do Content Filter inspections and actions based on AMP results.
  Also at RSA we announced the integration of Web Categorization and Web Reputation technology from the WSA into the ESA. This will be included as part of the Outbreak Filters license. Web Reputation is embedded into the anti-spam engine and Outbreak Filters. Web Categorization is available as a condition and as an action in Content Filters. You can do actions such as defang, re-write to Proxy, or replace URL with text or any other Content Filter action such as drop or quarantine messages with Adult or Pornographic category URLs. This is the 8.5.0 version of AsyncOS and is available today as FCS code.
  Please work with Cisco TAC to have your devices provisioned for 8.5.0 FCS code if you wish to test.
  Thanks,
  Raymond Jett
  Technical Marketing Engineer
  Email Security Products

• Email Security Plug-in - Doesn't seem to work with right click or save and send

  I've searched the knowledge base but have not located the answer yet.
  We have the Encrypt Message plug-in installed to flag the email [SEND SECURE].  This works very well when in Outlook.  It does not seem to work when right clicking a file to send outside of Outlook or performing Save and Send from within Microsoft Office.  The add-in still shows and users are clicking it and the Send button but the emails are not going securely.  We are on Microsoft2010 on mostly XP machines.
  How can I get Encrypt Message to work in all instances?
  Thank you.
  Starla

  Andreas
  I am getting an error.  See below for what I'm choosing and the response.  let me know if I'm supposed to be trying to download from another area.
  Thanks
  Starla
  Email Security Plug-in - Doesn't seem to work with right click or save and send
  Cisco IronPort Email Security Appliance C370
  Release:IPAS
  Filename: CiscoEmailSecurity_7-2-0-039.exe
    Remove
  Details
  Release
  IPAS
  Filename
  CiscoEmailSecurity_7-2-0-039.exe
  Release Date
  25/Oct/2011
  Description
  Cisco IronPort Email Security Plug-in (Outlook)
  Size
  32541.84375 KB (33322848 bytes)
  Router Checksum
  0x553f
  MD5
  f0c864697d9e1a3e8f5297062943ac50
  Email Security Plug-in - Doesn't seem to work with right click or save and send
  Save the device to 'My Added Devices' list
  More Info
  'My Added Devices' list could be found by: 1. Clicking on 'My Cisco' Tab and expanding
      the 'Added Devices' section. 2. Selecting any task specific product
     selector and clicking on 'My Added
      Devices' in left pane.
  Email Security Plug-in - Doesn't seem to work with right click or save and send
  Set Cisco Notification Alert
  More Info
  All 'Cisco Notification Alerts' list could be found
  by: 1. Clicking on 'My Cisco' Tab and expanding
      the 'Support Notifications' section.
  Cisco service contract information indicates you are not authorized to download software for the following product(s):
  Cisco IronPort Email Security Appliance C170
  Cisco IronPort Email Security Appliance C370
  Cisco IronPort Email Security Appliance C650
  To download software for other product(s), remove the software for the product(s) listed above.
  Or, if you feel this message is in error, please:
  1. Email technical support for 24x7 assistance. To expedite your request, please include the following information:
           User ID (Cisco.com ID used to download software)
           Contact Name
           Company Name
           Contract Number
           Product ID
           Desired Software Release or File Name
  2. Contact your Cisco Representative, Partner or Reseller to ensure product(s) listed above are covered on a service contract. The Partner Locator link may assist in locating your nearest partner.
  3. Associate contracts for those products to your Cisco.com profile using the Instructions found in Profile Manager. After you submit your additional contracts, verification and updates may take up to 6 hours to complete.

• Encryption is now part of the Email Security forum

  With the release of AsyncOS 5.5.0 for Email, the encryption feature is integrated into the Email Security Appliance. We've integrated the Encryption forum into the Email Security forum to reflect this change.

  Setting up encryption to be applied to outbound email that gets relayed through the Ironport appliance is quick and straight-forward. In a matter of minutes, you can get this feature up and running. Contact Ironport technical support if you have any questions or comments on how to use the encryption feature.
  With the release of AsyncOS 5.5.0 for Email, the encryption feature is integrated into the Email Security Appliance. We've integrated the Encryption forum into the Email Security forum to reflect this change.