Content filter on Cisco Email Security Virtual Appliance

Dear friends,
I have a problem with the Content Filter when configuring the Cisco Security Virtual Appliance.
You can see my rule in the attached picture.
But when I sent an email with the subject "RE: Nh? m? case l?i k?t n?i t? KH qua firewall Checkpoint", it was blocked by the Content Filter "DenySubject".
I'm sure that my dictionary doesn't contain any word from this subject.
Capture 3 was taken in the Policy Quarantine.
Please help me solve it ASAP.
Thanks so much.
Vinh Phan

It is not an issue with the virtual ESA. Using my vESA, I get the same results using your "denysubject.txt" as the custom dictionary...
Tue Jun 10 22:53:37 2014 Info: ICID 96 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS rfc1918
Tue Jun 10 22:53:37 2014 Info: Start MID 58 ICID 96
Tue Jun 10 22:53:37 2014 Info: MID 58 ICID 96 From: <[email protected]>
Tue Jun 10 22:53:37 2014 Info: MID 58 ICID 96 RID 0 To: <[email protected]>
Tue Jun 10 22:53:37 2014 Info: MID 58 Message-ID '<[email protected]>'
Tue Jun 10 22:53:37 2014 Info: MID 58 Subject 'RE: Nh? m? case l?i k?t n?i t? KH qua firewall Checkpoint'
Tue Jun 10 22:53:37 2014 Info: MID 58 ready 7764 bytes from <[email protected]>
Tue Jun 10 22:53:37 2014 Info: MID 58 matched all recipients for per-recipient policy mygmail_inbound in the inbound table
Tue Jun 10 22:53:37 2014 Info: MID 58 quarantined to "Policy" (content filter:DenySubject)
Tue Jun 10 22:54:36 2014 Info: ICID 96 close
Reviewing the contents --- one line is the culprit:
[NuocVIET], 1
Remove that one entry, and the dictionary works.
Tue Jun 10 23:34:19 2014 Info: New SMTP ICID 117 interface Management (172.16.6.165) address 172.16.6.1 reverse dns host unknown verified no
Tue Jun 10 23:34:19 2014 Info: ICID 117 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS rfc1918
Tue Jun 10 23:34:19 2014 Info: Start MID 91 ICID 117
Tue Jun 10 23:34:19 2014 Info: MID 91 ICID 117 From: <[email protected]>
Tue Jun 10 23:34:19 2014 Info: MID 91 ICID 117 RID 0 To: <[email protected]>
Tue Jun 10 23:34:19 2014 Info: MID 91 Message-ID '<[email protected]>'
Tue Jun 10 23:34:19 2014 Info: MID 91 Subject 'RE: Nh? m? case l?i k?t n?i t? KH qua firewall Checkpoint'
Tue Jun 10 23:34:19 2014 Info: MID 91 ready 4505 bytes from <[email protected]>
Tue Jun 10 23:34:19 2014 Info: MID 91 matched all recipients for per-recipient policy mygmail_inbound in the inbound table
Tue Jun 10 23:34:19 2014 Info: MID 91 queued for delivery
Tue Jun 10 23:34:19 2014 Info: New SMTP DCID 39 interface 172.16.6.165 address 173.37.93.161 port 25
Tue Jun 10 23:34:19 2014 Info: DCID 39 TLS success protocol TLSv1 cipher RC4-SHA 
Tue Jun 10 23:34:20 2014 Info: Delivery start DCID 39 MID 91 to RID [0]
Tue Jun 10 23:34:20 2014 Info: Message done DCID 39 MID 91 to RID [0] 
Tue Jun 10 23:34:20 2014 Info: MID 91 RID [0] Response '2.0.0 s5B3YLna030140 Message accepted for delivery'
Tue Jun 10 23:34:20 2014 Info: Message finished MID 91 done
Tue Jun 10 23:34:25 2014 Info: DCID 39 close
I hope this helps!
-Robert
(*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

Similar Messages

  • Cisco Web Security Virtual Appliance Demo license?

    Is there a demo license available to test Cisco Web Security Virtual Appliance?
    Regards.

    Thank you so much Kasper! You are an angel fallen from heaven!
    Just one question: when I am ready to get the license, the following information appears. Do you know if the number 1 in the Qty column means one demo for just one user, or can I get one demo for many users?
    Regards!
    SKU Name: WSA-WSP-45D
    Qty: 1
    Ordered: 1
    Available: 1
    Quantity Added: 1
    License Start Date: 03/13/2014
    License End Date: 04/27/2014

  • Cisco Email Security Appliance (ESA) - Reporting

    In previous versions on ESA you could export data and reports in CSV formats using an API. Is that still available?
    From the following document:
    IRONPORT ASYNCOS 6.4 REPORTING API FOR IRONPORT APPLIANCES
    REPORTING API OVERVIEW
    The Reporting API feature allows you to download the same data collected by the Email Security Monitor component of the IronPort Email Security appliance or Security Management appliance in a comma separated value (CSV) format. This format allows users to integrate the IronPort appliance's data gathering capabilities into other IT and business reporting systems. 
    DOWNLOADING REPORTING DATA
    You can retrieve the data used to build the charts and graphs in the Email Security Monitor feature via HTTP. This is useful if you plan to perform further analysis on the data via other tools. The data is available in standard comma separated value (CSV) format. The easiest way to get the HTTP query you will need is to configure one of the Email Security Monitor pages to display the type of data you want. You can then simply click the Export... link to initiate the download process.

    It went away, there's a new one (RESTful) in 9.0/9.1
    http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa9-0/ESA_API_1-0_Getting_Started_Guide.pdf

  • BUG #CSCur27131 - Evaluation of CVE-2014-3566 on Cisco Email Security Appliance

    I have raised a support case with TAC to try and get more information on the preferred config as well as what ciphers then become available. Points raised in the support case are as follows:
    Current config based on the existing article pre-POODLE > MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH
    Should the new config be > MEDIUM:HIGH:-SSLv2:-SSLv3:-aNULL:@STRENGTH
    Use of strength means that the ciphers are ordered and presented strongest to weakest, as negotiation should occur at the first mutually accepted cipher.
    What are the TLSv1 ciphers used by IronPort? (Verifying under the sslconfig CLI appears only to list SSL ciphers.)
    Finally, does the IronPort support, or plan to support in the future, TLSv1.1 and TLSv1.2 ciphers?
    The response from TAC so far is the same as the referenced article - https://tools.cisco.com/bugsearch/bug/CSCur27131 - which doesn't address all my points.
    Paul

    Negating SSLv2 and SSLv3 in the cipher suite has no effect as long as only TLSv1 is enabled.
    And reordering ciphers by strength won't bring anything since the client's ciphers order will always be preferred.
    Also, MD5 should be disabled as it's widely considered too weak for the job.
    My recommendation would be to use the following suite > HIGH:MEDIUM:!aNULL:!MD5
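To see what a cipher string actually selects before putting it on an appliance, here is an added Python example (not from the thread or from Cisco) that asks the local OpenSSL, through the standard ssl module, which ciphers the recommended string HIGH:MEDIUM:!aNULL:!MD5 enables, groups them by protocol version, and checks that none of them use MD5 or anonymous key exchange. The marker list and the check functions are this example's own assumptions; the exact cipher set depends on the OpenSSL build Python is linked against.

```python
import ssl

# The suite recommended in the reply above.
RECOMMENDED = "HIGH:MEDIUM:!aNULL:!MD5"

# Substrings of OpenSSL cipher names that the recommended policy must exclude:
# MD5-based MACs and anonymous key exchange (ADH-/AECDH- names). Constructed
# for this example; extend it if your policy forbids more (e.g. RC4).
FORBIDDEN_MARKERS = ("MD5", "ADH-", "AECDH-")


def negotiable_ciphers(spec):
    """Return the cipher names OpenSSL would offer for a cipher string.

    Raises ssl.SSLError if the string selects no cipher at all, which is the
    failure mode of a typo such as a missing ':' between keywords.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers()]


def ciphers_by_protocol(spec):
    """Group the offered ciphers by the protocol version OpenSSL reports for
    them, which answers the thread's question of what each TLS version gets."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    groups = {}
    for cipher in ctx.get_ciphers():
        groups.setdefault(cipher["protocol"], []).append(cipher["name"])
    return groups


def policy_violations(names):
    """Cipher names that still carry a forbidden marker."""
    return [n for n in names if any(marker in n for marker in FORBIDDEN_MARKERS)]


def check_spec(spec):
    """Summary a reviewer can assert on: how many ciphers, and which violate."""
    names = negotiable_ciphers(spec)
    return {"count": len(names), "violations": policy_violations(names)}


if __name__ == "__main__":
    for proto, names in sorted(ciphers_by_protocol(RECOMMENDED).items()):
        print(proto, len(names), "ciphers, first:", names[0])
    print(check_spec(RECOMMENDED))
```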

  • Demo License key issue in Cisco Content Security Management Virtual Appliance

    Hi,
    I have installed a Cisco Content Security Management Appliance for customer evaluation. I have downloaded the 45-day demo license key but am unable to update the license key in either the GUI or the CLI. I have referred to the installation guide and the user guide, but they did not help at all.
    Snapshot from GUI

    I would suggest re-copying and pasting the XML license, as most likely you have extra white space that is causing the malformation when pasting/loading. If using Windows, try to avoid using WordPad and use Notepad++ or similar.
    http://www.cisco.com/c/en/us/support/docs/security/email-security-virtual-appliance/118301-technote-esa-00.html
    -Robert

  • Ask the Expert: Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features)

    With Namit Agarwal and Rahul Govindan 
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features) with experts Namit Agarwal and Rahul Govindan.
    This is a continuation of the live webcast.
    Cisco ASA CX (Context-Aware) is a next generation firewall service that serves as an extension to the Cisco Adaptive Security Appliance (ASA) firewall platform. In addition to the proven stateful inspection firewall capabilities, it provides us with next-generation capabilities and a host of additional network-based security controls for end-to-end network intelligence and streamlined security operations.
    Namit Agarwal is a customer support engineer at the Cisco Technical Assistance Center in Bangalore, India. He has more than four years of experience in the security domain. His areas of expertise include ASA firewalls, IPS, and ASA content-aware security (ASA CX). He has been involved in various escalation requests from around the world. He holds CCIE certification (number 33795) in security.   
    Rahul Govindan has been an engineer with the Security Technical Assistance Center team in Bangalore for more than three years. He works on security technologies such as VPN; Cisco ASA firewalls; and authentication, authorization, and accounting. His particular expertise is in Secure Sockets Layer VPN and IP security VPN technologies. He holds CCIE certification (number 29948) in security.
    Remember to use the rating system to let Namit and Govindan know if you have received an adequate response. 
    Because of the volume expected during this event, Namit and Govindan might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity VPN shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
    Webcast related links:
    Slides from the live webcast
    Video Recording of the live webcast
    Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features): FAQ from live webcast

    Hello Namit and Rahul,
    Here are a few questions that came in directly during your live webcast; I am posting them here so that users can benefit:
    1) How is ASA CX different from other UTM solutions?
    2) How is dynamic application inspection of CX better than other inspection engines?
    3) What features or functionalities on the CX are available by default?
    4) What are the different ways we can run or install CX on the ASA platform?
    5) What VPN features are supported with multi-context ASA in the 9.x release?
    6) What are the IPv6 enhancements in ASA version 9.x?
    I request you to please provide your responses to them individually.
    Thanks.

  • Cisco IronPort Email Security inline with Microsoft Forefront

    Hi,
    We are going to deploy a Cisco C370 Email Security Appliance as the new email relay in our DMZ. Currently Microsoft Forefront is already doing the same function, and the new IronPort Email Security Appliance will be added as the first layer of email security.
    I would like to know what changes we should consider in this deployment in order to forward mail to Forefront, whether there is any specific configuration on both products, what the best method of deployment is, etc.
    I would also appreciate it if there is any Cisco/Microsoft documentation available for such a deployment scenario.
    Thanks in advance.

    Hello pemasirid,
    As far as I can see from your description, you are adding the ESA C370 as an additional gateway, so I would say there is little you need to change in your current network design. As this is all about SMTP getting forwarded, you basically just need to take care of the following things:
    On Forefront: Allow injections from the ESA(s) and forward all outbound messages to the ESA
    On the ESA(s): Insert the Forefront IPs into the RELAYLIST of the private listener to allow outbound messages. Also set up an SMTP route to forward inbound messages to the Forefront server.
    Also change public DNS to point to the public IPs of the ESAs, in case they are different from what you have used before
    A good starting point for deploying would be the Quickstart Guide for C370, that you can find in the support section for email security on Cisco.com. Also, the user guide, which is also available on the GUI of every email appliance (GUI: Help and Support -> Online Help).
    Hope that helps,
    Andreas

  • Should the Cisco Content Engines be used as a proxy appliance

    Should the Cisco Content Engine be used as a proxy appliance like a Blue Coat appliance, Squid cache engine, ISA server, etc.?
    I am pretty sure it can, but I just need some feedback on past experiences. The customer would like to buy a Cisco product for web filtering/proxy.
    Or is it strictly used to help with web-based applications?

    Hi,
    The CE is basically able to check every request it supports. If you are using 3rd-level products like SmartFilter, Websense or WebWasher, you can use the features of those products to suppress/forbid certain requests (i.e. MSN etc.).
    Kind Regards,
    Joerg

  • About CPU utilization value of ironport C370 email-security-appliance

    Hello all,
    What is the normal / abnormal value for the following parameters of ironport C370 email-security-appliance ?
    total active recipients
    active messages in work queue
    CPU utilization

    Each appliance would be a little different based on the expected mail processing, throughput for your environment/domains... and then throw in which processes you have turned up (IPAS, AV, VOF, etc.)...
    Typical C370 (running 8.0.1) should be able to handle:
    1. ~18 +/- recipients/sec
    2. average workqueue ~ 462 
    3. average CPU utilization of ~ 91%
    The #s vary, again, based on what you have enabled and licensed.  You would be well suited to open a dialog with your Sales Ops/Account team, as they have means to determine the proper numbers and outcomes for your environment.
    I hope this helps!
    -Robert
    (*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

  • SunBlade 100 to Cisco PIX Security Appliance

    I have a problem connecting a SunBlade 100 workstation to the console ports of both a Cisco router and the Cisco PIX Security Appliance. This should be done out of the serial port of the SunBlade 100 workstation.
    I have tried to use the UNIX command tip hardwire. No luck connecting to the console port. I also tried to use the UNIX cu command; again, no response from the console port. I tried connecting a modem temporarily to the SunBlade 100 workstation and was successful in echoing a phone number to the modem. However, I need to use a direct connection from the SunBlade 100 workstation.
    Currently, Windows 2000 workstations are used with
    Hyperterminal to connect to routers and the PIX Security Appliance. I have 24 SunBlade workstations in my classroom and need to use them to connect to the console port on Cisco routers, and the PIX Security Appliance. I would appreciate any help anyone might be able to give on this subject.

  • Restricting email recipient domain with content filter

    Gents,
    I am looking to restrict the email recipient domain to two with the help of a content filter instead of using the RAT table.
    Please help me out.

    I understand that you want mail to be rejected for all but 2 Recipient users/domains.  You also want to declare the users/domains via a Filter instead of in the RAT.  This is not recommended, here is why:
    - If you set the RAT to  'All Other Recipients' to 'Accept', other hosts may believe the ESA is an 'Open Relay' and may refuse mail from its IP.
    - Bouncing mail after acceptance can cause 'backscatter' emails.  This is where a mail server redistributes spam via bounces and it will cause some hosts to reject your mail.
    - If done incorrectly, it can cause valid mail to bounce.
    - If done incorrectly, can make your ESA an Open Relay that can be abused by others.
    If you still wish to proceed knowing the above risks, here are the high-level steps:
    1) Set 'All Other Recipients' to 'Accept' in RAT
    2) Create a new Incoming Mail Policy
     - Add the valid users and/or domains to this new Policy
    3) Create new Incoming Content Filter:
     - Rule: leave empty
     - Action: Bounce
    4) Disable all scanning on Default Incoming Mail Policy
    5) Apply the new Filter to the Default Incoming Mail Policy
    6) Verify that the new Incoming Mail Policy has appropriate scanning enabled
    This method works by accepting all mail sent to the ESA, even if it is for a domain you do not control or for an invalid recipient for a domain you do control.  When the messages reach the Incoming Mail Policies, valid recipients will match on the new Policy while every other address matches the Default Incoming Mail Policy.  Using the Policies in this way is required so that the message is 'splintered' before processing through most scanning features.  Now only users/domain that do not match your new Policy will be Bounced by the Content Filter.
    Again, I wish to stress that I do _not_ recommend this approach: it is far safer to simply list the valid users or domains directly in the RAT.
    - Jackie

  • Warning System spameater Unable to connect to Cisco Web Security Service.; URL Filter...

    My C670 ESA's have been throwing these alerts intermittently for the past few days, anyone else seeing them?
    The Warning message is:
    Unable to connect to Cisco Web Security Service.
    URL Filtering will not work correctly.
    Please verify all network, proxy and firewall settings.
    Connection to "v2.sds.cisco.com" failed.
    The last error seen on this connection: "Request failed with code: 28 (Connection time-out)"
    Version: 8.5.6-092
    Looks like it is open on port 443 and currently up.  Hitting it with a browser gives me:
    https://v2.sds.cisco.com/
    After an error or two they go away and appear OK.   
    Checking the logs I don't see a way to verify URL lookups are working, is there a way?
    Also, I setup URL filtering six months ago and had it set to only trigger on (-10)-(-9.5) and saw about an 80% false positive.  It has improved over the past six months drastically but still catching mostly advertising URLs and allowing all phishing URLs right through.  I've yet to see it block a phishing URL.
    Jason

    After lots of trial and error, I was able to eliminate this problem.  What I wound up doing is defining the XE service again in the listener.ora file:
    SID_LIST_LISTENER =
      (SID_LIST =
        (SID_DESC =
          (SID_NAME = XE)
          (ORACLE_HOME = C:\ProgramData\oraclexe\app\oracle\product\11.2.0\server)
        )
      )
    I know that typically you should not have to do this, especially since I already had defined DEFAULT_SERVICE_LISTENER = (XE) at the bottom of the listener.ora file.  Explicitly defining the XE service in the listener.ora file allows the listener to find it while the system is running under the Cisco AnyConnect VPN.  The only hiccup I found by doing this is that the XE service is discovered twice by the listener when the system is NOT running under the Cisco AnyConnect VPN.  It still works OK.  The listener just seems to ignore the repeated definition of the XE service (see output below):
    C:\ProgramData\oraclexe\app\oracle\product\11.2.0\server\bin>lsnrctl service
    LSNRCTL for 32-bit Windows: Version 11.2.0.2.0 - Production on 13-JUN-2013 10:03:15
    .......(omitted output).......
    Service "XE" has 2 instance(s).
      Instance "XE", status UNKNOWN, has 1 handler(s) for this service...
        Handler(s):
          "DEDICATED" established:0 refused:0
             LOCAL SERVER
      Instance "xe", status READY, has 1 handler(s) for this service...
        Handler(s):
          "DEDICATED" established:0 refused:0 state:ready
             LOCAL SERVER
    Service "XEXDB" has 1 instance(s).
      Instance "xe", status READY, has 1 handler(s) for this service...
        Handler(s):
          "D000" established:0 refused:0 current:0 max:1022 state:ready
             DISPATCHER <machine: DEV-M-137GF, pid: 5544>
    (ADDRESS=(PROTOCOL=tcp)(HOST=DEV-M-137GF.paychex.com)(PORT=58257))
    The command completed successfully
    If anyone has a cleaner solution for this problem, please let me know.  Otherwise, I am moving forward with what I did.
    Thanks.....Paul

  • Cisco ISE Virtual Appliance HyperV Support

    Hi,
    ISE Virtual Appliance Supports VMWare ESXi as Hypervisor. Is there any Plan on the roadmap that ISE will be supported on HyperV (or possibly XEN) in the future, because some customers don't have VMWare but using only HyperV.
    The same question may be for other Virtual Appliances as well such as vWAAS, vASA etc.
    Best Regards,

    David,
    There is currently no documentation on this process.  This is not a supported installation/upgrade/migration path so, therefore, any documentation would be third party, prepared by the partner or end user that has done this.
    If you're starting from a VM, you have the wrong approach.  You'll want to install from .iso for best results.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Securing a VNMC virtual appliance

    Is it possible to configure the VNMC Virtual Appliance to restrict incoming traffic? For example, allow incoming connections on port 443 from a specified collection of IPs.

    This is of course done through VSG and/or CSR/ASA1000v etc.

  • Email security and AMP ( Sourcefire ) integration

    Hi,
    According to the public release from Cisco:
    http://newsroom.cisco.com/release/1354516/Cisco-Adds-Advanced-Malware-Protection-to-Web-and-Email-Security-Appliances-and-Cloud-Web-Security?utm_medium=rss
    There is now integration of AMP into the email and web appliance. I cannot find any information regarding versions or licenses needed to take advantage of this functionality. If customer is sitting on a Sophos license today for example, will AMP be an addon or replacement of this license ?
    Any info is appreciated.

    Hi Daniel,
    We announced the software integration at RSA last week. It will be available as a feature in the next 2 to 4 weeks as FCS code (First Customer Ship.) It will be a separate software license for the cloud inspection and a separate license for the cloud sandboxing. It will not be included in any existing licenses. This is the upcoming 8.5.5 version of AsyncOS.
    In the mail pipeline it will come after Anti-Spam and Anti-Virus engines and before Content Filters and Outbreak Filters. You will be able to do Content Filter inspections and actions based on AMP results.
    Also at RSA we announced the integration of Web Categorization and Web Reputation technology from the WSA into the ESA. This will be included as part of the Outbreak Filters license. Web Reputation is embedded into the anti-spam engine and Outbreak Filters. Web Categorization is available as a condition and as an action in Content Filters. You can do actions such as defang, re-write to Proxy, or replace URL with text or any other Content Filter action such as drop or quarantine messages with Adult or Pornographic category URLs. This is the 8.5.0 version of AsyncOS and is available today as FCS code.
    Please work with Cisco TAC to have your devices provisioned for 8.5.0 FCS code if you wish to test.
    Thanks,
    Raymond Jett
    Technical Marketing Engineer
    Email Security Products
