Help me in ironport

Hello all,
I have a Cisco 2900 router; this is the Internet router.
After the router, an ASA 5540 is connected directly,
and that is connected to a Cisco switch, and I have TMG 2010 and Exchange 2010.
I plan to install an IronPort C170.
The IP for the router is 192.168.1.1/24
and the IP for the ASA outside interface is 192.168.1.2/24.
IP address for the ASA: 192.168.193.2/24
IP address for TMG: 192.168.193.3/24 (external network)
and internal IPs:
10.28.64.0/24
The whole network accesses the Internet via proxy server 10.28.64.1:8080.
On the ASA I made an access list for Exchange: 443,
587 port and 80.
Where can I put the IronPort, and the IP address for the Data 1 interface and Data 2? And
I need to configure it as a spam filter only.
Please, I want all the steps in this scenario.

Hello Mohamed,
Basically, what you need to do is to run the setup wizard and configure all host settings, receiving domain, and your destination Exchange server there. Then enable antispam (Security Services -> Antispam) and activate it in your inbound mail policies (Mail Policies -> Incoming Mail Policies). As you are using a proxy for internet access, this needs to be included in your update settings as well, in order for the antispam engine to receive updates.
Security Services -> Update Service Updates -> Edit Update Settings -> Proxy Servers
Also do not forget to commit your changes once you are done with everything.
Hope that helps,
Andreas

Similar Messages

  • C150 The case application tried and failed 3 times...

    Hi All,
    Requesting some help with the IronPort C150 Alert below. Thanks for any suggestions, pointers, or experience you can provide regarding this issue.
    The Warning message is:
    The case application tried and failed 3 times to successfully complete an update. This may be due to a network configuration issue or temporary outage.
    Version: 7.5.1-102
    Thank you,
    --Liko

    Hi again,
    Luckily I found this post which was not located using the search utility.
    'CASE updates incorrectly timeout on 1U appliances'
    --Liko

  • I have a Cisco IronPort C170, I want to set up URL redirect. But I don't know how to. Can you help me?

    I have a Cisco IronPort C170, I want to set up URL redirect. But I don't know how to. Can you help me?

    The C170 does not support URL redirection prior to OS release 8.5. What exactly do you need to accomplish?

  • Help needed implementing an IronPort S160

    Hi all,
    We have received a Cisco IronPort S160 to trial but implementing it into my network is confusing me.
    1) How do I activate/enable port P2 to be the WAN port?
    2) Why can the S160 only be used as a transparent proxy with a layer 4 switch or WCCP router? We do not possess any of these devices and don't want to have to add proxy information into all users PC's (as with explicit proxying). Previous ZyXEL and FortiGate devices we have owned allowed transparent proxying without such necessities. Is there a work-around?
    Thanks in advance.
    Elliot

  • Ironport C160 Don't know what this error is or how fix it. Please Help....

    This error has been sent to my inbox for a few days now. I rebooted the appliance and it was fine for a day, and now it's doing it again. If I were to take it as it reads it seems like the OS is messed up.
    An application fault occurred: ('aplib.oserrors.pyx aplib.oserrors.map_exception (aplib/aplib.oserrors.c:463)|28', "<class 'aplib.oserrors.ENFILE'>", '[Errno 23] Too many open files in system', '[heimdall/child.py _watchdog|1179] [heimdall/child.py _do_watchdog|1189] [heimdall/child.py _run_watchdog|1208] [egg/coro_process.py capture|80] [egg/coro_process.py spawn_job_bg|221] [_process.pyx _process.spawn_job_bg (_process.c:1842)|236] [_process.pyx _process.spawn_job_bg (_process.c:1793)|233] [_process.pyx _process._spawn_job_bg (_process.c:1975)|249] [pyrex_helpers.pyx _process.raise_oserror (_process.c:627)|12] [aplib.oserrors.pyx aplib.oserrors.map_exception (aplib/aplib.oserrors.c:463)|28]')

    When I tried to search this last week there was nothing about it, but it seems now there is.
    https://supportforums.cisco.com/thread/2187682?tstart=5

  • Critical error: MID 25342101 antivirus server error from ironport c350. please help me resolve this issue

    The Critical message is:
    MID 25342101 antivirus server error
    Version: 6.1.0-301

    Hi Sobha Dev.,
    the issue is related to the Sophos AV engine. Particular messages can cause an internal Sophos error. The issue has been fixed in newer versions of Sophos. Since you are running on EoL version 6.1 you should upgrade to a supported version which will include an updated Sophos version including the fix. The latest AsyncOS version is 7.6.1 which has Sophos 4_84.
    Regards,
    Enrico

  • IronPort DLP Policy Help

    Hello Everyone.
    I am after some advice. We are currently implementing the DLP Policy engine for all of our Outbound messages, and have had very good success with some of the policies, but there is one that is not producing the results that we would have expected.
    The Transmission of Contact Information policy based on the description "Identifies email transmissions that contain contact information, such as employee or customer names, addresses or email addresses."
    However we are finding that it is not picking up customer data, it is just picking up email signatures.  We have made changes to which severities it blocks (Critical only) but it doesn't seem to make a difference.
    We have it as the last Policy to be applied, so it may be that other policies are picking things up before this, but we can't turn it to block if it is going to stop emails based purely on the signature.
    Has anyone else out there had similar issues or advice for this?

    Andreas
    Thanks for that, I was hoping this was the case. However I am now confused.
    When we set up the DLP Policies originally, we wanted to ensure that emails that were being sent securely were excluded from any DLP scanning. To that end we set up a content rule that inserts a Message Tag.
    We then setup a DLP Rule called DLP Ignore that Filters Messages if the tag is present and looks for the message tag we added in the rule.  Based on what the support engineer was telling us this had to be the first rule as DLP works on a first match only.
    Based on what you have told me I would therefore expect that if a message contained a Credit Card number and relevant details and therefore triggers the PCI-DSS policy that then bounces the message, even if it was marked as being sent securely and had the Message Tag added, then the message should be bounced as "Bounce" is more restrictive than "Deliver".
    Unless of course the "Filter Message Tags" option does something that overrides the fact that the message should be scanned by the other policies.
    Thanks

  • Ironport Whitelist and related questions

    Hi all,
    I have recently started at a new position for a company that is utilising ironport as the email spam filtering/virus checking appliance.
    Almost immediately after starting in my position issues were being discussed, where the senderbase reputation scoring was marking a sister company's mail as spam - obviously due to a bad reputation.
    It was important that these mails were delivered and the obvious answer seemed to be to whitelist the domains, which was implemented by another support person. After the whitelist setting was applied though the mails were still being rejected due to being suspected spam - there is no quarantine set up.
    Today I logged into the boxes to see if I could syslog the mail logs to a separate linux server and suddenly got wrapped up in this problem. I had a look and could see the domains in the whitelist section within the HAT, after doing some reading I can confirm the whitelist section was ordered as being number 1 in the list and by looking further it looks like the whitelist domains were added via the 'add to sender group' button within the monitoring overview screens (this is assumed as both .sistercompany.com and sistercompany.com were appended to the whitelist).
    After a few hours of reading up I couldn't understand why the whitelist wasn't working, I even did a lookup of the domain in the monitoring overview search section for mail received by sistercompany.com and could see that it belonged in the whitelist group. I got further confused when reading the help and support guide - it had screenshots that looked very similar to our setup [within the HAT overview and Mail Policies], however it had an sbrs for the whitelist set between 6 and 10, whereas that was blank on our system, nowhere in the document would it describe why this sbrs value was set. Bearing in mind I have only had a few hours of experience with this product, so these may be silly questions but:
    Why would you add an sbrs value to the whitelist - I would have thought whitelists would ignore any score presented.
    If number 1 has nothing to do with why these domains were still being flagged as spam, has anyone got any suggestions as to what the issue may be?
    For a small bit of information we have the C660 appliances installed.
    Any help would be much appreciated

    I'm taking a wild guess here since there are a lot of missing details. Forgive me if I'm covering ground you've already trod.
    Remember that the HAT controls how incoming SMTP connections are handled, so entries in the HAT must correspond to the remote SMTP servers that are connecting to you. You don't put the "domain" part of "user@domain" in the HAT ("sistercompany.com" in your case), you put in the domain names of the actual remote SMTP servers or a wildcard that matches them all. In your case, this might be ".sistercompany.com" (note the leading "." indicating that this will match any domain name ending with ".sistercompany.com"), but only if their SMTP servers have host names in that domain.
    Whitelisting by domain name requires that the IP addresses of those remote SMTP servers have correct rDNS. If they don't, you'll have to list them in the HAT by IP address. FYI, we never put anything in the HAT by IP address unless it is unavoidable. Using domain names and requiring correct rDNS forces good DNS hygiene, and also provides a layer of abstraction. The server's address can change, but so long as the DNS is kept up to date we don't have to change our HAT entries.
    You can see from the mail logs what sender group is being applied on each SMTP connection. Find one of the rejected messages in the log and see what sender group its connection landed in. If it didn't land in the whitelist (which will almost certainly be the case, given that the message was not in fact whitelisted), then you know the HAT entry is wrong. You can also use the log to determine the actual domain name of the remote server, assuming the rDNS for its IP address is correct.
    The example screenshot in the manual showing SBRS between 6 and 10 being whitelisted is demonstrating that you can whitelist by SBRS as well as by explicit listing in the sender group. Your whitelist simply isn't doing this, which is fine. In this age of rampant spamming from stolen accounts on reputable servers, whitelisting by SBRS can let spam in. We raised the lower limit from 6 to 8 several years ago after getting hit in this exact way.
    ++Don
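
The check ++Don describes, as an added example (not part of the original thread and not Cisco code): it pairs each connection's rDNS host with the sender group it landed in and tests the whitelist entries against that host. The log line layout is modelled on AsyncOS text mail logs and is an assumption; the sample lines, host names and addresses are constructed.

```python
import re

# Constructed sample lines; layout modelled on AsyncOS text mail logs (assumption).
SAMPLE_LOG = """\
Tue Mar  5 09:14:01 2013 Info: New SMTP ICID 1001 interface Data 1 (192.0.2.10) address 198.51.100.25 reverse dns host mx1.sistercompany.com verified yes
Tue Mar  5 09:14:01 2013 Info: ICID 1001 ACCEPT SG WHITELIST match .sistercompany.com SBRS -2.1
Tue Mar  5 09:15:40 2013 Info: New SMTP ICID 1002 interface Data 1 (192.0.2.10) address 198.51.100.77 reverse dns host out7.mailhost.example verified yes
Tue Mar  5 09:15:40 2013 Info: ICID 1002 ACCEPT SG SUSPECTLIST match sbrs[-3.0:-1.0] SBRS -2.4
Tue Mar  5 09:16:12 2013 Info: New SMTP ICID 1003 interface Data 1 (192.0.2.10) address 203.0.113.9 reverse dns host unknown verified no
Tue Mar  5 09:16:12 2013 Info: ICID 1003 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -6.0
"""

# The two hostname entries the question says were added to the whitelist.
WHITELIST_ENTRIES = [".sistercompany.com", "sistercompany.com"]

NEW_CONN = re.compile(
    r"New SMTP ICID (\d+) interface .*? address (\S+) "
    r"reverse dns host (\S+) verified (\w+)")
SG_LINE = re.compile(
    r"ICID (\d+) (ACCEPT|REJECT|RELAY|TCPREFUSE) SG (\S+) match (\S+) SBRS (\S+)")


def parse_connections(log_text):
    """Join each 'New SMTP ICID' line with the sender-group line for the same ICID."""
    conns = {}
    for line in log_text.splitlines():
        m = NEW_CONN.search(line)
        if m:
            icid, ip, host, verified = m.groups()
            conns[int(icid)] = {"ip": ip, "rdns": host.lower(),
                                "verified": verified == "yes",
                                "action": None, "sender_group": None, "sbrs": None}
            continue
        m = SG_LINE.search(line)
        if m and int(m.group(1)) in conns:
            _, action, group, _rule, sbrs = m.groups()
            conns[int(m.group(1))].update(
                action=action, sender_group=group,
                sbrs=None if sbrs == "None" else float(sbrs))
    return conns


def hat_entry_matches(entry, rdns_host, verified):
    """Hostname matching as described in the reply: it needs correct rDNS,
    '.domain' matches names ending in '.domain', a bare name matches exactly."""
    if not verified or rdns_host == "unknown":
        return False
    entry, host = entry.lower(), rdns_host.lower()
    if entry.startswith("."):
        return host.endswith(entry)
    return host == entry


def diagnose(log_text, entries):
    """For every connection, report its sender group and which entries could match."""
    report = {}
    for icid, c in parse_connections(log_text).items():
        matched = [e for e in entries
                   if hat_entry_matches(e, c["rdns"], c["verified"])]
        if matched:
            note = "hostname entry matches the connecting server"
        elif not c["verified"]:
            note = "no verified rDNS: only an IP entry can match this server"
        else:
            note = "rDNS host is outside the listed domains: entry never matches"
        report[icid] = {"sender_group": c["sender_group"], "rdns": c["rdns"],
                        "matched_entries": matched, "note": note}
    return report


if __name__ == "__main__":
    for icid, row in diagnose(SAMPLE_LOG, WHITELIST_ENTRIES).items():
        print(icid, row)
```

ICID 1002 is the case from the question: mail for the sister company arrives from a relay whose host name is in another domain, so neither whitelist entry applies and the connection falls through to a reputation-based group.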

  • How to get user 'logged in' to ironport web filter without launching IE

    We have an issue with some employees who use third party programs that traverse the Internet.  These programs are 100% allowed by the organization as they are required for day to day business.  Some programs go over the Internet to communicate for certain reasons, such as a live chat help support, or ordering products, etc..
    The problem is that some of these users log in and never even touch Internet Explorer for awhile.  They will go on and start working right away.  Well if they don't try to access an Internet site via IE, then the Ironport does not 'log them in', and they are known as unauthenticated.  Of course this doesn't happen with everyone.  There's nothing wrong with people coming in a little early and checking the local news online.
    We were wondering if it's possible to have each user 'touch' the ironport web filter in some way during a logon script, unbeknown to the end user, so that they are 'signed in' and whatever Internet connected application they launch has access through to the Internet.  Right now they need to at least launch IE and go to some site (say Google or MSN) and via NTLM credentials transparently passed through IE7, 8 or 9, they can simply close the page and go about their business.  Note: they MUST go to an external site.... not an internally hosted one (such as our Intranet, time clock or HR self service pages).
    So are there any commands we can put in via kix or bat or something that will say "Hey Ironport, %username% just logged in at 10.x.x.x".  Then maybe to make it more advanced, a logoff script that says "Hey Ironport, %username% just logged OFF of 10.x.x.x".  This way when our hourly timeout happens, they aren't immediately booted from their Internet applications (if they don't keep an IE window open that is).
    Right now our ASA Firewall uses WCCP to forward port 80 to the ironport web filter.  The Ironport is a transparent proxy.
    Thanks!

    So it looks like you are moving the authentication from the Ironport S160 to the ASA5500 series firewall?
    I guess we are looking at something simpler, like a way to 'touch' the internet and pass NTLM credentials, because then the Ironport knows who the user is.
    If the user does not 'touch' the internet with IE, and say they use some other program that does not pass NTLM credentials (say Firefox or live chat program, or an ftp program, etc...) They are likely to be blocked, because the Ironport doesn't know who they are.
    Your link seems to lead to a complicated setup for something that seems so simple.  I'm not sure how that relates to an Ironport S160.. it seems to focus on the ASA5500. Also we want it to be completely 100% transparent to the end user.
    This is how it worked with a Barracuda web filter appliance...
    A DCAgent program sat on each domain controller. As users logged in or out of the domain, this agent passed this current activity to the Barracuda web filter appliance.
    The Barracuda appliance knew exactly who was logged in because of this little program on the domain controller(s) that kept it updated. Based on this, policies could be assigned based on Active Directory group memberships. ie) HR and Marketing can access Facebook, while others cannot.
    I guess I'm looking for similar functionality with the Ironport S160. If there's any way the domain controller, or even the client PC can say "Hey Ironport, %username% is logged on here at %ip_address%". That way the Ironport would know who they are, and there would be no unnecessary authentication boxes (besides the user logging into the windows domain). They could use internet connected apps that do not pass NTLM authentication. I guess the client PC or the domain controller would also have to tell the IronPort when they signed off, just so we don't have to deal with authentication timeouts. This way, say they are in our internet chat help program... after an hour, it will cut out and disconnect them - because the IronPort forgets who they are (unless they are actively using the internet with IE).
    So for now, we just use the bypass option for the affected internet services.  The default browser is IE, so the reality is that we are not suffering any tremendous inconvenience.  It's just that we want to ensure we have the best robust solution, and we can handle these types of situations with programs other than IE accessing internet resources.

  • Help needed with reporting API

    Hi Guys,
    OK, I have tried many things but I just can't seem to get to grips with the "apireport.pl" tool provided to produce reports.
    I have downloaded a fresh copy from IronPort, only changed the Hostnames and primary_config files as needed, but no matter what I do I get the following error when I run the tool.
    "Argument "--" isn't numeric in addition (+) at C:\Ironport reporting\apireport-1-0\apireport.pl line 264, <CSVFILE> line 2".
    The other thing is that the reports are produced but when you look at it, the pie chart just displays as a single state of all inbound mail being clean.
    Any help or example scripts / config would be appreciated.
    Thanks

    I can now see that the report being produced IS only displaying the data for clean mail, hence the pie chart showing all mail clean. It just isn't displaying any other data but I don't know how to resolve this. When I look at the report's chart there is no data in the fields for anything other than clean mail, so I'm presuming the process either isn't pulling in the data or isn't processing it into the report.
    Any help would be appreciated thanks

  • Unexplained bounce backs from Ironport

    We have a C10 device and last week we received instant bounce backs from the Ironport when trying to send to several different external email addresses at different domains.
    The bounce backs were being generated by our internal Ironport itself instead of the destination email server so it is as if the email never left our company.
    After several days and no configuration changes on the Ironport I sent several test emails to these external domains. They are being received okay without any problems. Can anyone explain what is going on here and how the problem rectified itself?
    Thanks for your help!

    What may be happening:
    It could be that your mail server (e.g. Exchange) handed the mail off to the Ironport appliance, which took responsibility for the message. Then, after any last outbound scanning and appending disclaimers, the Ironport appliance did an MX lookup to deliver the message and then, upon trying to deliver the message to the appropriate destination, the Ironport MTA received an SMTP 5## error code.
    Upon receiving the SMTP 5## error code, the Ironport appliance will consider this undeliverable to the destination and then turn around and bounce it back to the original sender, which may be what you're observing.
    Where to go from here:
    It would be useful if you still have those bounce messages that were generated by the Ironport appliance. You can look up the original sender and intended recipient or subject line through the mail logs and find the corresponding timeframe when the Ironport MTA tried to establish a connection to the destination host. This will show up as an ICID event where the Ironport tried to connect to the destination host. I'm surprised that the bounce message didn't provide some info on the cause of the bounce.
    References:
    1. findevent is a good tool on the command line that you can use to search for messages.
    How can I determine the disposition of a message using the mail logs?
    http://tinyurl.com/jb7z4

  • Cisco IronPort AsyncOS 6.7.6-068 for Management GA Notification

    Cisco is pleased to announce the General Availability (GA) of a new major release of AsyncOS 6.7.6-068 for Management to all customers. This release applies to all our Security Management Appliances (M-Series).
    AsyncOS 6.7.6-068 for Management enables Centralized Tracking and Reporting for the new features introduced in AsyncOS 7.0 for Email.
    New Features and Enhancements in AsyncOS 6.7.6-068 for Management
    New Feature: Centralized support for the reporting and tracking changes in the AsyncOS for Email release 7.0:
    RSA Data Loss Prevention
    Marketing Message Detection
    New Feature: Reporting by ESA Groups
    Enhanced: Domain-Based Executive Summary Report now configurable by:
    Domain of Email Server
    Domain of Email Address
    Fixes in AsyncOS 6.7.6-068 for Management
    Fixed: MemoryError after losing Housekeeper thread [Defect ID: 52048]
    Fixed: The Show Details link results in a timeout [Defect ID: 51558]
    Fixed: Safelist/Blocklist should be exportable via CLI [Defect ID: 43360]
    Fixed: LDAP Query strips spaces [Defect ID: 46099]
    Fixed: Tracking database time does not update after system timezone is changed [Defect ID: 49407]
    Fixed: Application error when accessing Online Help from the End User Spam Quarantine page [Defect ID: 52395]
    This release has gone through our beta program, internal soak tests and is also running in production at our FCS customers.
    Please upgrade at your convenience and let us know how you like this new release!
    Cheers,
    Jakob

    Hi,
    We identified an issue in AsyncOS 6.7.6-068 for Management that under certain circumstances can cause loss of historical reporting data when reporting groups are configured. To ensure a high quality release, further testing on our side is required.
    6.7.6-068 is no longer available for upgrade to your M-Series appliances.
    If you already upgraded to 6.7.6-068 we strongly recommend to disable group based reporting to avoid being affected.
    We expect to release a new improved build of 6.7.6 shortly and apologize for any inconvenience or confusion this might have caused.
    If you are required to upgrade to 6.7.6 before a new build is available, please contact Cisco IronPort Customer Support.
    I'll let you know once the new build is available...
    Best Regards,
    Jakob

  • How to convince Externals IronPort is safe to send confidential emails?

    Please can someone in Cisco help me?
    I need to put together a nice document, preferably with nice graphics if available, to explain that Cisco IronPort is a secure means of sending email data and that IronPort uses industry standard high levels of encryption and just how secure that is.
    This will mean basically that anyone that needs to send a confidential email to me will be able to evaluate how strong IRONPORT is and know they are following good practice and remaining correct to their data policies for transit.
    Please can I have some good links or some already detailed documentation that explains the security of IronPort send secure?

    If data management and persons wishing to be secure regarding the way they send data to their customers or vendors and currently rely on simple password protected files.
    What is more secure? A Word document intercepted with a five character all lower case password or a non password protected Word document but sent over Ironport Encryption Appliance?
    If a Word file with a simple password is intercepted in transit, it would be a security risk compared to this same file being sent with no password and over Cisco's IronPort solution.
    Where is this information?
    How many bits is secure mail, it is HTTPS but that in conjunction with Ironport is how secure.
    How can customers know they can rely on Ironport to both send and receive emails via  “Ironport Encryption Appliance”.
    Please can someone direct me in the correct direction?

  • Nation members - share your feedback on IronPort Anti-Spam!

    IronPort Anti-Spam customers,
    On a monthly basis, we like to collect information on customer satisfaction levels with IronPort’s spam defenses. If possible, please click on the below link and fill out the brief, IronPort survey.
    Benefits include:
    • All respondents are entered into a raffle to receive $100 in cash
    • This survey shouldn’t take more than 1 minute to fill out.
    • The feedback you provide goes a long way in helping us understand customer needs and concerns.
    Please be sure to complete this brief survey by no later than Thursday, June 7th.
    Please DO NOT complete this survey if you are running Brightmail Anti-Spam.
    Thanks in advance!
    Dave Mayer, IronPort Anti-Spam Product Manager
    https://www.surveymonkey.com/s.aspx?sm=w7b1FUslBFlsAPcaSLPTlw%3d%3d

    Who is Dave Mayer? Is this a real invitation from IronPort?

    Hi Pat,
    Dave M. is a product manager here at IronPort, and yes, the survey is real.
    Thanks!
    Garrett (IronPort Technical Publications)

  • Need help in generating L4 Traffic monitor logs

    Hi,
    As a part of my project I need to study different types of logs produced by Cisco IronPort. I could generate some access and authentication logs however not sure about generating the L4 Traffic Monitor logs. Can anyone point me to right documentation that will help me generate those logs?
    Thanks,
    Harshad Kashikar

    Harshad,
    L4 Traffic Monitoring needs to be configured within the IronPort - first question is do you have a SPAN/TAP port set up on your switch to capture L4 traffic?
    Second, I only use this feature to capture information on malware/spyware - I have seen P2P, IRC, and 'phone-home' traffic amongst other things.  Do you have an infected host you can monitor?
    BF
