In Cisco SecureX Threat Response, you can now investigate and apply the following remedial actions on messages processed by your email gateway:. Use this option to configure a content filter to take action on message attachments that match a specific file SHA value in the selected file hash list.
In a clustered configuration, you can now enable smart software licensing and register all the machines simultaneously with the Cisco Smart Software Manager.
After you enable smart software licensing and register your email gateway with the Cisco Smart Software Manager, the Cisco Cloud Services portal is automatically enabled and registered on your email gateway. You can view details of the smart account created in the Cisco Smart Software Manager portal using the smartaccountinfo command in the CLI. Sender Maturity represents the Cisco Talos view of how mature a domain is as an email sender.
Sender Maturity is used to calculate the sender reputation. Immature domains are assigned lower reputation. Cisco Talos recommends you rely on sender reputation only for determining policy actions. Sender Maturity is exposed to fine-tune filters for specific, non-standard scenarios. You can now validate the client credentials for the Office or Hybrid Graph API remediation account profile using the Client Secret value of the application generated on the Azure Management Portal.
A new log field - Message Size is added in the Consolidated Event Logs log type to view the message size in the single log line output. Select the 'File s Details' log field when configuring the log subscription for the Consolidated Event Logs. The email gateway now supports a new type of log subscription - Cloud Connector Logs. Most of the information is present at the Info or Warning Level.
The default value is 20, which is the minimum value. During the configured query timeout, the email gateway sends the file reputation queries to the AMP server. If the email gateway fails to receive a response from the AMP server, it retries by sending the query again to the AMP server.
The query timeout includes the time taken for the first query request and the retry request. The retry method enables the email gateway to receive responses when there are network latencies, issues related to the AMP server, and so on. The Cisco Talos Email Status Portal is a web-based tool for monitoring the status of email submissions from end-users.
Users of the legacy portal can still access their previous submissions in the new portal. You will not be able to submit samples of spam, phish, ham, marketing or non-marketing emails that may have been misidentified by your email gateway in the new portal. For more information, see Managing Spam and Graymail. In addition to creating a login passphrase manually, you can now also create a system-generated passphrase to log in to your email gateway. For more information, see Setup and Installation.
You can configure your email gateway to perform FQDN validation for certificates in the following scenarios:. You can configure your email gateway to consume threat feeds from the Cisco SecureX Threat Response portal.
The Cisco SecureX Threat Response portal allows you to create custom feeds for the continuous gathering of observables and to consume them in your email gateway using the feed URL. A feed is a simple list of observables in JSON format. The following table shows the comparison of the new web interface with the legacy interface:. The Mail Flow Summary page includes trend graphs and summary tables for incoming and outgoing messages.
The Incoming Mail includes graphs and summary tables for the incoming and outgoing messages. The following sections are available on the Advanced Malware Protection report page of the Reports menu:. The email gateway has the following Advanced Malware Protection report pages under the Monitor menu:. You can select multiple or all messages and perform a message action such as delete, delay, release, move, etc. The maximum limit for downloading attachments of a quarantined message is restricted to 25 MB.
The Query Settings field of the Message Tracking feature is not available on the. You can set the query timeout in the Query Settings field of the Message Tracking feature. Click the gear icon on the upper right side of the page in the web interface to access the Message Tracking Data Availability page. You can view the missing-data intervals for your email gateway. Verdict Chart displays information about the various possible verdicts triggered by each engine in your email gateway.
Last State of the message determines the final verdict triggered after all the possible verdicts of the engine. Message attachments and host names are not displayed in the Message Details section of the message on the email gateway. Message attachments and host names are displayed in the Message Details section of the message.
Direction of the message (incoming or outgoing) is displayed in the message tracking results page on the email gateway. Direction of the message (incoming or outgoing) is not displayed in the message tracking results page. Cisco offers the following resources to learn more about your email gateway:.
You can access the online help version of this user guide directly from the appliance GUI by clicking Help and Support in the upper-right corner. The documentation set for the Cisco Secure Email Gateway includes the following documents and books:. Documentation for all Cisco Content Security products is available from:.
The syntax of a filter using the url-no-reputation-defang action is:. Use the url-reputation-proxy-redirect action. The syntax of a filter using the url-reputation-proxy-redirect action is:. Use the url-no-reputation-proxy-redirect action. The syntax of a filter using the url-no-reputation-proxy-redirect action is:. The syntax of a filter using the url-category-replace action is. Where replacement-text is the text that you want to use to replace the URL.
The syntax of a filter using the url-category-defang action is:. The syntax of a filter using the url-category-proxy-redirect action is:. The No Operation action performs a no-op, or no operation. You can use this action in a message filter if you do not want to use any of the other actions such as Notify, Quarantine, or Drop. For example, to understand the behavior of a new message filter that you created, you can use the No Operation action.
After the message filter is operational, you can monitor the behavior of the new message filter using the Message Filters report page, and fine-tune the filter to match your requirements.
The following example shows how to use the No Operation action in a message filter. The following message filter compares the From: header in the message with the terms in the dictionary, and if the matching score of a term in the content dictionary is greater than or equal to 70, the message filter strips the From: header and replaces it with the Envelope Sender.
The email gateway uses Content Scanner to strip attachments from messages that are inconsistent with your corporate policies, while still retaining the ability to deliver the original message. You can filter attachments based on their specific file type, fingerprint, or based on the content of the attachment. Using the fingerprint to determine the exact type of attachment prevents users from renaming a malicious attachment extension, for example,.
When you scan attachments for content, the Content Scanner extracts data from attachment files to search for the regular expression. It examines both data and metadata in the attachment file. If you scan an Excel or Word document, the attachment scanning engine can also detect the following types of embedded files:.
The message filter actions described in the following table are non-final actions. Attachments are dropped and the message processing continues. The optional comment is text that is added to the message, much like a footer, and it can contain Message Filter Action Variables (see Examples of Attachment Scanning Message Filters). Drops all attachments on messages that have a filename that matches the given regular expression.
Drops all attachments on messages that have a given MIME type. Drops all attachments on the message that, in raw encoded form, are equal to or greater than the size in bytes given. Note that for archive or compressed files, this action does not examine the uncompressed size, but rather the size of the actual attachment itself.
Drops all attachments on messages that contain the regular expression. This filter action strips attachments based on matches to dictionary terms. Some messages contain images that you may wish to scan for inappropriate content.
Use the image analysis engine to search for inappropriate content in email. The image analyzer uses algorithms that measure image attributes to determine the likelihood of inappropriate content. These algorithms can detect, for example, the shapes and color palette in an image.
The analyzer can identify the type of shapes in an image and the percentage of any flesh-tone colors relative to the other colors in the image to help identify inappropriate content.
Images with a high percentage of flesh-tone colors are more likely to be inappropriate. The algorithms do not discriminate in any way. Image analysis is not designed to supplement or replace your Anti-Virus and Anti-Spam scanning engines.
Its purpose is to enforce acceptable use by identifying inappropriate content in email. Use the image analysis scanning engine to quarantine and analyze mail and to detect trends. After you configure your email gateway for image analysis, you can use image analysis filter rules to perform actions on suspect or inappropriate emails.
When you scan image attachments, Cisco fingerprinting determines the file type, and the image analyzer uses algorithms to analyze the image content.
If the image is embedded in another file, the Content Scanner extracts the file. The image analysis verdict is computed on the message as a whole. Therefore, a message without any images will receive a "clean" verdict.
Click Enable. A success message displays, and the verdict settings display. The image analysis filter rule allows you to determine the actions to take based on the following verdicts:. These verdicts represent a numeric value assigned by the image analyzer algorithm to determine probability of inappropriate content.
The following values are recommended:. You can fine-tune image scanning by configuring the sensitivity setting, which helps reduce the number of false positives. For example, if you find that you are getting false positives, you can decrease the sensitivity setting.
Or, conversely, if you find that the image scanning is missing inappropriate content, you may want to set the sensitivity higher. The sensitivity setting is a value between 0 (no sensitivity) and highly sensitive. The default sensitivity setting of 65 is recommended. Click Edit Settings. Configure the settings for image analysis sensitivity. Configure the settings for Clean, Suspect, and Inappropriate verdicts.
When you configure the value ranges, ensure that you do not overlap values and that you use whole integers. Optionally, configure AsyncOS to bypass scanning images that do not meet a minimum size requirement (recommended).
By default, this setting is configured for pixels. Scanning images that are smaller than pixels can sometimes result in false positives. You can also enable image analysis settings from the CLI using the imageanalysisconfig command:.
To see the verdict score for a particular message, you can view the mail logs. The mail logs display the image name or file name and the score for a particular message attachment.
In addition, the log displays information about whether the images in a file were scannable or unscannable. Note that information in the log describes the result for each message attachment, rather than each image.
For example, if the message had a zip attachment that contained a JPEG image, the log entry would contain the name of the zip file rather than the name of the JPEG. Also, if the zip file included multiple images then the log entry would include the maximum score of all the images.
The unscannable notation indicates whether any of the images were unscannable. The log does not contain information about how the scores translate to a particular verdict (clean, suspect, or inappropriate).
However, because you can use mail logs to track the delivery of specific messages, you can determine by the actions performed on the messages whether the mail contained inappropriate or suspect images. For example, the following mail log shows attachments dropped by message filter rules as a result of Image Analysis scanning:. Once you enable image analysis, you must create a message filter to perform different actions for different message verdicts.
For example, you may wish to deliver messages with a clean verdict, but quarantine messages that are determined to have inappropriate content.
The following filter shows messages tagged if the content is inappropriate or suspect:. After you enable image analysis, you can create a content filter to strip attachments based on image analysis verdicts, or you can configure a filter to perform different actions for different message verdicts.
For example, you might decide to quarantine messages that contain inappropriate content. To strip attachments based on image analysis verdicts:. Enter a name for the content filter. Under Actions, click Add Action.
Select from the following image analysis verdicts:. To configure an action based on image analysis verdicts:. Under Conditions, click Add Condition.
Choose from one of the following verdicts:. Click Add Action. Select an action to perform on messages based on the image analysis verdict. Using the Text Resources page in the GUI or the textconfig CLI command to configure custom notification templates as text resources is another useful tool when used in conjunction with attachment filtering rules. The notification template supports non-ASCII characters (you are prompted to choose an encoding while creating the template).
In the following example, the textconfig command was first used to create a notification template named strip. Then, an attachment filtering rule is created so that when an. For more information, see Notify and Notify-Copy Actions. The following examples show actions performed on attachments:.
In these examples, AsyncOS inserts headers when the attachments contain specified content. In the following example, all of the attachments on the message are scanned for a keyword. If the keyword is present in all of the attachments, a custom X-Header is inserted:. In the following example, the attachment is scanned for a pattern in the binary data. The filter uses the attachment-binary-contains filter rule to search for a pattern that indicates that the PDF document is encrypted.
If the pattern is present in the binary data, a custom header is inserted:. Note that the drop-attachments-by-filetype action examines attachments and strips them based on the fingerprint of the file, and not just the three-letter filename extension. In the following example, a message is dropped if the attachment is not an. However, the filter will not perform any action on the message if there is at least one attachment with the file type you want to filter out.
This drop-attachments-where-dictionary-match action strips attachments based on matches to dictionary terms. Note that the threshold for the matches is set to one:.
The attachment-protected filter tests whether any attachment in the message is password protected. You might use this filter on incoming mail to ensure that the attachments are scannable.
According to this definition, a zip file containing one encrypted member along with unencrypted members will be considered protected. Similarly, a PDF file that has no open password will not be considered protected, even though it may restrict copying or printing with a password. The following example shows protected attachments sent to a policy quarantine:.
The attachment-unprotected filter tests whether any attachment in the message is not password protected. This message filter complements the attachment-protected filter. You might use this filter on outgoing mail to detect outgoing mail that is unprotected. The following example shows AsyncOS detecting unprotected attachments on an outgoing listener and quarantining the messages:. As an example, use the following message filter rule syntax to detect files in message attachments categorized as malicious by the ETF engine, and take appropriate actions on such messages.
In the following example, if a message contains a message attachment detected as malicious by the ETF engine, the attachment is stripped. You can use the CLI to add, delete, activate and de-activate, import and export, and set logging options for message filters. The table below shows a summary of the commands and subcommands. The main command. This command is interactive; it asks you for more information (for example, new, delete, import).
Creates a new filter. If no location is given, it is appended to the current sequence. Otherwise, the filter will be inserted into the specific place in the sequence. For more information, see Creating a New Message Filter.
Deletes a filter by name or by sequence number. For more information, see Deleting a Message Filter. Rearranges the existing filters. Sets filter to active or inactive state. For more information, see Exporting Message Filters.
Lists information about a filter or filters. For more information, see Displaying a Message Filter List. Prints detailed information about a specific filter, including the body of the filter rule itself. For more information, see Displaying Message Filter Details. Enters the logconfig submenu of filters, allowing you to edit the log subscriptions from archive filter actions.
For more information, see Configuring Filter Log Subscriptions. An integer representing a filter based on its position in the list of filters. A seqnum of 2 represents the second filter in the list, for example. A range may be used to represent more than one filter, and appears in the form of X Y , where X and Y are the first and last seqnums that identify the extent.
For example, represents filters in the second, third, and fourth positions. Either X or Y may be left off to represent an open-ended list. For example, -4 represents the first four filters, and 2- represents all filters except the first. You can also use the keyword all to represent all the filters in the filter list. Specifies the position at which to insert the new filter(s).
If omitted, or given the keyword last , the filters entered in are appended to the list of filters. No gaps in the sequence numbers are allowed; you are not allowed to enter a seqnum outside the boundaries of the current list.
If you enter an unknown filtname, you are prompted to enter a valid filtname, seqnum, or last. After a filter has been entered, you may manually enter the filter script. When you are finished typing, end the entry by typing a period. Moves the filters identified by the first parameter to the position identified by the second parameter.
If the second parameter is the keyword last , the filters are moved to the end of the list of filters. If more than one filter is being moved, their ordering remains the same in relation to one another.
A given message filter is either active or inactive and it is also either valid or invalid. A message filter is only used for processing if it is both active and valid. You change an existing filter from active to inactive and back again using the CLI.
A filter is invalid if it refers to a listener or interface which does not exist or has been removed. Note that when the details of the filter are shown, the colon has been changed to an exclamation point and is bold in the following example. Sets the filters identified to have the given state. Legal states are:. The name of the file containing filters to be processed. It is ingested and parsed, and any errors are reported. The filters imported replace all filters existing in the current filter set.
Consider exporting the current filter list (see Exporting Message Filters) and then editing that file before importing.
When importing message filters, you are prompted to select the encoding used. When exporting message filters, you are prompted to select the encoding used. The best way to manage non-ASCII characters in filters is to edit the filter in a text file and then import that text file (see Importing Pre-Policy Filters) into the email gateway.
Shows summarized information about the identified filters in a tabular form without printing the filter body. The information displayed includes:. Provides full information about the identified filters, including the body of the filter and any additional state information. Enters a submenu that allows you to configure the filter log options for the mailbox files generated by the archive action. These options are very similar to those used by the regular logconfig command, but the logs may only be created or deleted by adding or removing filters that reference them.
Each filter log subscription has the following default values, which can be modified using the logconfig subcommand:. You can use the localeconfig command to set the behavior of AsyncOS regarding modifying the encoding of message headings and footers during message processing:.
The second prompt controls whether or not the email gateway should impose the encoding of the message body on the header if the header is not properly tagged with a character set. The third prompt is used to configure how disclaimer stamping and multiple encodings in the message body works.
The fourth prompt is used to configure the behavior of disclaimer stamping if an error is generated during the decoding of the message body. In the following example, the filter command is used to create three new filters:.
Finally, the changes are committed so that the filters take effect. This section contains some real world examples of filters with a brief discussion of each. The email gateways do not relay these messages to the world. These filters are put in place to protect users who may have open-source MTAs that are misconfigured to allow relay of these types of messages.
This filter sends a notification based on whether the subject contains specific words:. This filter scans and blind copies messages that are sent to competitors. Note that you could use a dictionary and the header-dictionary-match rule to specify a more flexible list of competitors (see Dictionary Rules):. Use this filter to block email from a specific address:.
Log and drop only the messages that have matching filetypes:. Use the archive line for verification of proper action, with drop enabled or disabled for extra safety:. If you also want to drop messages with a blank envelope from, use this filter:. Show which mail flow policy accepted the connection:.
Bounce all outbound email messages with more than 50 recipients from more than two unique domains:. Segment traffic using virtual gateways.
Assuming you have two interfaces on the system, 'public1' and 'public2', and the default delivery interface is 'public1', this would force all of your outbound traffic over the second interface; since bounces and other similar types of mail do not go through filters, they will be delivered from public. Use the same listener for delivery and receiving.
Make the filter work on a single listener. For example, specify a specific listener for message filter processing instead of having it performed system wide. Drop email with a spoofed domain pretending to be from an internal address; this works with a single listener. The IP addresses below represent a fictional domain for mycompany. This filter is used to detect and stop a mail loop, and to determine what is causing it.
This filter can help determine a configuration issue on the Exchange server or elsewhere. Use this filter to drop all message attachments in messages that match the specific file SHA value in the file hash list. Use this filter to drop all messages if the message attachments match the specific file SHA value in the file hash list.
You can control the behavior of body and attachment scanning, such as the attachment types to be skipped during a scan by configuring the scanning parameters. Use the Scan Behavior page or the scanconfig command to configure these parameters. Scan behavior settings are global settings, meaning that they affect the behavior of all the scans.
Define the attachment type mapping. Do one of the following:. Import a list of attachment type mappings using a configuration file. Click Import List, and import the desired configuration file from the configuration directory. Configure the global settings. Do the following:.
Choose whether to scan or skip attachments types defined in the attachment type mapping. Assume attachment matches pattern if not scanned for any reason. Action when message cannot be deconstructed to remove specified attachments.
Specify the action to be taken when a message could not be deconstructed to remove specified attachments. Bypass all filters in case of a content or message filter error. Select the Use Default Value (70) option to use the recommended image quality value for a safe-printed attachment. Select the Enabled option to add a watermark to a safe-printed attachment. Select the Enabled option to add a cover page to a safe-printed attachment. Select the Enabled option under Inbound Mail Traffic or Outbound Mail Traffic to allow the Content Scanner in your email gateway to scan the contents of password-protected attachments in incoming or outgoing messages.
Suppose the Content Scanner can extract the password from the body of the message and scan the attachment contents successfully. In that case, the password and attachment are sent to Cisco AMP Threat Grid (if configured in your email gateway) and the file is recommended for file analysis.
The Content Scanner extracts the password from the body of the message on a best-effort basis. The extracted password is not stored in your email gateway after the scanning is complete. Select the Enabled option to create a user-defined passphrase to open password-protected attachments in incoming or outgoing messages. Click Add Row if you want to add more than one user-defined passphrase.
You can change the priority of the user-defined passphrase by entering the required user-defined passphrase in the Password field that corresponds to the required priority.
Specify the actions to take when a message cannot be scanned by the Content Scanner due to decoding errors found during URL filtering actions.
Action for unscannable messages due to extraction failures. Specify the actions to take when a message cannot be scanned by the Content Scanner because of an attachment extraction failure. Action for unscannable messages due to RFC violations. Specify the actions to take when a message cannot be scanned by the Content Scanner because of an RFC violation.
Click Submit. (Optional) Manually update the Content Scanner files. Usually, these files are automatically updated from the update server. You can configure any one of the following message handling actions on messages that are not scanned by the Content Scanner:. You can perform the following additional actions, if you choose to deliver the message:. These actions are not mutually exclusive; you can combine some or all of them differently within different incoming or outgoing policies for different processing needs for groups of users.
You can alter the text of messages that are not scanned by the Content Scanner by prepending or appending certain text strings to help users easily identify and sort identified messages. Add spaces after (if prepending) or before (if appending) the text you enter in this field to separate your added text from the original subject of the message.
The default text that is added to the subject of the message that is not scanned by the Content Scanner:. You can define an additional, custom header to add to all messages that are not scanned by the Content Scanner. Click Yes and define the header name and text.
You can modify the message recipient, causing the message that is not scanned by the Content Scanner to be delivered to a different address. Click Yes and enter the new recipient address. You can choose to send the notification to a different recipient or destination host for messages that are not scanned by the Content Scanner. Click Yes and enter an alternate address or host. In the case of a multi-recipient message, only a single copy is sent to the alternative recipient.
When flagged for quarantine, the message that is not scanned by the Content Scanner continues through the rest of the email pipeline. For example, a content filter can cause a message to be dropped or bounced, in which case the message will not be quarantined. If a policy quarantine is not defined in your email gateway, you cannot send the message to the quarantine. You can perform the following additional actions, if you choose to send the message to the policy quarantine:.
Updated: November 22, Before you upgrade the appliance to the Note You can now upgrade to The critical log messages are now included in the proxy logs. Log Subscriptions The following logs are modified to include more details: The access logs now display the user name when authentication fails.
You can access the new web interface in the following way: Log in to the legacy web interface and click the Web Security appliance is getting a new look. You must log in to the legacy web interface of the appliance. Note Cisco does not recommend viewing the new web interface of the appliance on higher resolutions. Note While upgrading, do not connect any devices (keyboard, mouse, management devices such as Raritan, etc.).
After you upgrade to Note This release is not compatible with, and cannot be used with, the currently available Security Management releases. Features and functionality that support IPv6 addresses: Command line and web interfaces.
You can use Kerberos authentication with these operating systems and browsers: Windows servers , , R2, and Kerberos authentication is not available with these operating systems and browsers: Windows operating systems not mentioned above; browsers not mentioned above; iOS and Android. Note Ensure that the Security Services updates are successful. Before you begin.
Choose from the list of available upgrades. Note To verify the browser loads the new online help content in the upgraded version of AsyncOS, you must exit the browser and then open it before viewing the online help. Do the following: Procedure. Requirements in this section were introduced in AsyncOS 8. Note This patch is required only for virtual appliance releases that were downloaded or upgraded before June 25,
Deprecation of TLS 1. Support for High Performance. Web Proxy IP Spoofing. Support for YouTube Categorization. Warning messages for proxy malloc memory utilization. Cache Size Configuration for Authentication. Log Subscriptions. Use the Cisco SFPs which are shipped with the appliance. Ensure that the Security Services updates are successful.
Upgrade your hardware appliance to this AsyncOS release. Save the configuration file from your upgraded hardware appliance. When an IP spoofing profile is used in a routing policy, the web proxy changes the source IP address to the custom IP address defined in the IP spoofing profile.
You can now retrieve configuration information and perform changes such as modifying existing information, adding new information, or deleting an entry in the configuration data of the appliance using REST APIs.
See YouTube Categorization. These details are used by Cisco to identify the device information, list of free and licensed features and their activation statuses. By default, the Cisco Success Network feature is enabled on the appliance. The Cisco AsyncOS This increases the traffic handling performance of the existing high end appliances.
You can now upgrade to In the previous release, you had to disable the above-mentioned features in order to use the High Performance mode. To access the web interface, your browser must support and be enabled to accept JavaScript and cookies.
Your session automatically times out after 30 minutes of inactivity. Some buttons and links in the web interface cause additional windows to open. Browsers are supported only for operating systems officially supported by the browser.
You can access the legacy web interface of the appliance on any of the supported browsers. The supported resolution for the new web interface of the appliance AsyncOS The best viewed resolution is x, for all the browsers. Cisco does not recommend viewing the new web interface of the appliance on higher resolutions.
To enable these protocols, you must use the command-line interface. Access the command-line interface. See Accessing the Command Line Interface. Run the interfaceconfig command. Pressing Enter at a prompt accepts the default value. Open a browser and enter the IP address or hostname of the Web Security appliance. If the appliance has not been previously configured, use the default settings:.