
Add Multiple IPs to Senders Group

TBHernandez
Level 1

We have a Senders Group that functions as our internal relay. I have over 100 IPs I need to add to the relay. Is there a way I can import these IPs and their associated "description"? None of these IPs are in sequence, so I can't just add a 'range' to our senders group.

Any help would be appreciated!


Horacio2021
Level 1

Hi TB

 

I need more information. What equipment? IPv4, OSI model 2, 3, etc.

C670's and I'm trying to add IPv4 IP Addresses.

Mathew Huynh
Cisco Employee

Hello Hernandez,

 

If the entries are already in the HAT table of an existing ESA then you can import it out of an existing one and completely override another ESA.

 

Otherwise, you'll need to manually add these entries into the system via the GUI / CLI one at a time.

 

The final method for quickly importing these is to edit the XML document of the configuration file, then add all the entries. Load the configuration in so it gets bound to the ESA.


This method is not supported by Cisco, but can be done if you're handy with notepad++ 


Essentially you can save the configuration to your PC with passwords unmasked.

Then, when opening it in notepad++, if you locate this new sendergroup you created for your internal Relays, and it has one or two entries already, it'll look something like:

---

RELAYLIST:
1.1.1.2
1.1.1.1
        $RELAYED

---

 

You can add additional entries in notepad++, keeping with the format, and load the configuration.

 

---

RELAYLIST:
1.1.1.2
1.1.1.1
1.1.1.2 (test add)
10.10.10.3 (test add2)
10.123.123.1 (testadd3)
        $RELAYED

---
 
 
Once done, save the configuration to your PC.
And load it back into the ESA and it will appear in the GUI.
 
Regards,
Matthew

TBHernandez
Level 1

It looks like using the WinSCP utility works for this kind of task. However, that only allowed me to edit the XML file of 1 Sender Group, in 1 appliance. We have multiple appliances and when I try to run a search for one of these IPs in the Host Access Table (that I added via XML), I can't find it. Of course, I have to view these Sender Groups in "Cluster Mode" and I don't know how to view the HAT of just one appliance.

Clear as mud? Probably not.

Hello TB,

 

As your devices are in a cluster then loading the configuration may not have worked exactly.

If you're on a later release (I believe version 8.5.6) then you should be able to save your cluster level configuration out.


Make this XML edit.

Then load it back into the cluster groups to override all cluster configuration with this updated one.

If your clustered devices are separated into individual groups then you may need to do it once for each group and ensure it gets assigned to the right group when loading so the other groups do not get impacted.

Sendergroups should not be restricted to one machine unless the machine was overriding the cluster level configuration at the start.

Bob Fayne
Level 1

You can do it with a script. I previously managed 30+ appliances before clustering was available so scripting became the way to go.

The most flexible way is to use Expect, but you can also use batch commands. The secret is that you need to do a commit before the SSH session ends or all of the changes will be lost.

 

Here's what you need to do. Create a text file with one line for each IP address that looks like this - change LISTENERNAME and SENDERGROUP to match your setup. Use whatever tool suits you.

listenerconfig edit LISTENERNAME hostaccess edit SenderGroup SENDERGROUPNAME new 1.1.1.1/32

 

Then, once you have a text file with all the commands, add two lines to the end.

commit SOMEREASON

exit

 

Then execute it like so:

ssh -tt USER@HOST < YOURSCRIPT

 

And...Voila!

 

P.S. You can't enter descriptions when you add entries from the CLI
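
The batch file described in the post above can be generated and checked before it is sent, since every line adds a host to the relay group. This is an added example, not code from the thread: the listener name `InboundMail`, the commit reason and the sample addresses are constructed placeholders, and `build_batch` and `is_ipv4` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: builds the command batch described in the post above.
# Listener name, commit reason and sample IPs are constructed placeholders.

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255, no leading zeros.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# build_batch LISTENER GROUP REASON < ip_list
# Prints the batch on stdout. If any line is not a plain IPv4 address it prints
# nothing and returns 1, so a bad list never reaches the relay group half-applied.
build_batch() {
    listener=$1 group=$2 reason=$3 seen=" " out="" bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop "# comment" tails and surrounding whitespace.
        ip=$(printf '%s\n' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$ip" ] || continue
        if ! is_ipv4 "$ip"; then
            echo "rejected: $line" >&2; bad=1; continue
        fi
        case "$seen" in *" $ip "*) continue ;; esac   # skip duplicates
        seen="$seen$ip "
        out="${out}listenerconfig edit $listener hostaccess edit SenderGroup $group new $ip/32
"
    done
    [ "$bad" -eq 0 ] || return 1
    printf '%scommit %s\nexit\n' "$out" "$reason"
}

# Constructed sample list; the second 192.0.2.10 is a deliberate duplicate.
printf '192.0.2.10\n198.51.100.7  # app server\n192.0.2.10\n' |
    build_batch InboundMail RELAYLIST bulk-relay-add
# Then, as in the post: build_batch ... < ips.txt > batch.txt && ssh -tt USER@HOST < batch.txt
```

Keeping the source list under version control gives a record of who asked for each relay entry, which the CLI route cannot store as a description.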

Bedwards18
Level 1

It's 2019 and they still have not created a simple way to add multiple domains or IPs to a sender list.

I have cloud email security, I cannot access the CLI or SFTP, so none of these methods help me...

Hello,

 

You have access to the CLI but it first has to be configured. Once configured, you can push/pull items from the configuration directory using SCP. 

 

There is a tech zone on how to set up the CLI access. Though, you would first need to reach out to TAC and provide a public key for SSH connectivity.

 

https://www.cisco.com/c/en/us/support/docs/security/cloud-email-security/214281-accessing-the-command-line-interface-cl.html

 

Thanks!

-Dennis M.

 

Will this still work in a cluster environment, or will I need to SCP into each box to populate the sender group lists?

We currently do this and you only need to connect to one of the ESAs in the cluster.

Should work in a cluster.

Changes made to the config get replicated.

