Beginner

Add Multiple IPs to Senders Group

We have a Senders Group that functions as our internal relay. I have over 100 IPs I need to add to the relay. Is there a way I can import these IPs and their associated "description"? None of these IPs are in sequence, so I can't just add a 'range' to our senders group.

Any help would be appreciated!

Beginner

Hi TB,

I need more information. What equipment? IPv4, OSI model 2, 3, etc.?

Beginner

C670's and I'm trying to add IPv4 IP Addresses.

Cisco Employee

Hello Hernandez,

 

If the entries are already in the HAT table of an existing ESA then you can import it out of an existing one and completely override another ESA.

 

Else, you'll need to manually add these entries into the system via the GUI / CLI one at a time.

 

The final method for a quick import of such is to edit the XML document of the configuration file, then add all the entries. Load the configuration in so it gets bound to the ESA.

This method is not supported by Cisco, but can be done if you're handy with Notepad++.


Essentially you can save the configuration to your PC with passwords unmasked.

Then, when opening it in Notepad++, if you locate this new sendergroup you created for your internal relays and it has one or two entries already, it'll look something like:

---

RELAYLIST:
1.1.1.2
1.1.1.1
        $RELAYED

---

 

You can add in additional entries in Notepad++, keeping with the format, and load the configuration.

 

RELAYLIST:
1.1.1.2
1.1.1.1
1.1.1.2 (test add)
10.10.10.3 (test add2)
10.123.123.1 (testadd3)
        $RELAYED
 
 
Once done, save the configuration to your PC.
And load it back into the ESA and it will appear in the GUI.
 
Regards,
Matthew
Beginner

It looks like using the WinSCP utility works for this kind of task. However, that only allowed me to edit the XML file of 1 Sender Group, in 1 appliance. We have multiple appliances, and when I try to run a search for one of these IPs in the Host Access Table (that I added via XML), I can't find it. Of course, I have to view these Sender Groups in "Cluster Mode" and I don't know how to view the HAT of just one appliance.

Clear as mud? Probably not.

Cisco Employee

Hello TB,

 

As your devices are in a cluster then loading the configuration may not have worked exactly.

If you're on a later release (I believe version 8.5.6) then you should be able to save your cluster level configuration out.


Make this XML edit.

Then load it back into the cluster groups to override all cluster configuration with this updated one.

If your clustered devices are separated into individual groups then you may need to do it once for each group and ensure it gets assigned to the right group when loading so the other groups do not get impacted.

Sendergroups should not be restricted to one machine unless the machine was overriding the cluster level configuration at the start.

Beginner

You can do it with a script. I previously managed 30+ appliances before clustering was available so scripting became the way to go.

The most flexible way is to use Expect, but you can also use batch commands. The secret is that you need to do a commit before the SSH session ends or all of the changes will be lost.

 

Here's what you need to do. Create a text file with one line for each IP address that looks like this - change LISTENERNAME and SENDERGROUP to match your setup. Use whatever tool suits you.

listenerconfig edit LISTENERNAME hostaccess edit SenderGroup SENDERGROUPNAME new 1.1.1.1/32

 

Then, once you have a text file with all the commands, add two lines to the end.

commit SOMEREASON

exit

 

Then execute it like so:

ssh -tt USER@HOST < YOURSCRIPT

 

And...Voila!

 

P.S. You can't enter descriptions when you add entries from the CLI
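
An added example (not part of the post above, and not Cisco code): a Python generator for the command file the post describes, checking each address before it becomes a relay entry. The command line is the post's own template; the input format with `#` comments, the one-address-per-entry limit and the sample addresses are assumptions made for this example.

```python
import ipaddress
import re

# Command line copied from the post; the two names are its placeholders.
TEMPLATE = ("listenerconfig edit {listener} hostaccess edit "
            "SenderGroup {group} new {entry}")
TOKEN = re.compile(r"[A-Za-z0-9_.-]+")  # names may not carry extra CLI input

# Constructed sample input (assumed format: one address per line, '#' = comment).
SAMPLE = """\
1.1.1.1
1.1.1.2        # comment is dropped: the CLI takes no description
10.10.10.3/32
1.1.1.2
10.0.0.0/8
10.123.123.1 mailhost
"""


def build_batch(lines, listener, group, reason, max_addresses=1):
    """Return (commands, rejected); commands end with 'commit' and 'exit'."""
    for name in (listener, group, reason):
        if not TOKEN.fullmatch(name):
            raise ValueError(f"unsafe token for a CLI batch: {name!r}")
    seen, commands, rejected = set(), [], []
    for lineno, raw in enumerate(lines, 1):
        text = raw.split("#", 1)[0].strip()
        if not text:
            continue
        try:
            net = ipaddress.IPv4Network(text, strict=True)
        except ValueError as exc:
            rejected.append((lineno, text, f"not a valid IPv4 entry: {exc}"))
            continue
        if net.num_addresses > max_addresses:
            # A wide prefix would grant relay rights to every host in it.
            rejected.append((lineno, text, "range wider than allowed"))
        elif net in seen:
            rejected.append((lineno, text, "duplicate"))
        else:
            seen.add(net)
            commands.append(TEMPLATE.format(listener=listener, group=group, entry=net))
    # The commit must run before the SSH session ends or the changes are lost.
    commands += [f"commit {reason}", "exit"]
    return commands, rejected


if __name__ == "__main__":
    cmds, bad = build_batch(SAMPLE.splitlines(), "LISTENERNAME", "SENDERGROUPNAME", "SOMEREASON")
    print("\n".join(cmds))
    for lineno, text, why in bad:
        print(f"# rejected line {lineno}: {text!r} ({why})")
```

Save the printed commands as YOURSCRIPT only once the rejected list is empty, then run it with the `ssh -tt USER@HOST < YOURSCRIPT` line from the post.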

Beginner

It's 2019 and they still have not created a simple way to add multiple domains or IPs to a sender list.

I have Cloud Email Security; I cannot access the CLI or SFTP, so none of these methods help me......

Cisco Employee

Hello,

 

You have access to the CLI but it first has to be configured. Once configured, you can push/pull items from the configuration directory using SCP. 

 

There is a tech zone on how to set up the CLI access. Though, you would first need to reach out to TAC and provide a public key for SSH connectivity.

 

https://www.cisco.com/c/en/us/support/docs/security/cloud-email-security/214281-accessing-the-command-line-interface-cl.html

 

Thanks!

-Dennis M.

 

Beginner

Will this still work in a cluster environment, or will I need to SCP into each box to populate the sender group lists?

Beginner

We currently do this and you only need to connect to one of the ESAs in the cluster.
Engager

Should work in a cluster.

Changes made to the config get replicated.