We have a Senders Group that functions as our internal relay. I have over 100 IPs I need to add to the relay. Is there a way I can import these IPs and their associated "description"? None of these IPs are in sequence, so I can't just add a 'range' to our senders group.
Any help would be appreciated!
If the entries are already in the HAT table of an existing ESA then you can import it out of an existing one and completely override another ESA.
Otherwise, you'll need to manually add these entries into the system via the GUI / CLI one at a time.
The final method for a quick import of such is to edit the XML document of the configuration file, then add all the entries. Load the configuration in so it gets bound to the ESA.
This method is not supported by Cisco, but can be done if you're handy with Notepad++.
Essentially you can save the configuration to your PC with passwords unmasked.
Then when opening it in Notepad++, if you locate this new sendergroup you created for your internal relays, if it has one or two entries already it'll look something like:
You can add in additional entries in Notepad++ to keep with the format and load the configuration.
It looks like using the WinSCP utility works for this kind of task. However, that only allowed me to edit the XML file of 1 Sender Group, in 1 appliance. We have multiple appliances and when I try to run a search for one of these IPs in the Host Access Table (that I added via XML), I can't find it. Of course, I have to view these Sender Groups in "Cluster Mode" and I don't know how to view the HAT of just one appliance.
Clear as mud? Probably not.
As your devices are in a cluster then loading the configuration may not have worked exactly.
If you're on a later release (I believe version 8.5.6) then you should be able to save your cluster level configuration out.
Make this XML edit.
Then load it back into the cluster groups to override all cluster configuration with this updated one.
If your clustered devices are separated into individual groups then you may need to do it once for each group and ensure it gets assigned to the right group when loading so the other groups do not get impacted.
Sendergroups should not be restricted to one machine unless the machine was overriding the cluster level configuration at the start.
You can do it with a script. I previously managed 30+ appliances before clustering was available so scripting became the way to go.
The most flexible way is to use Expect, but you can also use batch commands. The secret is that you need to do a commit before the SSH session ends or all of the changes will be lost.
Here's what you need to do. Create a text file with one line for each IP address that looks like this - change LISTENERNAME and SENDERGROUP to match your setup. Use whatever tool suits you.
listenerconfig edit LISTENERNAME hostaccess edit SenderGroup SENDERGROUPNAME new 220.127.116.11/32
Then, once you have a text file with all the commands, add two lines to the end.
Then execute it like so:
ssh -tt USER@HOST < YOURSCRIPT
P.S. You can't enter descriptions when you add entries from the CLI.
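One way to build the command file described in the post above from a plain list of addresses, as an added example that is not part of the original post. The function name, the `max_addresses` limit and the sample addresses are assumptions; the command shape and the LISTENERNAME / SENDERGROUPNAME placeholders come from the post, and the two closing lines the post mentions are not generated here.

```python
import ipaddress
import sys

# Command shape copied from the post; listener and group names are yours to supply.
TEMPLATE = "listenerconfig edit {listener} hostaccess edit SenderGroup {group} new {entry}"

def build_relay_commands(raw_lines, listener, group, max_addresses=1):
    """Return (commands, rejected) built from IP/CIDR strings, one per line."""
    for name in (listener, group):
        if not name or any(ch.isspace() for ch in name):
            raise ValueError(f"name must be a single token: {name!r}")
    commands, rejected, seen = [], [], set()
    for lineno, raw in enumerate(raw_lines, 1):
        text = raw.split("#", 1)[0].strip()  # tolerate comments and blank lines
        if not text:
            continue
        try:
            net = ipaddress.ip_network(text, strict=True)
        except ValueError as exc:
            rejected.append((lineno, text, f"not a valid address: {exc}"))
            continue
        if net.is_loopback or net.is_unspecified or net.is_multicast:
            reason = "not a usable sender address"
        elif net.num_addresses > max_addresses:
            # Every address in a relay sender group may send mail through the ESA.
            reason = f"covers {net.num_addresses} addresses, limit is {max_addresses}"
        elif net in seen:
            reason = "duplicate entry"
        else:
            seen.add(net)
            commands.append(TEMPLATE.format(listener=listener, group=group, entry=str(net)))
            continue
        rejected.append((lineno, text, reason))
    return commands, rejected

# Constructed sample input using documentation address ranges.
SAMPLE = [
    "192.0.2.10",
    "198.51.100.7/32",
    "192.0.2.10   # listed twice",
    "203.0.113.0/24",
    "10.0.0.300",
    "127.0.0.1",
]

if __name__ == "__main__":
    cmds, bad = build_relay_commands(SAMPLE, "LISTENERNAME", "SENDERGROUPNAME")
    print("\n".join(cmds))  # redirect stdout to the command file
    for lineno, text, reason in bad:
        print(f"skipped line {lineno} ({text}): {reason}", file=sys.stderr)
```

Rejected entries go to stderr so that redirecting stdout produces a file containing only commands; review the rejects before running the file against an appliance.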
It's 2019 and they still have not created a simple way to add multiple domains or IPs to a sender list.
I have cloud email security, I cannot access the CLI or SFTP, so none of these methods help me.
You have access to the CLI but it first has to be configured. Once configured, you can push/pull items from the configuration directory using SCP.
There is a tech zone on how to set up the CLI access. Though, you would first need to reach out to TAC and provide a public key for SSH connectivity.