Showing results for 
Search instead for 
Did you mean: 
Community Manager

Ask the Expert: Cisco Email Security Appliance (ESA), Web Security Appliance (WSA), and Content Security Management Appliance (SMA)

This is an opportunity to learn and ask questions about Cisco Email Security Appliance (ESA), Web Security Appliance (WSA), and Content Security Management Appliance (SMA) with Cisco Experts: Nasir Abbas, Rehan Latif, and Frank Tao Yang.

Covering topics ranging from Ironport, SBRS, TLS / Encryption / Certificates / CRES, LDAP, workqueue, clustering, Antispam, Antivirus, Outbreak Filters, DLP, upgrading, reporting, and more.


Nasir Abbas is a customer support engineer from the Cisco Content Security team at the Cisco Technical Assistance Center in Sydney, Australia. He has more than 10 years  IT experience. And is a subject matter expert (SME) for Cisco IronPort Encryption Appliance.



Cisco ExpertsRehan Latif is Senior Customer Support Engineer for Cisco Content Security product line. He has been in networks and security business for last 17 years including 6 plus years within Cisco as Content Security Expert. Rehan holds Masters Degree in Inter-networking.


Ask your Questions during this two-week, open discussion thread!

** Remember to use the rating system to let the experts know you have received an adequate response. And encourages participation.**

Monday, February 16th through Friday, February 27th, 2015

Because of the volume expected during this event, the experts might not be able to answer every question. Remember that you can continue the conversation in the Security > Email Security community, shortly after the event. This event lasts through February 27th 2015. Visit this forum often to view responses to your questions and those of other Cisco Support Community members.


Accepted Solutions

Hi, I have a couple of questions related to WSA.  I'm looking for more information on anti-malware scanning, and have a couple of questions about external DLP.


1)   Is the decision for whether or not content is scanned for anti-malware based entirely on reputation?  Is there any way to create policy to define which types of traffic get scanned for anti-malware?  If so, how is that done, and how flexible can the policy be defined (i.e. only content from a particular subnet is scanned)?  Is it possible to scan all traffic, and is scanning all traffic recommended?


2) With external DLP servers, can you please elaborate on the protocols and methods that are scanned for DLP?  It looks like only HTTP, HTTPS, and FTP are supported.  Which methods are scanned (PUT, GET, etc...) and with FTP, is it only scanned in the context of FTP over HTTP, or is native FTP scanned as well (Assuming it's sent to the proxy as well).  With FTP, which methods are supported (put, mput)?


3) With external DLP.  The AsyncOs User guide indicates the following: " Verify the external DLP server does not send the Web Proxy modified content. AsyncOS for Web only supports the ability to block or allow upload requests. It does not support uploading content modified by an external DLP server.

What exactly does this mean? If the external DLP server modifies the content to remove/mask sensitive information, will this not work with the WSA?  Is the WSA only looking for a block or allow response from the external DLP server?




View solution in original post


Hell Team


I.m new in this subject, and I have to develop a project with WSA, do you have any information for beginners.




Wilson Veliz

Hey Wilson,


I would recommend posting in

For assistance with your WSA :)

They'll be happy to assist there.



Hello, gentlemen! Please help me.  

My question is: -  I have to set two ESA C170 in High Availability mode hot/stdby for e-mail security. We have 600 email boxes and need to buy antispam licence for it. Please, answer do we need to buy 600 licences for each ESA C170 appliance in total 1200 or we can buy 600 licences and it could be replicated between ESA?

Hello Marat,

To get a accurate information, I would recommend contacting Cisco Sales / Cisco Partner Reseller. They can provide you further information about licence required for number of users .

Hope this Help.

Nasir Abbas

Hey Marat,


I believe this enquiry can be best answered by the Cisco Rep whom you'll be speaking to, to purchase this.


Licenses are unique to machines and are not replicated through clustering or anything of that matter, but i believe you may be able to do a license 'share' between devices if both are under your company ownership.



I apologise if this answer is not directly resolving your enquiry.




Hi Wilson,

In addition to the Matthew's response, I would recommend attending "Securing the Web with Cisco Web Security Appliance (SWSA)" course.

More information regarding the course can be found from:

Hope this will help.




Greg Hopp

Gentlemen,  I have a C170 and just got a 30 day license to trial the new AMP product.

My question concerns the issue of sending a file out for malware analysis.  The documentation states that if you don't want to send files out due to security concerns, you don't have to.  This leads me to wonder what type of treatment documents do receive during file analysis?

My firm may receive information with sensitive personal financial information (PFI) and/or PII, hence my concern.


In my trial of AMP, what I noticed is that only suspect files are sent to the cloud. a majority of them are not, as there are tests done locally to decide what is sent and what is not.

Also I found that you need to take a look at the AMP reporting once in a while to find out what malware was detected after the fact. about 90% of these end up being caught buy outbreak and spam filters anyways, but it is good to trace them done, as once in a while it makes it to the end users inbox.


Currently I'm waiting for my purchased AMP license to be processed so I can turn it back on. I had an production issue with the demo feature key when it expired, so make sure to disable it before the demo key expires.

Greg Hopp

Another question.  Documentation indicates that the following files are not evaluated: "Text/ALL, image/ALL, application/x-javascript, application/x-shockwave-flash, application/x-empty, and application/javascript."

Can you speak to why these file types are not evaluated and whether this is of much concern?  Most of are files received are PDFs and Office docs, and most malware comes in as zip content, so I'm thinking this is not considered much of a threat vector?

Thanks again,



Hi Greg,

Staring AsyncOS version 9.0 for ESA, the AMP can evaluate all office documents, executables, PDFs and files within archives.

There are some reporting and logging related enhancements as well in version 9.0. At this moment, it is still in ED (Early Deployment) phase and expected to be available to all customers within next few weeks.

If you wish to evaluate AsyncOS version 9.0, I would recommend contacting TAC to make it available for your appliances.



That's good to know.  I actually have a notice telling me it's available for me to download and upgrade.  After I activate the feature I'll go ahead and do so.






Cisco WSA vs. Fortinet FortiGate - which should we choose?

How do Cisco WSA and FortiGate compare? What are the main differences?

Hi Rizwan,


To get a comparative analysis, I would recommend contacting Cisco Sales. They can provide you comprehensive data on both products to help you choose the right one.


I hope this will help.




Paul Cardelli

Two Questions:

With AMP on ESA is there or will there be plans to integrate it with the AMP Endpoint/Network solution for more automated correlation and remediation of retrospectively detected viruses?


Are there any plans to add more flexibility to centrally manage ESAs from the SMA console in the future? (Not just reports and Quarantines).

Content for Community-Ad