
Ask the Expert: Cisco Email Security Appliance (ESA), Web Security Appliance (WSA), and Content Security Management Appliance (SMA)

ciscomoderator
Community Manager

This is an opportunity to learn and ask questions about Cisco Email Security Appliance (ESA), Web Security Appliance (WSA), and Content Security Management Appliance (SMA) with Cisco Experts: Nasir Abbas, Rehan Latif, and Frank Tao Yang.

Covering topics ranging from Ironport, SBRS, TLS / Encryption / Certificates / CRES, LDAP, workqueue, clustering, Antispam, Antivirus, Outbreak Filters, DLP, upgrading, reporting, and more.

 

Nasir Abbas is a customer support engineer from the Cisco Content Security team at the Cisco Technical Assistance Center in Sydney, Australia. He has more than 10 years of IT experience and is a subject matter expert (SME) for the Cisco IronPort Encryption Appliance.

 

 

Rehan Latif is a Senior Customer Support Engineer for the Cisco Content Security product line. He has been in the networks and security business for the last 17 years, including 6 plus years within Cisco as a Content Security Expert. Rehan holds a Master's Degree in Inter-networking.

 


Ask your Questions during this two-week, open discussion thread!

**Remember to use the rating system to let the experts know you have received an adequate response. It also encourages participation.**

Monday, February 16th through Friday, February 27th, 2015

Because of the volume expected during this event, the experts might not be able to answer every question. Remember that you can continue the conversation in the Security > Email Security community shortly after the event. This event lasts through February 27th, 2015. Visit this forum often to view responses to your questions and those of other Cisco Support Community members.


Hello Paul,

 

That is correct with your understanding and to build onto it further :)

The pipeline on the ESA would be for filtering;

 

SBRS filtering at HAT overview/Connection level (removes a large portion of spam)

Message filtering (if you're using them)

Anti-spam scanning (emails are more likely to be caught under spam scanning as the volume of traffic globally is mainly spam behaviour, so having spam take action first to remove a large portion will reserve CPU and memory -- NOTE: There is an IMS feature that uses both Cloudmark + IPAS for further efficiency)

Anti virus engine (Sophos/McAfee)

AMP (Cisco SourceFire/AMP team)

Content filter scanning (Custom filters) --> Utilizing URL filtering can assist with matching emails with URLs within it with our WBRS sensors.

Outbreak Filters (Cisco Virus outbreak team manages the rules)

 

Keep in mind, you also have RAT table checking, LDAP/SMTP call-ahead (which, if incorporated, can remove a lot of invalid emails), DHAP in place, and SPF/DMARC, which can be incorporated with actions taken in a content filter.

 

Inderpal Oberoi
Cisco Employee

Hello Everyone,

The customer wants to update client teams via their proxies. What is the best way of doing it?
1) Enabling https cache...
2) AVC with Range Request Forward ...

Device performance is the key factor... RRF, if enabled, will provide bandwidth optimization... but it has its limitations too, as shared below:
It needs to be enabled locally on the box. And if this box is managed by SMA, then we don't have RRF feature available on it. Any policies pushed through SMA will override the RRF setting enabled locally on the WSA box. Software defect shared below:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo66335

Will HTTPS caching serve the purpose? Decrypting and encrypting the contents does consume a lot of resources?
Should we create policies in such a way that we only decrypt the websites which are required and the rest can be passthrough?

Please advise...