I have been asked to audit an IronPort C300 running v6.3.5-003 to determine the IP and hostname of all systems sending email through the device. This is my first time working with an IronPort and I would appreciate any suggestions on how to best do this.
The ultimate goal is to get the systems sending through it to change their settings to send to a DNS alias instead of directly to this appliance we are trying to retire. The systems sending through it should be internal to the company, but we may have external systems sending as well.
Is exporting the last 30 days in the web GUI under Monitoring for "Outgoing Senders: IP Addresses" and "Incoming Mail: IP Addresses" sufficient? Do I need both, or are just the "Incoming Mail: IP Addresses" the ones I need? Is there any way to get the appliance to log more than the last 30 days?
I am not sure that the data you're looking at in the GUI is going to give you a complete picture. Ideally you would want to consult the mail logs on the appliance for this type of data. All connections, successful or not, are logged in the mail logs. This would include the source IP. There should also be host information based on the reverse lookup via DNS in the mail logs as well.
You can search the logs to gather more information about the From, To, Subject of the emails coming from this IP address that you're interested in.
The name of the log is "mail_logs". You can see this in the [System Administration > Log Subscriptions > mail_logs].
There are several ways to access these logs.
1. Via the web browser.
- Go to [System Administration > Log Subscriptions].
- For the mail_logs, click on the FTP link to the right of mail_logs.
- If it gives you an error, go to [Network > IP Interfaces], select the interface that you normally use to access the IronPort, and turn on the FTP (port 21) service.
2. From the command line,
- Use an SSH client like PuTTY to log on to the command line of the IronPort appliance via port 22/SSH.
- From the command line, type the following to search for the IP:
grep (press Enter)
The number of "mail_logs" (press Enter)
Then enter the pattern to search for, e.g. 192.168.1.1 or firstname.lastname@example.org
For the next three questions, press enter and keep the defaults.
The search may take a bit of time to complete.
Once the output comes back, you can search either the ICID or the MID.
grep "ICID 123456" mail_logs
Once the output comes back, you can search for the MID
grep "MID 78901234" mail_logs
and so on.
You should be able to see the From, To and Subject from the MID. You should see the IP address and the HAT Sender Group from the ICID.
3. Another option is to FTP the mail_logs to a local machine (desktop) and use your own file/text editor to search for the IP addresses.
Here is a link to some Support Portal knowledge base articles that may be of use:
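Added example for the third option above (it is not code from the thread or from Cisco): once mail_logs has been pulled off the appliance with FTP, this script joins the three record types the answer describes, the "New SMTP ICID" connection line (source IP and reverse DNS host), the ICID verdict line (HAT Sender Group) and the "MID ... From:" line, and groups them by source IP so you get one inventory row per sending system instead of grepping ICIDs and MIDs one at a time. The sample log lines are constructed, and the "internal" classification assumes RFC 1918 address space; pass your own ranges to `inventory_senders` if your network differs.

```python
"""Inventory SMTP senders from an IronPort (AsyncOS) mail_logs export.

Added example, not code from the original thread or from Cisco: parse the
'New SMTP ICID ...' connection records, the HAT verdict / Sender Group line
for each ICID, and the 'MID ... From:' line for each message, then group the
results by source IP. Usage: python mail_logs_senders.py mail_logs
(runs on the built-in sample if no file is given).
"""
import ipaddress
import re
import sys

# Constructed sample in the mail_logs layout (not real traffic).
SAMPLE_MAIL_LOGS = """\
Mon Jan 10 08:01:02 2011 Info: New SMTP ICID 1001 interface Data1 (10.0.0.5) address 10.20.30.40 reverse dns host app01.corp.example verified yes
Mon Jan 10 08:01:02 2011 Info: ICID 1001 ACCEPT SG RELAYLIST match 10.20.30.0/24 SBRS None
Mon Jan 10 08:01:03 2011 Info: Start MID 5001 ICID 1001
Mon Jan 10 08:01:03 2011 Info: MID 5001 ICID 1001 From: <alerts@corp.example>
Mon Jan 10 08:01:03 2011 Info: MID 5001 ICID 1001 RID 0 To: <ops@corp.example>
Mon Jan 10 08:01:03 2011 Info: MID 5001 Subject 'Nightly job complete'
Mon Jan 10 08:01:04 2011 Info: ICID 1001 close
Mon Jan 10 08:05:00 2011 Info: New SMTP ICID 1002 interface Data1 (10.0.0.5) address 203.0.113.9 reverse dns host unknown verified no
Mon Jan 10 08:05:00 2011 Info: ICID 1002 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -5.2
Mon Jan 10 08:05:01 2011 Info: ICID 1002 close
Mon Jan 10 08:09:30 2011 Info: New SMTP ICID 1003 interface Data1 (10.0.0.5) address 10.20.30.40 reverse dns host app01.corp.example verified yes
Mon Jan 10 08:09:30 2011 Info: ICID 1003 ACCEPT SG RELAYLIST match 10.20.30.0/24 SBRS None
Mon Jan 10 08:09:31 2011 Info: Start MID 5002 ICID 1003
Mon Jan 10 08:09:31 2011 Info: MID 5002 ICID 1003 From: <alerts@corp.example>
Mon Jan 10 08:09:32 2011 Info: ICID 1003 close
"""

TS_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})")
NEW_ICID_RE = re.compile(
    r"New SMTP ICID (?P<icid>\d+) interface (?P<iface>\S+) \((?P<listen>\S+)\) "
    r"address (?P<src>\S+) reverse dns host (?P<host>\S+) verified (?P<verified>yes|no)")
VERDICT_RE = re.compile(
    r"ICID (?P<icid>\d+) (?P<verdict>ACCEPT|REJECT|RELAY|TCPREFUSE|CONTINUE) SG (?P<sg>\S+)")
FROM_RE = re.compile(r"MID (?P<mid>\d+) ICID (?P<icid>\d+) From: <(?P<addr>[^>]*)>")

# Assumed definition of "internal": RFC 1918 space. Override with your own ranges.
DEFAULT_INTERNAL = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def is_internal(ip, internal_nets=DEFAULT_INTERNAL):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in internal_nets)


def inventory_senders(text, internal_nets=DEFAULT_INTERNAL):
    """Return {source_ip: record} built from mail_logs text."""
    senders = {}
    icid_to_ip = {}  # ICID -> source IP, so verdict and MID lines can be joined to a host
    for line in text.splitlines():
        m_ts = TS_RE.match(line)
        ts = m_ts.group("ts") if m_ts else ""
        m = NEW_ICID_RE.search(line)
        if m:
            ip = m.group("src")
            icid_to_ip[m.group("icid")] = ip
            rec = senders.setdefault(ip, {
                "host": None, "verified": False, "internal": is_internal(ip, internal_nets),
                "connections": 0, "messages": 0, "verdicts": set(), "sender_groups": set(),
                "from": set(), "first_seen": ts, "last_seen": ts})
            rec["connections"] += 1
            rec["host"] = m.group("host")              # last reverse DNS result seen
            rec["verified"] = m.group("verified") == "yes"
            rec["last_seen"] = ts
            continue
        m = VERDICT_RE.search(line)
        if m and m.group("icid") in icid_to_ip:       # HAT verdict and Sender Group for the ICID
            rec = senders[icid_to_ip[m.group("icid")]]
            rec["verdicts"].add(m.group("verdict"))
            rec["sender_groups"].add(m.group("sg"))
            continue
        m = FROM_RE.search(line)
        if m and m.group("icid") in icid_to_ip:       # envelope sender of each message on the ICID
            rec = senders[icid_to_ip[m.group("icid")]]
            rec["messages"] += 1
            rec["from"].add(m.group("addr"))
    return senders


def format_report(senders):
    """One tab-separated line per source IP, internal systems first (the ones to reconfigure)."""
    rows = []
    for ip, r in sorted(senders.items(), key=lambda kv: (not kv[1]["internal"], kv[0])):
        rows.append("%s\t%s\t%s\tconns=%d\tmsgs=%d\tSG=%s\tverdicts=%s\tfrom=%s\t%s..%s" % (
            ip, r["host"], "internal" if r["internal"] else "external",
            r["connections"], r["messages"], ",".join(sorted(r["sender_groups"])),
            ",".join(sorted(r["verdicts"])), ",".join(sorted(r["from"])),
            r["first_seen"], r["last_seen"]))
    return rows


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAIL_LOGS
    print("\n".join(format_report(inventory_senders(text))))
```

Rejected connections (no MID, `msgs=0`) still appear in the report, since a system that is trying to relay and failing also needs its settings changed; the `verdicts` and `SG` columns tell you which HAT Sender Group it landed in. Only the MIDs carry the From address, so a host with `msgs=0` will have an empty `from` column.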