07-12-2021 08:52 AM
Hi Team,
Is it possible for intermittent issues to occur with the SBRS setup in ESA?
07-21-2021 11:18 PM
Hey M.Aswad,
Intermittent issues can occur for SBRS if it's for a new IP we haven't looked up yet and not cached; and there is a delay within DNS to resolve the SBRS score.
SBRS scores are retrieved in the DNS lookup at the time of connection, so delays here can impact the SBRS score verdicts and you can get intermittent "unable to retrieve" results.
If it's happening on ALL connections - then we have an issue there that needs to be looked at.
Thanks,
Mathew
10-04-2021 11:58 PM
Hi Matthew,
Thanks for the explanation of SBRS. However, when checking the SBRS score in the message details, I can see the email hit HAT Overview -> UNKNOWNLIST and the SBRS score shows "unable to retrieve". Do you have any suggestions for further checking on this issue?
Thanks,
Aswad
10-05-2021 03:55 PM
Hey Aswad,
"Unable to retrieve" could be numerous potential issues.
The first thing I would suggest is to make sure SBRS is able to connect to the SenderBase side -> telnet phonehome.senderbase.org 443
If this works, then we can move to the next step.
Depending on version (before 13.x I believe) use repengstatus and make sure it's available; if you're on a later version use talosstatus on the CLI and make sure the IP reputation client is updated.
If either is not updated: repengupdate force or talosupdate force
After which do a grep "SBRS" -t mail_logs and see if it improves or results are working now.
If it's still failing after these checks, I would encourage you to open a TAC case for deep-rooted troubleshooting.
Thanks,
Mathew
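Added example, not part of the thread and not Cisco tooling: a Python sketch that reads saved mail_logs lines and separates the intermittent "unable to retrieve" case from the all-connections case described in the replies above. The log line layout, the function names and the sample lines are constructed assumptions; adjust the pattern to match your own mail_logs output.

```python
import re

# Assumed mail_logs line shape (constructed for this example; verify against your logs):
#   <timestamp> Info: ICID <n> ACCEPT SG <sender group> match <rule> SBRS <score or text>
LINE = re.compile(r"ICID (\d+) \w+ SG (\S+) match \S+ SBRS (.+?)(?: country .*)?$")

def parse(line):
    """Return (icid, sender_group, score); score is None when no numeric SBRS was logged."""
    m = LINE.search(line.strip())
    if not m:
        return None  # not a sender-group verdict line
    icid, group, raw = m.groups()
    try:
        return int(icid), group, float(raw)
    except ValueError:  # e.g. "unable to retrieve"
        return int(icid), group, None

def summarize(lines):
    """Count connections with and without a score and classify the failure pattern."""
    total, failed_icids, failed_groups = 0, [], {}
    for icid, group, score in filter(None, map(parse, lines)):
        total += 1
        if score is None:
            failed_icids.append(icid)
            failed_groups[group] = failed_groups.get(group, 0) + 1
    if total == 0:
        verdict = "no-data"
    elif not failed_icids:
        verdict = "ok"
    elif len(failed_icids) == total:
        verdict = "all-failing"   # every lookup fails: check connectivity and engine status
    else:
        verdict = "intermittent"  # some lookups fail: consistent with uncached IPs or DNS delay
    return {"total": total, "failed": len(failed_icids), "verdict": verdict,
            "failed_icids": failed_icids, "failed_groups": failed_groups}

# Constructed sample lines (documentation IP ranges, invented ICIDs).
SAMPLE = [
    "Tue Oct  5 15:55:01 2021 Info: New SMTP ICID 1001 interface Data1 (192.0.2.10) address 198.51.100.7",
    "Tue Oct  5 15:55:01 2021 Info: ICID 1001 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS unable to retrieve",
    "Tue Oct  5 15:55:09 2021 Info: ICID 1002 ACCEPT SG ACCEPTLIST match sbrs[-1.0:10.0] SBRS 3.5 country United States",
    "Tue Oct  5 15:56:12 2021 Info: ICID 1003 ACCEPT SG SUSPECTLIST match sbrs[-3.0:-1.0] SBRS -2.1",
    "Tue Oct  5 15:57:40 2021 Info: ICID 1004 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS unable to retrieve",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run it before and after the update commands mentioned above, on the same kind of log extract, to see whether the share of connections without a score changes.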
10-07-2021 09:11 AM
Hi Mathew,
Noted your advice to check before opening a TAC case. I want to verify that "phonehome.senderbase.org" is not hosted by Cisco, right?
Currently, we only allow the URLs listed on this page: https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-5-1/user_guide/b_ESA_Admin_Guide_13-5-1/b_ESA_Admin_Guide_12_1_appendix_0101111.html#Cisco_Concept.dita_4423beca-f7e2-41ed-9123-4a9c838bb754 and it seems that "phonehome.senderbase.org" is not included.
Thanks
Aswad
10-07-2021 01:05 PM
10-07-2021 11:56 PM
Hi Ken Stieers,
May I know if this PDF, https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_11_1_appendix_0101111.pdf, is the correct one for phonehome.senderbase.org? I cannot proceed with this solution if there is no KB from Cisco.
Currently, we do not allow this URL.
Thanks,
Aswad
10-08-2021 06:10 AM
I just checked the doc.
Page 3 in that doc, third entry on that page... phonehome.senderbase.org is listed.