Re: Content Filter ignores expanded URLs

aj4 · ‎06-02-2023

Hi,

unfortunately I couldn't find a solution to this, so hopefully you are able to help

In our ESA cluster (AsyncOS 14.2.2-004) we use dictionaries to quarantine mails e.g. by links contained in body or attachments.
The filter is a simple body-dictionary-match.

Recently we receive mails with links to bit.ly (which is not filtered), that are expanded by ESA to a URL that is in a dictionary.
Is there a way to also have these expanded URLs examined by the Content Filter?

(this is from message details, ohrmf.app.link would normally get filtered out)

Thanks in advance,
Amélie

Udupi Krishna. · ‎07-02-2023

URL filtering's capability to expand a shorted URL is to verify the actual's reputation or category and take actions. But it doesn't re-write the email with the expanded URL.

When a different content filter with body scanning condition looks at the email, it can only see "bit.ly" but not the expanded URL. It's behaving as expected at the moment, but I do understand your ask.

Feel free to talk to TAC and see if there are any options that can be explored here though I feel there aren't many (may be an enhancement if nothing works out)

Ken Stieers · ‎07-02-2023

I concur on the enhancement request.
Easist enhancement would be a checkbox to rewrite expanded urls as their expanded version...

tulibsalim · ‎07-04-2023

firstly, clear the caches on your web browser and flush the DNS cache on your computer. cached data or outdates DNS records can sometimes causes issues with urls expansions. after clearing the caches and try accessing the urls again to see if the content filter recognizes them correctly. Regards.

Content Filter ignores expanded URLs

FTD URL Filtering - How it works?

The FirePOWER URL filter

Configure and Verify URL Filtering

Cisco Secure Access : Application Group Filter について

Expanding Automation with FlexPod XCS