06-02-2014 02:22 AM
Dear friend.
I have a problem with the Content Filter when configuring the Cisco Security Virtual Appliance.
You can see my rule in the attached picture.
But when I sent an email with the subject "RE: Nh? m? case l?i k?t n?i t? KH qua firewall Checkpoint", it was blocked by the Content Filter "DenySubject".
I'm sure that my Dictionary doesn't contain any word from this Subject.
Capture 3 is captured in Policy Quarantine.
Please help me to solve it asap.
Thanks so much.
Vinh Phan
06-10-2014 08:35 PM
It is not an issue with the virtual ESA. Using my vESA, I get the same results, using your "denysubject.txt" for custom dictionary...
Tue Jun 10 22:53:37 2014 Info: ICID 96 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS rfc1918
Tue Jun 10 22:53:37 2014 Info: Start MID 58 ICID 96
Tue Jun 10 22:53:37 2014 Info: MID 58 ICID 96 From: <robsherw.cisco@gmail.com>
Tue Jun 10 22:53:37 2014 Info: MID 58 ICID 96 RID 0 To: <robsherw@cisco.com>
Tue Jun 10 22:53:37 2014 Info: MID 58 Message-ID '<756BCAF2-2883-416D-BBA2-D0997B70E8F3@gmail.com>'
Tue Jun 10 22:53:37 2014 Info: MID 58 Subject 'RE: Nh? m? case l?i k?t n?i t? KH qua firewall Checkpoint'
Tue Jun 10 22:53:37 2014 Info: MID 58 ready 7764 bytes from <robsherw.cisco@gmail.com>
Tue Jun 10 22:53:37 2014 Info: MID 58 matched all recipients for per-recipient policy mygmail_inbound in the inbound table
Tue Jun 10 22:53:37 2014 Info: MID 58 quarantined to "Policy" (content filter:DenySubject)
Tue Jun 10 22:54:36 2014 Info: ICID 96 close
Reviewing the contents --- one line is the culprit:
[NuocVIET], 1
Remove that one entry, and the dictionary works.
Tue Jun 10 23:34:19 2014 Info: New SMTP ICID 117 interface Management (172.16.6.165) address 172.16.6.1 reverse dns host unknown verified no
Tue Jun 10 23:34:19 2014 Info: ICID 117 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS rfc1918
Tue Jun 10 23:34:19 2014 Info: Start MID 91 ICID 117
Tue Jun 10 23:34:19 2014 Info: MID 91 ICID 117 From: <robsherw.cisco@gmail.com>
Tue Jun 10 23:34:19 2014 Info: MID 91 ICID 117 RID 0 To: <robsherw@cisco.com>
Tue Jun 10 23:34:19 2014 Info: MID 91 Message-ID '<FE336542-50F7-433B-98AD-AF238F7FFF02@gmail.com>'
Tue Jun 10 23:34:19 2014 Info: MID 91 Subject 'RE: Nh? m? case l?i k?t n?i t? KH qua firewall Checkpoint'
Tue Jun 10 23:34:19 2014 Info: MID 91 ready 4505 bytes from <robsherw.cisco@gmail.com>
Tue Jun 10 23:34:19 2014 Info: MID 91 matched all recipients for per-recipient policy mygmail_inbound in the inbound table
Tue Jun 10 23:34:19 2014 Info: MID 91 queued for delivery
Tue Jun 10 23:34:19 2014 Info: New SMTP DCID 39 interface 172.16.6.165 address 173.37.93.161 port 25
Tue Jun 10 23:34:19 2014 Info: DCID 39 TLS success protocol TLSv1 cipher RC4-SHA
Tue Jun 10 23:34:20 2014 Info: Delivery start DCID 39 MID 91 to RID [0]
Tue Jun 10 23:34:20 2014 Info: Message done DCID 39 MID 91 to RID [0]
Tue Jun 10 23:34:20 2014 Info: MID 91 RID [0] Response '2.0.0 s5B3YLna030140 Message accepted for delivery'
Tue Jun 10 23:34:20 2014 Info: Message finished MID 91 done
Tue Jun 10 23:34:25 2014 Info: DCID 39 close
I hope this helps!
-Robert
(*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)
06-10-2014 09:11 PM
Dear Robert.
Thanks for your answer.
But I want to know why it's blocked.
As you see, all words in the subject don't match [NuocVIET] in the Dictionary.
And how can you know [NuocViet] is the cause of this issue?
Vinh Phan
06-11-2014 11:46 AM
The dictionary is treating it as a general Python list expression. You can also \\ comment it out so the [ is read literally...
\\[NuocVIET\\], 1
-Robert
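The behaviour discussed in this thread can be reproduced offline. This is an added example, not code from the thread or from Cisco; it assumes a dictionary term is evaluated as a Python-style regular expression, where `[...]` is a character class that matches any single listed character. The dictionary text, the `confidential` entry and the function names are constructed for illustration.

```python
import re

# Constructed sample: the subject as it appears in the mail logs above, and a
# dictionary in the "term, weight" layout of the entry quoted in the thread.
SUBJECT = "RE: Nh? m? case l?i k?t n?i t? KH qua firewall Checkpoint"
DICTIONARY = """\
confidential, 1
[NuocVIET], 1
"""

def parse_entries(text):
    """Yield (term, weight) tuples from 'term, weight' lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        term, _, weight = line.rpartition(",")
        yield term.strip(), int(weight)

def overbroad_terms(dictionary_text, sample):
    """Find terms that hit `sample` as a regex although the literal text is absent.

    Returns (term, matched_text, escaped_term) tuples; escaped_term is the
    pattern that matches the term only as literal text.
    """
    findings = []
    for term, _weight in parse_entries(dictionary_text):
        try:
            hit = re.search(term, sample)
        except re.error:
            continue  # not a valid pattern; nothing to compare
        if hit and term not in sample:
            findings.append((term, hit.group(0), re.escape(term)))
    return findings

if __name__ == "__main__":
    for term, matched, escaped in overbroad_terms(DICTIONARY, SUBJECT):
        print(f"{term!r} matched {matched!r}; literal form: {escaped!r}")
```

Read as a character class, the entry fires on the single letter `E` in `RE:`, so almost any subject line would be quarantined; the escaped form only matches the bracketed tag itself.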