ESA how to add incoming content filters using the CLI

alexis2018
Level 1

Hello,

 

I'm getting a lot (30 per day) of tickets asking me to add conditions to an already existing filter. I would like to speed things up using the CLI instead of the Web interface.

So the command should do the following:

1. From an ESA device I must choose the "cluster mode"

2. "Mail Policies"

3. "Incoming Content Filters"

4. Then choose the "Filter Name"

5. "Add Condition"

6. "Envelope Sender Contains @yahoo.com or name@yahoo.com or Envelope Sender "Equals" john@yahoo.com"

7. Add 1 of those conditions

8. Then Apply those conditions

8. Commit Changes

9. The Action is to Drop

10. Then writing a Comment referencing a ticket number.

 

This will be much appreciated 

 

alexis

 

 

Accepted Solutions

Hello Alexis,

For that circumstance, perhaps a message filter option might be better than using content filters.
Content filters will just require you to follow prompts but the regex for this should be when the content filter prompt asks:
@yahoo\\.com

Otherwise if you're using message filter, you can edit the filter via a text editor and just paste it into the command.

CLI > filters > new
Here you paste the entire filter syntax (as you cannot edit, you edit your filter on your text editor, delete the old and put in the new) - the below will only apply for emails coming inbound to your ESA, i.e. not matching RELAYLIST (assuming you have relaylist as your outbound flow). Message filters apply to both directions of email unless specified on the filter.

Drop_Yahoo_sender:
if (sendergroup != "RELAYLIST")
{
    if (mail-from == "(?i)@yahoo\\.com")
    {
        drop();
    }
}
.

Then when you want to add more senders...
Drop_senders:
if (sendergroup != "RELAYLIST")
{
    if (mail-from == "(?i)@(yahoo\\.com|gmail\\.com|cisco\\.com|helpus\\.org|sidemail\\.net)")
    {
        drop();
    }
}
.


Regards,
Matthew
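
An added example, not part of the posts above and not Cisco code: a small generator that rebuilds the message filter text from a list of sender domains in the layout shown in the answer, so a new ticket means editing a list rather than hand-editing the regex. The function names, the name and domain validation rules, and the optional trailing `$` anchor are assumptions of this example; the match check uses Python's `re` as an approximation of the appliance.

```python
import re

DOMAIN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")  # conservative check chosen for this example
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")        # assumption: keep filter names this simple

def sender_pattern(domains, anchor=True):
    """Regex (single backslashes) matching envelope senders at any listed domain."""
    cleaned = sorted({d.strip().lower().lstrip("@") for d in domains if d.strip()})
    if not cleaned:
        raise ValueError("no domains given")
    for d in cleaned:
        if not DOMAIN_RE.fullmatch(d):  # refuse anything that would change the regex
            raise ValueError(f"not a plain domain: {d!r}")
    alternation = "|".join(d.replace(".", r"\.") for d in cleaned)
    # "$" is this example's addition: without it yahoo.com also matches yahoo.com.example.net
    return f"(?i)@({alternation})" + ("$" if anchor else "")

def build_filter(name, domains, anchor=True):
    """Message filter text in the layout shown in the answer, ready to paste."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"unexpected filter name: {name!r}")
    # The filter text writes each regex backslash twice, as in the answer.
    quoted = sender_pattern(domains, anchor).replace("\\", "\\\\")
    return "\n".join([
        f"{name}:",
        'if (sendergroup != "RELAYLIST")',
        "{",
        f'    if (mail-from == "{quoted}")',
        "    {",
        "        drop();",
        "    }",
        "}",
        ".",
    ])

def would_drop(domains, sender, anchor=True):
    """Approximate the match with Python's re (assumption: same result on the appliance)."""
    return re.search(sender_pattern(domains, anchor), sender) is not None

if __name__ == "__main__":
    blocked = ["yahoo.com", "@Gmail.com", "sidemail.net"]  # constructed sample list
    print(build_filter("Drop_senders", blocked))
    # Columns: sender, unanchored result, anchored result
    for s in ["john@yahoo.com", "ann@yahoo.com.example.net", "bob@notyahoo.org"]:
        print(s, would_drop(blocked, s, anchor=False), would_drop(blocked, s))
```

Running the generated filter against a few known-good senders before pasting it shows whether a drop rule would catch mail it should not.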


3 Replies

Mathew Huynh
Cisco Employee

Hello Alexis,


It is from my experience that adding it via the GUI is generally quicker than CLI for content filters.

But essentially the output would be something like...

 

CLI > "policyconfig"

choose incoming or outgoing...

type "filters"

This shows you the list, you need to edit an existing filter by locating the number assigned to the associated filter.

Then add a condition (you must use regex to define if it's contains, equals, not equals, ends with etc), there's no option to select otherwise.

After which you will see the condition and if you're happy you need to press enter when you're happy with the filter.

Press enter once more and then commit.

 

(If you need to activate this filter on specific policies, then you need to edit at the policyconfig level again) and it gets a bit more complex than the GUI.

 

Another option you can consider is: if your content filter is not complex on syntax and you just need to add for example senders to an envelope sender condition to drop, you could use a dictionary instead - where you will only need to add new terms to this dictionary without having to edit your content filter.

 

Otherwise the option of a message filter could be better suited (only configurable in the CLI) if you know the syntax and regex. Message filters are not editable; you need to delete and remake the filter if there are any new additions.

 

Regards,

matthew 

OK... so for such a repetitive task that I do every day I would very much like to use the CLI.

I'm very bad at REGEX and this is why I'm posting here. How does one accomplish the following:

block all "Envelope Senders" that contain "@yahoo.com" then DROP

 

 
