How To Add/Edit Content filters on C160 ESA

Dave Gimbert
Level 1

We have an outgoing content filter which uses the internal *credit rule on attachment-content to block sending out credit card details.

We get a lot of false positives and want to improve the rule.

I am struggling to fathom out how to modify the rules. I have downloaded the AsyncOS 8.5.6 ref manual and from the best I can determine I need to add a filter rule using the CLI.

When I enter the CLI through telnet, and enter filters, I only have options for new and import.  The existing filters that I see in the GUI do not appear.  I tried creating a new one through the CLI using the examples given in the manual (in this test case, the postmaster copy), and committed the change, but was unable to see the new filter anywhere in the GUI to allow me to manipulate it.

Am I misunderstanding what GUI Content-Filters and CLI filters are?

If I expand the outgoing filter for our credit cards and represent the rule I see

Block_outgoing_credit_cards:
if (attachment-contains("*credit", 1)) {
    notify-copy ("$EnvelopeSender", "$Subject", "", "Credit_Card");
    notify-copy ("someone@somewhere.com", "$Subject", "", "Credit_Card");
    quarantine("Credit_Debit_Cards");
}

This looks like the type of thing the CLI references should be. But there appears to be no way to edit this line in the GUI without clicking on the filter name, which only gives me add conditions and add actions, which appears to be limited.

I want to add to this rule a case where, if the attachment also contains the word IBAN, then let it through (so I guess an IF (attachment-contains("*credit",1) AND NOT attachment-contains("IBAN",1)) { notify copy; quarantine....})

However, I think from reading the manual that I cannot use an internal class like *credit and join it with another free text type, but that is a separate issue. How do I edit any existing rules anyway?

Appreciate any pointers.

Regards

Jason

 


michael.hesse
Level 1

Hi Jason,

 

The ESA has two different sorts of filters: message filters and content filters.

The message filters are placed at the beginning of the work queue, and the only way to configure them is in the CLI. Message filters also work on the whole mail message, so any action you do with a message filter affects the mail message and all recipients.

 

Content filters work a bit later in the queue, are bound to incoming or outgoing mail policies, and are editable through the WUI and the CLI. In contrast to message filters, content filters work on a per-recipient basis, so a mail with more than one recipient may trigger a content filter for one recipient but not for the second.

To create and edit these filters in the CLI, you have to issue the "editpolicy" command first, then decide in which direction your policy and filters should work, and then you can access the "filters" (these are the content filters!) sublevel.

Hope this helps a bit.

 

Regards

Michael

P.S. The message filters are described in chapter 9 of the user guide, content filters in chapter 11.

I recommend also reading chapter 4 (Understanding the email pipeline).