Migrating Blacklisted IPs from Forcepoint Email Gateway to Cloud ESA

Hello,

We are in the process of migrating from Forcepoint Email Gateway to Cloud ESA. Forcepoint has a blacklist which contains around 12200 IP addresses, which can be exported. When we move to the Cloud ESA we are planning to quarantine these emails for forensic purposes. I believe the option here is to use either a content filter or a message filter. The HAT option is not applicable since the requirement is to quarantine the email. In the Cloud ESA is there any option to upload them in bulk? Adding them one by one will be a real pain.

Thanks


Probably the easiest would be a dictionary with a content filter that checks the "Received" header (use Other Header) for a match in that list.
Depending upon where else you keep those IPs, Threat Intelligence system that has STIX/TAXII or as a DNS block list, you could use the HAT to consume those sources, and then a message filter that checks the sender group and quarantines the mail.

Hi Ken,

Thanks a lot for your response. In the dictionary, is it possible to add IP addresses?

If it does, then I will add the entries to the dictionary and then create a content filter with the "other header" condition, select the header "Received", and point it to the dictionary I created, right?


Thanks


Yes... the dictionary is just "text", so it will take whatever...
But I just had a thought... it might try to treat them as regex... if so, you'd have to escape all of the periods with a \
Ex. 192\.168\.1\.1
Not hard, just a find and replace... I'd do a few, and create a dummy content filter that just logs something so you can see how it goes...
You should have access to an implementation team as you migrate in, you might double check with them if they can clarify if/when the content filter engine decides something is a regex.
Ken
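To make Ken's "escape all of the periods" suggestion concrete, here is an added example script (not from the thread or from Cisco) that turns an exported blacklist into dictionary terms. It assumes the export is one address per line and that the dictionary is imported as one term per line, and it escapes with `re.escape` rather than a plain find-and-replace so IPv6 entries and stray metacharacters are handled too. The sample export, the `Received` headers and the `bounded` lookaround option are all constructed for the example; whether the ESA content-filter engine honours lookarounds is an assumption to verify with the dummy logging filter Ken describes.

```python
import ipaddress
import re

# Constructed sample of an exported blacklist (RFC 5737 / RFC 3849 documentation
# addresses, not real indicators): one address per line, with a comment, a blank
# line, a duplicate and a junk entry mixed in to exercise the validation.
SAMPLE_EXPORT = """\
# exported from legacy gateway
192.0.2.10
198.51.100.7

203.0.113.200
192.0.2.10
not-an-ip
2001:db8::25
"""


def parse_export(text):
    """Return the unique, syntactically valid IP addresses from the export, in order."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            addr = str(ipaddress.ip_address(line))
        except ValueError:
            continue  # not an IP: drop it rather than import a term that never matches
        if addr not in out:
            out.append(addr)
    return out


def escape_ip(addr, bounded=False):
    """Turn one address into a dictionary term that matches only that literal address.

    re.escape backslash-escapes the periods (and any other regex metacharacter), so
    "192.0.2.10" becomes r"192\\.0\\.2\\.10" and no longer matches "192x0x2x10".
    bounded=True wraps the term in lookarounds so that 192.0.2.10 does not also hit
    192.0.2.100 inside a header; lookaround support in the ESA engine is an assumption.
    """
    term = re.escape(addr)
    if bounded:
        term = r"(?<![0-9A-Fa-f:.])" + term + r"(?![0-9A-Fa-f:.])"
    return term


def build_dictionary_terms(text, bounded=False):
    """One escaped term per exported address, ready to write out one per line."""
    return [escape_ip(a, bounded) for a in parse_export(text)]


def header_matches(term, received_header):
    """Emulate an unanchored regex match of a dictionary term against a Received header,
    which is what a content filter checking that header against the dictionary would do."""
    return re.search(term, received_header) is not None


if __name__ == "__main__":
    for term in build_dictionary_terms(SAMPLE_EXPORT):
        print(term)
```

Run it and redirect the output to a file to get the import list; `header_matches` is there so you can check a handful of real `Received` lines against the escaped and unescaped forms before touching the production filter, which is the same "dummy content filter that just logs" check, done offline.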


Hi Ken,

Actually, the customer later decided to use only the IPs added in the last few months, which is around 200 IPs. But they need to block emails coming from these IPs and emails going to these IPs. In the incoming content filter I saw an option called "Remote-IP" which I am planning to use for incoming emails. For outgoing emails I cannot use the "Remote-IP" option, since the description says "Was the message sent from a remote host that matches a specified IP address or Hostname?". What would be the best option here?

Thanks


The reason I didn't mention Remote IP, is that from the GUI, you have to enter each one, one at a time. With a dictionary you can import a list.
For outbound the problem becomes that by the time the sending engine has the mail to send (and therefore get the IP from DNS), the mail is out of the work queue where you could do anything about it...