vESA URL Filtering

pwe
Level 1

Hello,

 

I just configured URL Filtering according to this guide

 

I created a rule like this:

Condition:

url-reputation(-10.00, -6.00 , "Whitelist_Bad_URLs", 1, 1)

Actions:

log-entry("<===> BAD URL! <===>")
notify("$EnvelopeRecipients", "Mail was quarantined due to policy", "", "GeneralNotification")
quarantine("URL Filter")

 

But in my Log Files, there is only this:

 

...

12 Jul 2018 09:10:20 (GMT +02:00)     Message 348144 scanned by Anti-Virus engine. Final verdict: Negative
12 Jul 2018 09:10:20 (GMT +02:00)     Message 348144 contains attachment 'IMG-20180629-WA0006.jpg'.
12 Jul 2018 09:10:20 (GMT +02:00)     Message 348144 Custom Log Entry: <===> BAD URL! <===>
12 Jul 2018 09:10:20 (GMT +02:00)     Start message 348146 on incoming connection (ICID 0).
12 Jul 2018 09:10:20 (GMT +02:00)     A new message 348146 was generated based on message 348144 by notify filter URL-Link-Filter

...

 

On the top of the block "Processing Details" I have a tab with URL Details. There I can find the information. It looks different than the instructions. As a result, my HelpDesk users can't see the tab with the information of which URL is bad.

 

 

kind regards

Phil

Accepted Solution

Thanks, Phil.

In that case, I recommend you open a TAC case and file a feature request.

If you find any documentation stating the HelpDesk role should be able to
get the info about the bad URL, then it is a matter to open a TAC case and
report that as a bug.

Hope you can get to the bottom of this soon.

Cheers.


3 Replies

suporte2r
Level 1

Phil,

 

I recommend you always add info like:

- version of AsyncOS you are running

- expected behavior versus the behavior you got

 

The line that shows a new MID with ICID 0 is the message that your Cisco ESA created to do the Notification action in your filter. If you grep the MID or use findevent in the CLI you will get more information.

 

Question...did you enable logging URL info? Check image attached OutbreakURLLogging.PNG

 

I am not entirely sure I understand what you are missing... perhaps you can clarify and we will be happy to assist further.

 

Regards,

-Valter
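To follow the advice above of grepping the MID, here is an added Python example (not from this thread and not Cisco's own tooling) that parses the mail_logs excerpt quoted in the question and walks a notification MID back to the original message that fired the filter. The log lines are the ones quoted above, embedded as a constructed sample; the regular expressions are assumptions about the log line format, not a documented Cisco grammar.

```python
import re
from collections import defaultdict

# Constructed sample: the mail_logs lines quoted in the question above.
SAMPLE_LOG = """\
12 Jul 2018 09:10:20 (GMT +02:00)     Message 348144 scanned by Anti-Virus engine. Final verdict: Negative
12 Jul 2018 09:10:20 (GMT +02:00)     Message 348144 contains attachment 'IMG-20180629-WA0006.jpg'.
12 Jul 2018 09:10:20 (GMT +02:00)     Message 348144 Custom Log Entry: <===> BAD URL! <===>
12 Jul 2018 09:10:20 (GMT +02:00)     Start message 348146 on incoming connection (ICID 0).
12 Jul 2018 09:10:20 (GMT +02:00)     A new message 348146 was generated based on message 348144 by notify filter URL-Link-Filter
"""

# Assumed line layout: "<timestamp> (GMT +hh:mm)   <event text>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2} \(GMT [+-]\d{2}:\d{2}\))\s+(?P<msg>.*)$")
MID_RE = re.compile(r"\b(?:Message|message) (\d+)\b")
GENERATED_RE = re.compile(
    r"A new message (\d+) was generated based on message (\d+) by notify filter (\S+)")
CUSTOM_RE = re.compile(r"Message (\d+) Custom Log Entry: (.*)$")


def parse_mail_log(text):
    """Group event text by MID; record notify-generated child MIDs and custom log entries."""
    events = defaultdict(list)   # MID -> [event text, ...]
    generated = {}               # child MID -> (parent MID, filter name)
    custom = defaultdict(list)   # MID -> [custom log entry, ...]
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        g = GENERATED_RE.search(msg)
        if g:
            child, parent, flt = g.groups()
            generated[child] = (parent, flt)
        c = CUSTOM_RE.search(msg)
        if c:
            custom[c.group(1)].append(c.group(2))
        for mid in MID_RE.findall(msg):   # a line may name two MIDs (child and parent)
            events[mid].append(msg)
    return events, generated, custom


def findevent(text, mid):
    """Like grepping a MID: follow a notification MID back to the message it was based on."""
    events, generated, custom = parse_mail_log(text)
    chain = [mid]
    while chain[-1] in generated:          # ICID 0 notification -> originating message
        chain.append(generated[chain[-1]][0])
    return {"chain": chain,
            "filters": [generated[m][1] for m in chain if m in generated],
            "custom_entries": [e for m in chain for e in custom.get(m, [])],
            "events": {m: events[m] for m in chain}}
```

Running findevent on the ICID 0 message 348146 returns the chain back to 348144 together with its custom log entry, which is what a helpdesk user would need to see to know which message the notification belongs to.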

 

 

Hello,

 

thanks for the reply.

 

I'm running ESA Version 11.1.0-131 and SMA Version 11.5.0-110 with centralized logging and policies.

 

At the moment I can see the following:

esa_URL01.png

 

esa_URL02.png

 

In the best practices guide, it looks like the content of the second tab (URL Details) should be in the first tab (Summary).

The real issue is that the HelpDesk role can't see the URL classified as bad. They can only see the tab "Summary".

 

Yes, I checked the config and URL Logging is enabled.

 

 

kind regards

Phil

 

 
