
Viewing message filters "raw"

T Mac
Level 1

I'm new to Ironport and AsyncOS. Is it possible to view and perhaps edit a message filter in its entirety, that shows very clearly how the filter is constructed?

That is, I want to see something that looks like the actual code that the filter is using, not the "logical representation" of it that is all I've found in the CLI so far. I want to see the sequence of ANDs, ORs, ==, regexes and so on.

Our two appliances are clustered, so if there are some commands that I need to issue to ensure I see the cluster configuration, please specify those as well.

1 Accepted Solution


Robert Sherwin
Cisco Employee

Keep in mind - that message filters are CLI only.

Please see the Advanced Guide, there is an in-detail section for message filters provided.

http://www.cisco.com/en/US/products/ps10154/products_user_guide_list.html

Content filters from the web GUI can show you the context you may be looking for.

Mail Policies -> Incoming Content Filters

Mail Policies -> Outgoing Content Filters

Content filters overview can be located in the Email Configuration Guide.

From the content filter, adding a new filter - you will be able to choose and select the conditions and actions.  As you create them, based on the criteria you select, it will give you a good feel for "contains", "equals", "does not contain", "does not equal".

As for the cluster configuration.  For message filters, you can view how these are set from running 'Filters', and then:

- CLUSTERSET - Set how filters are configured in a cluster.

- CLUSTERSHOW - Display how filters are configured in a cluster.

'CLUSTERSHOW' will give you the best view as to if the filters apply to machine only, or cluster:

Ex.:

filters Settings
================
Configured at mode:
Cluster: Yes
Group Main_Group: No
Machine esa_a: No
Machine esa_b: No

Here you can see that the filters will be presented to both appliances, esa_a and esa_b.  So - any/all filters can be written/deleted from one appliance, and automatically carry over to the second.

Content filters will be shared across the cluster as well - unless you choose to override and write these at the machine level.  You should be seeing where you are when visiting the content filters through the web GUI - as it will present the current centralized managed settings.

Other aids for you - if you haven't visited already, our External KB:

https://ironport.custhelp.com/app/answers/detail/a_id/24

Hope this aids in your question(s)!

Regards,

Robert

Content Security Technical Services - RTP, NC

Cisco Customer Interaction: 1-800-553-2447 / Outside US
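
Added example, not part of the original post and not Cisco code: a Python parser for the CLUSTERSHOW output quoted above that flags group- or machine-level filter overrides, which would let one appliance run a different filter set from the rest of the cluster. The function names, the `consistent` definition and the second sample are assumptions made for illustration; it assumes the `Level name: Yes/No` layout shown in the post.

```python
import re

# Output as quoted in the post: filters configured at cluster level only.
PAGE_SAMPLE = """\
filters Settings
================
Configured at mode:
Cluster: Yes
Group Main_Group: No
Machine esa_a: No
Machine esa_b: No
"""

# Constructed sample: esa_b carries its own machine-level filter set.
OVERRIDE_SAMPLE = PAGE_SAMPLE.replace("Machine esa_b: No", "Machine esa_b: Yes")

# Matches "Cluster: Yes", "Group <name>: No", "Machine <name>: Yes".
LINE_RE = re.compile(
    r"^\s*(Cluster|Group|Machine)(?:\s+(.+?))?\s*:\s*(Yes|No)\s*$", re.I
)


def parse_clustershow(text):
    """Return [(level, name, configured)] in the order the CLI printed them."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            level, name, flag = m.groups()
            rows.append((level.capitalize(), name or "", flag.lower() == "yes"))
    return rows


def audit(text):
    """Summarise where filters are configured and list non-cluster overrides."""
    rows = parse_clustershow(text)
    if not rows:
        raise ValueError("no 'Configured at mode' entries found")
    cluster = any(lvl == "Cluster" and on for lvl, _, on in rows)
    overrides = [f"{lvl} {name}" for lvl, name, on in rows
                 if lvl != "Cluster" and on]
    # Assumption: "consistent" means cluster-level config with no overrides.
    return {"cluster_level": cluster, "overrides": overrides,
            "consistent": cluster and not overrides}


if __name__ == "__main__":
    print(audit(PAGE_SAMPLE))
    print(audit(OVERRIDE_SAMPLE))
```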


2 Replies


Thanks Robert, that's really helpful with the links and showing where it hangs together with the cluster config.

I also had another piece of the puzzle filled in by Support, showing that in the CLI, you can create a filter using quite sophisticated syntax there, which is what I couldn't quite figure out.

Choose the operation you want to perform:
- NEW - Create a new filter.
- IMPORT - Import a filter script from a file.
- CLUSTERSET - Set how filters are configured in a cluster.
- CLUSTERSHOW - Display how filters are configured in a cluster.
[]> new

Enter filter script.  Enter '.' on its own line to end.
Redirect_examplehost:
if (remote-ip == "host.example.com") and (rcpt-to == "user@host.local") {
    bcc ("auditmailbox@host.local", "[Example]: $Subject");
    drop();
}

Then obviously from there, creating the content filter to bring in the message filter is straightforward
