07-29-2013 05:06 PM
I'm new to Ironport and AsyncOS. Is it possible to view and perhaps edit a message filter in its entirety, that shows very clearly how the filter is constructed?
That is, I want to see something that looks like the actual code that the filter is using, not the "logical representation" of it that is all I've found in the CLI so far. I want to see the sequence of ANDs, ORs, ==, regexes and so on.
Our two appliances are clustered, so if there are some commands that I need to issue to ensure I see the cluster configuration, please specify those as well.
Solved! Go to Solution.
07-30-2013 08:16 PM
Keep in mind - that message filters are CLI only.
Please see the Advanced Guide, there is an in-detail section for message filters provided.
http://www.cisco.com/en/US/products/ps10154/products_user_guide_list.html
Content filters from the web GUI can show you the context you may be looking for.
Mail Policies -> Incoming Content Filters
Mail Policies -> Outgoing Content Filters
Content filters overview can be located in the Email Configuration Guide.
From the content filter, adding a new filter - you will be able to choose and select the conditions and actions. As you create them, based on the criteria you select, it will give you a good feel for "contains", "equals", "does not contain", "does not equal".
As for the cluster configuration. For message filters, you can view how these are set from running 'Filters', and then:
- CLUSTERSET - Set how filters are configured in a cluster.
- CLUSTERSHOW - Display how filters are configured in a cluster.
'CLUSTERSHOW' will give you the best view as to if the filters apply to machine only, or cluster:
Ex.:
filters Settings
================
Configured at mode:
Cluster: Yes
Group Main_Group: No
Machine esa_a: No
Machine esa_b: No
Here you can see that the filters will be presented to both appliances, esa_a and esa_b. So - any/all filters can be written/deleted from one appliance, and automatically carry over to the second.
Content filters will be shared across the cluster as well - unless you choose to override and write these at the machine level. You should be seeing where you are when visiting the content filters through the web GUI - as it will present the current centralized managed settings.
Other aids for you - if you haven't visited already, our External KB:
https://ironport.custhelp.com/app/answers/detail/a_id/24
Hope this aids in your question(s)!
Regards,
Robert
Content Security Technical Services - RTP, NC
Cisco Customer Interaction: 1-800-553-2447 / Outside US
07-30-2013 08:16 PM
Keep in mind - that message filters are CLI only.
Please see the Advanced Guide, there is an in-detail section for message filters provided.
http://www.cisco.com/en/US/products/ps10154/products_user_guide_list.html
Content filters from the web GUI can show you the context you may be looking for.
Mail Policies -> Incoming Content Filters
Mail Policies -> Outgoing Content Filters
Content filters overview can be located in the Email Configuration Guide.
From the content filter, adding a new filter - you will be able to choose and select the conditions and actions. As you create them, based on the criteria you select, it will give you a good feel for "contains", "equals", "does not contain", "does not equal".
As for the cluster configuration. For message filters, you can view how these are set from running 'Filters', and then:
- CLUSTERSET - Set how filters are configured in a cluster.
- CLUSTERSHOW - Display how filters are configured in a cluster.
'CLUSTERSHOW' will give you the best view as to if the filters apply to machine only, or cluster:
Ex.:
filters Settings
================
Configured at mode:
Cluster: Yes
Group Main_Group: No
Machine esa_a: No
Machine esa_b: No
Here you can see that the filters will be presented to both appliances, esa_a and esa_b. So - any/all filters can be written/deleted from one appliance, and automatically carry over to the second.
Content filters will be shared across the cluster as well - unless you choose to override and write these at the machine level. You should be seeing where you are when visiting the content filters through the web GUI - as it will present the current centralized managed settings.
Other aids for you - if you haven't visited already, our External KB:
https://ironport.custhelp.com/app/answers/detail/a_id/24
Hope this aids in your question(s)!
Regards,
Robert
Content Security Technical Services - RTP, NC
Cisco Customer Interaction: 1-800-553-2447 / Outside US
07-31-2013 12:43 AM
Thanks Robert, that's really helpful with the links and showing where it hangs together with the cluster config.
I also had another piece of the puzzle filled in by Support, showing that in the CLI, you can create a filter using quite sophisicated syntax there, which is what I couldn't quite figure out.
Choose the operation you want to perform:
- NEW - Create a new filter.
- IMPORT - Import a filter script from a file.
- CLUSTERSET - Set how filters are configured in a cluster.
- CLUSTERSHOW - Display how filters are configured in a cluster.
[]> new
Enter filter script. Enter '.' on its own line to end.
Redirect_examplehost:
if (remote-ip == "host.example.com") and (rcpt-to == "user@host.local){
bcc ("auditmailbox@host.local", "[Example]: $Subject");
drop();
}
Then obviously from there, creating the content filter to bring in the message filter is straightforward
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide