Cisco Secure Email Support Community

sysresuem
Beginner

Why URL Filtering for Shortened URLs is not available in AsyncOS 14.0

Hello,

 

I want to activate URL filtering for shortened URLs on AsyncOS 14.0.

This feature seems not to be available in this version:

https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_010000.html#id_60808

But it was in AsyncOS 13.0: https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-0/user_guide/b_ESA_Admin_Guide_13-0/b_ESA_Admin_Guide_12_1_chapter_010000.html

There is no mention of this modification in the release notes of AsyncOS 14.

Why has this functionality been removed?

Regards

Guillaume

UdupiKrishna
Cisco Employee

Starting from 14.0.X, scanning of shortened URL(s) is enabled by default and the option to enable it explicitly is removed. I don't recollect seeing this change in behaviour documented, but yea it does work (here's a sample mail flow):

 

Wed May 11 05:02:15 2022 Info: MID 1149 ready 3327 bytes from <alex.mercer@gmail.com>
Wed May 11 05:02:15 2022 Info: MID 1149 Custom Log Entry: insert_external_header alex.mercer@gmail.com Alex Mercer <alex.mercer@gmail.com>
Wed May 11 05:02:15 2022 Info: MID 1149 matched all recipients for per-recipient policy User1 policy in the inbound table
Wed May 11 05:02:15 2022 Info: MID 1149 interim verdict using engine: SLBL spam negative
Wed May 11 05:02:15 2022 Info: MID 1149 using engine: SLBL spam negative
Wed May 11 05:02:15 2022 Info: MID 1149 interim AV verdict using Sophos CLEAN
Wed May 11 05:02:15 2022 Info: MID 1149 antivirus negative
Wed May 11 05:02:15 2022 Info: ICID 1929 close
Wed May 11 05:02:16 2022 Info: MID 1149 AMP file reputation verdict : SKIPPED (no attachment in message)
Wed May 11 05:02:16 2022 Info: MID 1149 using engine: SLBL graymail negative
Wed May 11 05:02:17 2022 Info: MID 1149 having URL: https://bit.ly/3Bg19uM has been expanded to https://www.usatoday.com/story/travel/2022/02/10/amtrak-deal-valentines-offer-sale/6741296001/
Wed May 11 05:02:17 2022 Info: MID 1149 having URL: https://bit.ly/amtrak-valentines has been expanded to https://www.usatoday.com/story/travel/2022/02/10/amtrak-deal-valentines-offer-sale/6741296001/
Wed May 11 05:02:19 2022 Info: MID 1149 URL https://bit.ly/3Bg19uM has reputation 6.5 matched Action: URL redirected to Cisco Security proxy
Wed May 11 05:02:19 2022 Info: MID 1149 URL https://www.usatoday.com/story/travel/2022/02/10/amtrak-deal-valentines-offer-sale/6741296001/ has reputation 6.5 matched Action: URL redirected to Cisco Security proxy
Wed May 11 05:02:19 2022 Info: MID 1149 URL https://bit.ly/3Bg19uM has reputation 6.5 matched Action: URL redirected to Cisco Security proxy
Wed May 11 05:02:19 2022 Info: MID 1149 URL https://www.usatoday.com/story/travel/2022/02/10/amtrak-deal-valentines-offer-sale/6741296001/ has reputation 6.5 matched Action: URL redirected to Cisco Security proxy

 

Current Version
===============
Product: Cisco C000V Email Security Virtual Appliance
Model: C000V
Version: 14.0.0-698
Build Date: 2021-06-14
Install Date: 2022-04-07 08:13:36
Serial #: 420B78BA327D4BC979C6-517FA335215F
BIOS: 6.00
CPUs: 1 expected, 1 allocated
Memory: 4096 MB expected, 4096 MB allocated
RAID: NA
RAID Status: Unknown
RAID Type: NA
BMC: NA

I stand corrected, the change was enforced from 13.5 - https://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa13-5-1/ESA_13-5-1_Release_Notes.pdf

 

Shortened URLs Expansion Changes

Prior to this release, you could disable the expansion of shortened URLs using the websecurityadvancedconfig CLI command in your appliance. After you upgrade to this release, all shortened URLs are expanded. There is no option to disable the expansion of shortened URLs.
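
The two log line types in the sample mail flow above (URL expansion and reputation verdict) can be correlated per MID to review how each shortened link and its destination were scored. The following Python is an added example, not part of the original posts; the regular expressions are inferred from the lines shown in the thread, and the sample log is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the mail_logs format shown in the post above
# (MIDs, short links and destination are made up for this example).
SAMPLE_LOG = """\
Wed May 11 05:02:17 2022 Info: MID 2001 having URL: https://short.example/a1 has been expanded to https://news.example.com/story/1
Wed May 11 05:02:17 2022 Info: MID 2001 having URL: https://short.example/b2 has been expanded to https://news.example.com/story/1
Wed May 11 05:02:19 2022 Info: MID 2001 URL https://short.example/a1 has reputation 6.5 matched Action: URL redirected to Cisco Security proxy
Wed May 11 05:02:19 2022 Info: MID 2001 URL https://news.example.com/story/1 has reputation 6.5 matched Action: URL redirected to Cisco Security proxy
Wed May 11 05:02:19 2022 Info: MID 2001 URL https://short.example/a1 has reputation 6.5 matched Action: URL redirected to Cisco Security proxy
Wed May 11 05:02:20 2022 Info: MID 2002 antivirus negative
"""

EXPANDED = re.compile(r"MID (\d+) having URL: (\S+) has been expanded to (\S+)")
VERDICT = re.compile(r"MID (\d+) URL (\S+) has reputation (-?[\d.]+) matched Action: (.+?)\s*$")

def correlate(log_text):
    """Return {mid: [record, ...]}, one record per shortened URL seen in that message."""
    expansions = defaultdict(dict)   # mid -> {short_url: expanded_url}
    verdicts = defaultdict(dict)     # mid -> {url: (score, action)}
    for line in log_text.splitlines():
        if m := EXPANDED.search(line):
            expansions[int(m[1])][m[2]] = m[3]
        elif m := VERDICT.search(line):
            # The log repeats verdict lines; keeping the last one dedupes them.
            verdicts[int(m[1])][m[2]] = (float(m[3]), m[4])
    report = {}
    for mid, pairs in expansions.items():
        report[mid] = [
            {
                "short": short,
                "expanded": full,
                # None means no reputation line was logged for that URL.
                "short_verdict": verdicts[mid].get(short),
                "expanded_verdict": verdicts[mid].get(full),
            }
            for short, full in pairs.items()
        ]
    return report

if __name__ == "__main__":
    for mid, records in correlate(SAMPLE_LOG).items():
        for r in records:
            print(mid, r["short"], "->", r["expanded"], r["short_verdict"], r["expanded_verdict"])
```

A record whose `short_verdict` is `None` but whose `expanded_verdict` is set shows a link that was scored only through its expanded destination, which is the case worth checking when reviewing policy coverage for shortened URLs.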

 

sysresuem
Beginner

Hi

Thanks for the reply.

In fact the shortened URLs are expanded by Cisco for analysis, but it is always the shortened URLs which are delivered to the end user.

I thought the shortened URLs were also delivered to end users in their expanded version.

Guillaume

ESA expands the shortened URL for its analysis, however the end user would still receive it as a shortened URL and no modification will be applied unless of course the filter enforces defang, re-write actions.

Ok thanks for the precisions
