
Why URL Filtering for Shortened URLs is not available in AsyncOS 14.0

sysresuem
Level 1

Hello,

 

I want to activate URL filtering for shortened URLs on AsyncOS 14.0.

This feature seems not to be available in this version:

https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_010000.html#id_60808

But it was in AsyncOS 13.0: https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-0/user_guide/b_ESA_Admin_Guide_13-0/b_ESA_Admin_Guide_12_1_chapter_010000.html 

 

There is no mention of this modification in the release notes of AsyncOS 14.

 

Why has this functionality been removed?

 

Regards

 

Guillaume

1 Accepted Solution


ESA expands the shortened URL for its analysis, however the end user would still receive it as a shortened URL and no modification will be applied unless of course the filter enforces defang, re-write actions.


5 Replies

UdupiKrishna
Cisco Employee

Starting from 14.0.X, scanning of shortened URL(s) is enabled by default and the option to enable it explicitly is removed. I don't recollect seeing this change in behaviour documented, but yea it does work (here's a sample mail flow).

 

Wed May 11 05:02:15 2022 Info: MID 1149 ready 3327 bytes from <alex.mercer@gmail.com>

Wed May 11 05:02:15 2022 Info: MID 1149 Custom Log Entry: insert_external_header alex.mercer@gmail.com Alex Mercer <alex.mercer@gmail.com>

Wed May 11 05:02:15 2022 Info: MID 1149 matched all recipients for per-recipient policy User1 policy in the inbound table

Wed May 11 05:02:15 2022 Info: MID 1149 interim verdict using engine: SLBL spam negative

Wed May 11 05:02:15 2022 Info: MID 1149 using engine: SLBL spam negative

Wed May 11 05:02:15 2022 Info: MID 1149 interim AV verdict using Sophos CLEAN

Wed May 11 05:02:15 2022 Info: MID 1149 antivirus negative 

Wed May 11 05:02:15 2022 Info: ICID 1929 close

Wed May 11 05:02:16 2022 Info: MID 1149 AMP file reputation verdict : SKIPPED (no attachment in message)

Wed May 11 05:02:16 2022 Info: MID 1149 using engine: SLBL graymail negative

Wed May 11 05:02:17 2022 Info: MID 1149 having URL: https://bit.ly/3Bg19uM has been expanded to https://www.usatoday.com/story/travel/2022/02/10/amtrak-deal-valentines-offer-sale/6741296001/

Wed May 11 05:02:17 2022 Info: MID 1149 having URL: https://bit.ly/amtrak-valentines has been expanded to https://www.usatoday.com/story/travel/2022/02/10/amtrak-deal-valentines-offer-sale/6741296001/

Wed May 11 05:02:19 2022 Info: MID 1149 URL https://bit.ly/3Bg19uM has reputation 6.5 matched Action: URL redirected to Cisco Security proxy

Wed May 11 05:02:19 2022 Info: MID 1149 URL https://www.usatoday.com/story/travel/2022/02/10/amtrak-deal-valentines-offer-sale/6741296001/ has reputation 6.5 matched Action: URL redirected to Cisco Security proxy

Wed May 11 05:02:19 2022 Info: MID 1149 URL https://bit.ly/3Bg19uM has reputation 6.5 matched Action: URL redirected to Cisco Security proxy

Wed May 11 05:02:19 2022 Info: MID 1149 URL https://www.usatoday.com/story/travel/2022/02/10/amtrak-deal-valentines-offer-sale/6741296001/ has reputation 6.5 matched Action: URL redirected to Cisco Security proxy

 

Current Version

===============

Product: Cisco C000V Email Security Virtual Appliance

Model: C000V

Version: 14.0.0-698

Build Date: 2021-06-14

Install Date: 2022-04-07 08:13:36

Serial #: 420B78BA327D4BC979C6-517FA335215F

BIOS: 6.00

CPUs: 1 expected, 1 allocated

Memory: 4096 MB expected, 4096 MB allocated

RAID: NA

RAID Status: Unknown

RAID Type: NA

BMC: NA

I stand corrected, the change was enforced from 13.5 - https://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa13-5-1/ESA_13-5-1_Release_Notes.pdf

 

Shortened URLs Expansion Changes: Prior to this release, you could disable the expansion of shortened URLs using the websecurityadvancedconfig CLI command in your appliance. After you upgrade to this release, all shortened URLs are expanded. There is no option to disable the expansion of shortened URLs.

 

sysresuem
Level 1

Hi

 

Thanks for the reply.

In fact the shortened URLs are expanded by Cisco for analysis, but it is always the shortened URLs which are delivered to the end user.

I thought the shortened URLs were also delivered to end users in their expanded version.

 

Guillaume

ESA expands the shortened URL for its analysis, however the end user would still receive it as a shortened URL and no modification will be applied unless of course the filter enforces defang, re-write actions.

Ok thanks for the precisions
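
Since users still receive the shortened link, the script below pairs each delivered short URL with the target the ESA logged for it and flags targets with a low or missing verdict. It is an added example, not part of the original thread and not Cisco code. The log lines are constructed in the layout of the sample mail flow above (hosts are placeholders); the regexes, function names and the 0.0 threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the mail_logs layout quoted in the thread; hosts are placeholders.
SAMPLE_LOG = """\
Wed May 11 05:02:17 2022 Info: MID 1149 having URL: https://short.example/abc has been expanded to https://news.example/story/1
Wed May 11 05:02:19 2022 Info: MID 1149 URL https://short.example/abc has reputation 6.5 matched Action: URL redirected to Cisco Security proxy
Wed May 11 05:02:19 2022 Info: MID 1149 URL https://news.example/story/1 has reputation 6.5 matched Action: URL redirected to Cisco Security proxy
Wed May 11 05:03:02 2022 Info: MID 1150 having URL: https://short.example/xyz has been expanded to https://login.example/reset
Wed May 11 05:03:04 2022 Info: MID 1150 URL https://login.example/reset has reputation -7.2 matched Action: URL redirected to Cisco Security proxy
Wed May 11 05:04:10 2022 Info: MID 1151 having URL: https://short.example/q has been expanded to https://files.example/doc
"""

EXPANDED = re.compile(r"MID (\d+) having URL: (\S+) has been expanded to (\S+)")
VERDICT = re.compile(r"MID (\d+) URL (\S+) has reputation (-?\d+(?:\.\d+)?) matched Action: (.+)$")

def correlate(log_text):
    """Map each MID to its shortened links: delivered form, expanded target, verdict."""
    expansions = defaultdict(dict)  # mid -> {short_url: expanded_url}
    verdicts = defaultdict(dict)    # mid -> {url: (reputation, action)}
    for line in log_text.splitlines():
        if m := EXPANDED.search(line):
            expansions[m[1]][m[2]] = m[3]
        elif m := VERDICT.search(line):
            verdicts[m[1]][m[2]] = (float(m[3]), m[4].strip())
    report = {}
    for mid, pairs in expansions.items():
        report[mid] = []
        for short, target in pairs.items():
            # A verdict can be logged against either form; prefer the expanded target.
            rep, action = verdicts[mid].get(target) or verdicts[mid].get(short) or (None, None)
            report[mid].append({"delivered": short, "target": target,
                                "reputation": rep, "action": action})
    return report

def needs_review(report, threshold=0.0):
    """Links whose target scored below threshold (assumed cut-off), or had no verdict logged."""
    return [(mid, row["delivered"], row["target"], row["reputation"])
            for mid, rows in report.items() for row in rows
            if row["reputation"] is None or row["reputation"] < threshold]

if __name__ == "__main__":
    for hit in needs_review(correlate(SAMPLE_LOG)):
        print(hit)
```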
