Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About Bob Fayne
Stats
Member since
07-05-2012
62
Posts
8
Helpful
8
Solutions
07-09-2015
08:08 AM
The ESA will stack/buffer commands issued to the CLI to a certain extent. Try this. Open a notepad or some other text editor. Enter your commands commit somereason shutdown 60 Make sure there is a carriage return after the shutdown command (hit Enter after 60). Copy this to the clipboard and paste it to the CLI. I tested it with reboot and it seemed to work but YMMV.
... View more
07-09-2015
07:35 AM
This sounds like a situation where you might want to demand a hotfix. Get the Bug ID from TAC and escalate through your sales channel.
... View more
07-09-2015
07:24 AM
No email for you, 1 hour! You can change that time on a global basis with the Injection Counters Reset Period. From the GUI you can get to the setting under Network and from the CLI it's under listenerconfig/setup. Network->Listeners->Edit Global Settings Bear in mind that because this is a global setting it also changes the HAT rate limiting from messages per hour to messages per xxx time. You can set anything from 1 minute to 4 hours. The main purpose according to docs is to allow high-volume receivers to shorten the time to avoid performance issues. This infers that too high of a setting can(will) introduce performance issues, particularly with memory so I don't recommend setting it much higher than an hour.
... View more
07-08-2015
12:25 PM
AMP is a closer match to Outbreak Filters than Signature-based AV like Sophos but it uses a lot more information to make decisions.
... View more
07-08-2015
12:13 PM
You can do it with a script. I previously managed 30+ appliances before clustering was available so scripting became the way to go. The most flexible way is to use Expect, but you can also use batch commands. The secret is that you need to do a commit before the SSH session ends or all of the changes will be lost. Here's what you need to do. Create a text file with one line for each IP address that looks like this - change LISTENERNAME and SENDERGROUP to match your setup. Use whatever tool suits you. listenerconfig edit LISTENERNAME hostaccess edit SenderGroup SENDERGROUPNAME new 1.1.1.1/32 Then, once you have a text file with all the commands, add two lines to the end. commit SOMEREASON exit Then execute it like so: ssh -tt USER@HOST < YOURSCRIPT And...Voila! P.S. You can't enter descriptions when you add entries from the CLI
... View more
05-22-2015
02:48 PM
Best practice is to use two physical interfaces. Have the interface for your public listener in the DMZ and the interface for your private listener inside the firewall. The ESA is by definition a security appliance and will not allow direct communications between networks as it is all SMTP store & forward. Then when you create a Mail Flow Policy for the Private Listener, use Relay for the connection behavior.
... View more
05-22-2015
02:41 PM
Yes, you can export and import the HAT from the command line. The basic command looks like this, using "batch mode". I used to do it with a cron script before centralized management was available. listenerconfig edit NAME_OF_LISTENER hostaccess export/import FILENAME The file ends up in the "configuration" directory. You can also do it from the normal CLI menu system by entering the commands one at a time. More info can be found here: http://www.cisco.com/c/en/us/support/security/email-security-appliance/products-command-reference-list.html
... View more
05-22-2015
02:23 PM
Sorry, but this is not possible unless you have an M-series appliance to do it for you. The message tracking data is stored in a database so you would have to do it as a database merge (upsert) with a dbms application that could read and write to the db rather than doing it at a file level. In addition, the file system where that db is stored is not accessible to the end user so you can't get to it anyway. If you had an M-series appliance, you could just point the new appliance to the M-series and the tracking would be automatically combined when you did searches.
... View more
04-28-2015
10:49 AM
Take a good look at the Virtual Appliance (ESAV). That will allow you to add more horsepower as needed without buying an entire new appliance.
... View more
04-28-2015
10:47 AM
Take a good look at the Virtual Appliance (ESAV). That will allow you to add more horsepower as needed without buying an entire new appliance.
... View more
03-27-2015
06:15 AM
This document is a bit basic but it's a good place to start. Basing an installation on documented design principles is often the best way to handle audits. http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Aug2014/CVD-EmailSecurityUsingCiscoESADesignGuide-AUG14.pdf Definitely leaving most settings at the default until you have a specific reason to make a change. The defaults have been carefully chosen to be a good "average" setup.
... View more
03-25-2015
10:59 AM
The short answer is no, there is no feature to do that. Once messages land in the workqueue, they are scanned FIFO (First in-First Out). If your appliance actually has 5,000 messages in the workqueue, it is wildly overloaded and is probably either in resource conservation throttling or very close to it. Once you hit resource conservation the ESA will start to throttle acceptance for all recipients on a global basis so there is no way to specify priority for one specific email address. In addition, this would cause the ESA to waste time and cpu scanning messages in the workqueue twice. It would have to immediately check new messages for a match and if no match, go back to working on clearing the workqueue. When you have an appliance already overtaxed, any extra work can be a big issue. Sounds like you might need a beeger bawx. :)
... View more
03-02-2015
08:44 AM
There are three SMTP commands that apply here. VRFY - not implemented by ESA. ESA will respond "250 ok" to everything EXPN - not implemented by ESA. ESA always responds "500 command not recognized" RCPT - can't be "disabled" as there is no other way to specify envelope recipients. I would recommend that you set up LDAP Accept and DHAP (Directory Harvest Attack Prevention). That will allow the ESA to stop dictionary attacks. Once too many bad recipients have been tried the appliance will reject all recipients from that IP address for an hour. DHAP is normally best set up to function during the SMTP conversation and to drop connections. If you enable it during the work queue your appliance can get bogged down with undeliverable outgoing messages from all the bounces. Dropping the connection can help with botnets since they usually don't waste time by re-queuing messages to be tried later.
... View more
03-02-2015
08:22 AM
You can also filter on a Reply-To with content filters, just use the "Other Header" condition and specify Reply-To as the Header Name. As for effectiveness, I think you'll find that Reply-To is not that great to filter on unless there are some specific strings that you want to look for. There are a lot of legit reasons for a Reply-To header to exist so filtering on just the fact that it is there will drive up your false positive rate.
... View more
07-09-2015
The ESA will stack/buffer commands issued to the CLI to a certain
extent. Try this. Open a notepad o...
07-09-2015
This sounds like a situation where you might want to demand a hotfix.
Get the Bug ID from TAC and es...
07-09-2015
No email for you, 1 hour!You can change that time on a global basis with
the Injection Counters Rese...
07-08-2015
AMP is a closer match to Outbreak Filters than Signature-based AV like
Sophos but it uses a lot more...
07-08-2015
You can do it with a script. I previously managed 30+ appliances before
clustering was available so ...
05-22-2015
Best practice is to use two physical interfaces. Have the interface for
your public listener in the ...
05-22-2015
Yes, you can export and import the HAT from the command line. The basic
command looks like this, usi...
05-22-2015
Sorry, but this is not possible unless you have an M-series appliance to
do it for you.The message t...
04-28-2015
Take a good look at the Virtual Appliance (ESAV). That will allow you to
add more horsepower as need...
04-28-2015
Take a good look at the Virtual Appliance (ESAV). That will allow you to
add more horsepower as need...
03-27-2015
This document is a bit basic but it's a good place to start. Basing an
installation on documented de...
03-25-2015
The short answer is no, there is no feature to do that. Once messages
land in the workqueue, they ar...
03-02-2015
There are three SMTP commands that apply here. VRFY - not implemented by
ESA. ESA will respond "250 ...
Public Statistics
| Date Registered | 07-05-2012 07:47 AM |
| Date Last Visited | 08-18-2017 03:56 AM |
| Total Messages Posted | 62 |
| Total Helpful Votes Received | 8 |
