Hey Graham, From the ESAs current software it looks to be supporting that log for syslog as you shared, with regards of a workaround to try to get syslog going there is nothing that comes to mind. There was an enhancement request for this made available sometime back: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCzv43325 currently still under review. Regards, Mathew ... View more

@Ccns90  This is my first recommendation as well. Content filters works off an ordering - ensure you set the URL filtering below ETF and re-do your test to verify results. If the URL filtering is already taking action then it leaves nothing for the ETF feature.   In the event the ordering is done and it's still not matching, then we'll need to look a bit more deeper into it.   Thanks @Ken Stieers  for bringing up this point.   Regards, Mathew ... View more

Hey Jape, This is possible to have addresses be exempted from envelope sender rate limiting via the address list and deploying it on the mail flow policy in question, a null <> value cannot be added. Are these out of office emails coming from internal source? if so perhaps (if this applies to your environment) you disable envelope sender rate limiting on a RELAY host. If this is for out of office emails coming from the internet into the ESA, then creating that hole could be considered risky as it opens you up to bounce storms if Bounce verification isn't it. An alternative means for incoming mails would be to use message filters and use the High Volume Email filter rules but it may get convoluted and complicated for the requirement. Regards, Mathew ... View more

Hey Andreas, EHLO is required for STARTTLS to be advertised for the ESA to use: C680.esa.lab> telnet 10.10.10.100 25 Trying 10.10.10.100... Connected to 10.10.10.100. Escape character is '^]'. 220 C680.lab.test ESMTP HELO test 250 C680.lab.test ^] telnet> q Connection closed. C680.esa.lab> telnet 10.10.10.100 25 Trying 10.10.10.100... Connected to 10.10.10.100. Escape character is '^]'. 220 C680.lab.test ESMTP EHLO test 250-C680.lab.test 250-8BITMIME 250-SIZE 10485760 250 STARTTLS ^] telnet> q Connection closed. If the receiving mail server does not offer STARTTLS at all - then the ESA would not run the command. While you can still force it manually via SMTP conversation telnet; devices following RFC (like the ESA) will not force a command if it was not using EHLO extension. Regards, Mathew ... View more

Hey Ccns90, External threat feeds requires the correct URLs to query as the source. To verify if the source is returning results for the ETF to work you can verify inside the "threatfeeds" log files. When an email is sent in and depending on where you deployed your ETF (HAT level, filter/content filters etc) the logs (mail_logs) will return if it was matched under a threat feed. Sample: Thu Jun 7 20:48:10 2018 Info: MID 91 Threat feeds source 'S1' detected malicious URL: 'http://digimobil.mobi/' in attachment(s): malurl.txt. Action: Attachment stripped Thanks, Mathew ... View more

Hey is_8999, Sorry for late information to this thread. Option 1 -> currently not available. Option 2 -> Yes you can remove these buttons, on your windows PC go to -> C:\ProgramData\Cisco\Cisco IronPort Email Security Plug-In\username Note: if you didn't install the plugin into this folder the directory may vary. ProgramData folder is hidden. Open up config_1.xml (which should be linked to your primary email account) and you can remove the strings of the buttons you do not want. Please keep in mind, you need to remove the initial parent tag to the end tag, if you remove sub tags or incorrectly - your plugin will no longer load due to invalid syntax. EG on my side one of the tags are: &lt;reportType name="spam"&gt; &lt;address&gt;outlook_spam@access.ironport.com&lt;/address&gt; &lt;copyAddressInPlainFormat&gt;&lt;/copyAddressInPlainFormat&gt; &lt;headerValue&gt;spam&lt;/headerValue&gt; &lt;showInJunkFolder&gt;true&lt;/showInJunkFolder&gt; &lt;largeRibbonButton&gt;true&lt;/largeRibbonButton&gt; &lt;/reportType&gt; Removing the above, will remove the SPAM button for example. 3. In the same config file you can change the address, currently by default it is sent to outlook_spam@access.ironport.com -> you can alter this. Regards, Mathew ... View more

Hey Oleg, There's very little we can do on the ESA on a tuning perspective. it is more of an "enable all applicable requirements" and it will operate in itself. Regards, Mathew ... View more

Hey Bvj, I apologise for the inconvenience faced with the feature; we're aware of the requirement and we have filed an enhancement request to bring an option to allow a roll back to the classic licensing method. At this stage, you are correct - the only way to go back is to rollback the config or resetconfig/reload (which is a bit too destructive). For virtual ESAs we're recommending to not use smart licenses yet as there has been some concerns due to the lack of option to change it back gracefully to classic VLN license method. Thank you for sharing your experience and workaround to our wider community though - it's greatly appreciated. Regards, Mathew ... View more

Hey Gagandeepsinghhoda, This is tricky because we'd need to see some logs to indicate the situation. From your explanation... Exchange side shows delivered but recipient didn't -- this means it's and outbound email flow? If so, you will likely need to obtain some information about these emails and run a message tracking/mail_logs search for the flow and from there you have the first point to verify what happened. If the ESA silently drops an email due to spam or other local rules, no NDR is sent. Regards, Mathew ... View more

Hello Oleg, I suspect this 100 value is the uploads to the threatgrid service from the ESA. File upload limits enforced. This means that while the AMP reputation service wouldn't have a limit and the ESA will query the SHA256s for information on our AMP cloud - when a verdict is unknown and file requires to be uploaded, if you exceeded the 100 per day, your device will no longer send the file for analysis. I would recommend you confirm with your sales representative as i'm basing this 100 as the upload limits which I believe is the model used for the AMP license. Thanks, Mathew ... View more

Hey Zydfm, I was hoping that's not the case - I'll likely need to check into my lab boxes to verify if it's possible to change the export data time setting. Regards, Mathew ... View more

Hey Zydfm, Typically GUI -> System Admin -> Timezone and change it to the relevant location should update the tracking as well. As per extended grep, we cannot control the output to be in the exact line format sought as grep is essentially just finding outputs which meet the expression being searched and print the raw line. Grep isn't able to be used to correlate multiple lines into events, and you will still need to manually extract and modify. Regards, Mathew ... View more

Hello Zydfm, I tried to look for an option on our devices but not able to find an alternative means to meet the requirement. Message tracking export currently shows the sender, recipient and last state only (if it was delivered or aborted). You can probably run an extended grep on mail_log files to extract the log lines you need, but you'll likely need to run another script or tool to correlate the details into a user friendly file. Else - I would imagine filing an Enhancement request for more customization on tracking/exports might be required. Regards, Mathew ... View more

Hey Duke, I do see the predicament that would be - on the ESA (if the SMA license has expired or has crashed) the ESA will not auto-switch to local tracking, however all the files the ESA generates for the SMA message tracking to pull from will still be made. The information is stored for up to 60 files (typically 3 hours). If there is no pulling of the data from an SMA then we'll purge older data to make room for newer. Regards, Mathew ... View more