What you are seeing is correct the first bucket grabs everything and doesn't allow traffic to be distributed to other service ID's. Using PBR to overcome this is what we came up with for this type of deployment. ... View more

Since you can’t specifically set a Content Filter on attachment size but you can on message size which includes body + attachment I would suggest add a content filter as a condition and then the action is add Log Entry and then you can search for the log entry. The other alternative is a Message Filter which does support attachment-size rule. Refer to the User Guide for Message Filter processing. Keep in mind Message Filters happen before spam scanning so you could end up with some log entries that get dropped due to spam scanning and other engines. ... View more

There is no report but if you are syslogging the mail_logs off box you could run something to look for the Message to Large indicators and create a report. Other than that you'd have to grep the logs that are being stored off-box for the same. ... View more

Receiving aborted is generally and indication that the transmitting end stop sending data OR there is some network device interfering with the communication. If you are unable to receive any email always best to open a TAC case and have them assist. ... View more

Unless something has changed in the last year or so and it is possible, you could configure the WSA to use 802.1q VLAN interfaces and they would synch with WCCP on the ASA off the physical inside interface and sub-interfaces however there was an issue where the physical interface on the ASA would grab all available buckets and never redirect traffic to the sub-interfaces. If you've made this work I'd certainly love to see the configuration as we ended up working around this issue using PBR on the later releases of ASA. ... View more

We are working hard to avoid that as well ... View more

Support for HTTP/2 in WSA will be later this year in our 12.x release. ... View more

The SMA license does not propagate to the WSA. You should have a PAK for the WSA licenses that you need to activate. If you need assistance please contact TAC for help. ... View more

<facepalm> Can't fix them all :) ... View more

As suggested by others SPF checks for this type of forgery. ... View more

You are correct we don't block that capability by default. We are discussing changing the default action however there are consequences to that behavior. We have published many different guides on how to prevent Spoofing and are looking at adding additional functionality to the product to make it easier to configure Spoof protection but keep in mind there are many legitimate reasons for spoofing email. More and more companies today do business with 3rd party vendors that send email to employees on behalf of the company, your HR, 401K, outsourced employee services etc. and blocking the ability to receive messages from your own domain (spoofed) would impact those employee services. IF you are confident that you understand you know and have identified those services then consider using the document I authored some years ago on HAT Exception Table method. You can find it attached or watch this video https://www.youtube.com/watch?v=mG86aih6Pko Now some people including TAC will use Message Filters or Content Filters to help but those have varying success. HAT Rejection is at the time of SMTP conversation so doesn't actually depend on the friendly header FROM in the body of the message so make sure you understand the attach document before implementing as misconfiguration can and has caused rejection of your internal mail server. I also agree with the suggestions below about implementing SPF and DKIM/DMARC but they will not prevent spoofing as they are not specifically designed to prevent spoofing but to authenticate that the message was created and signed by the sending organization. I've witnessed spoofed messages and spammers lately signing their messages with DKIM so there is no silver bullet for this issue as if you read the RFC it was constructed to allow this type of behavior again for reasons mentioned above. ... View more

Please review this article to see if this helps http://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/118423-technote-wsa-00.html ... View more