This blog article will briefly describe the new URL filtering features in the updated AsyncOS 8.5.0 for the Cisco IronPort Email Security Appliance.
Before you upgrade to 8.5.5 (which is the latest OS as of this post), please check the upgrade path at the URL below:
http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa8-5-5/ESA_8-5-5_Release_Notes.pdf
After upgrading, make sure URL filtering is enabled by navigating to:
- Security Services –> URL Filtering
- Edit Global Settings and check the box
The Cisco Web Security Services connection status should indicate a successful connection to the service. If you receive any errors relating to certificates ("error fetching enrollment certificate" or "certificate is invalid") or connection issues ("unable to connect to cisco web security services"), then please make sure:
- Your firewall is not blocking any connections from the ESA to the outside world on HTTP/HTTPS – the ESA heavily relies on these connections to retrieve anti-spam (CASE) updates, firmware updates and others.
- Make sure a certificate is associated with the Cisco Web Security Services Authentication. Open up a CLI to the ESA and run the command websecurityconfig. Follow the instructions.
- If it still does not work for you, see the troubleshooting section in the ESA 8.5.5 user guide or contact Cisco support
So now that you have URL filtering enabled with a successful connection to the Cisco Web Security Services, let’s add some content filters to our incoming (and, depending on your environment, outgoing) mail!
- Go to Mail Policies –> Incoming Content Filters
- Add a filter. Let’s call it url_filtering
- Add a condition and select URL Category
- Select all the dodgy categories you want to block and select OK
- Add some actions when a blocked URL is detected – you can do what you wish with the e-mail here. See some examples below:
You can choose to ‘Defang’ the URL – this means changing some characters of the URL so that it cannot be clicked. For example: http://some-malware-site.com becomes hxxp://some-malware-site.com
You can have URLs in the e-mails rewritten so they go to a Cisco Security Proxy first. This allows URLs to be scanned/checked by Cisco to determine the safety of the websites.
You can replace URLs with plain text – for example, http://some-malware-site.com becomes [WARNING: THIS URL WAS REMOVED FOR SECURITY REASONS. PLEASE CONTACT THE IT DEPARTMENT]
One of the most common actions will be to notify the IT department and quarantine the message. In my opinion, this is probably the best thing to do. There’s little to no point in allowing e-mails through to end users if they are in categories such as ‘Pornography’ or ‘Child Abuse’. Delivering e-mails with the URLs stripped will just confuse end users, so it’s best to quarantine.
Of course with such filtering there will be some false positives. This is why you can add URLs to a whitelist:
- Mail Policies –> URL Lists
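To make the defang and replace-with-text actions and the whitelist exception concrete, here is an added Python example (not Cisco's code and not part of the original post). The function names, the whitelist entry intranet.example.com and the rule that a whitelist entry also covers its subdomains are assumptions of this example; it compares the parsed hostname rather than a substring, so a lookalike such as intranet.example.com.some-malware-site.com is not exempted.

```python
import re
from urllib.parse import urlsplit

# Constructed sample values: the whitelist entry is hypothetical.
WHITELIST = {"intranet.example.com"}
WARNING = ("[WARNING: THIS URL WAS REMOVED FOR SECURITY REASONS. "
           "PLEASE CONTACT THE IT DEPARTMENT]")

# http/https URLs, ending at whitespace or a common closing delimiter.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def is_whitelisted(url, whitelist=WHITELIST):
    """True if the host equals a whitelist entry or is a subdomain of one."""
    host = host_of(url)
    return any(host == w or host.endswith("." + w) for w in whitelist)


def defang(url):
    """Make the URL unclickable: http -> hxxp, https -> hxxps."""
    return re.sub(r"^(h)tt(ps?)", r"\1xx\2", url, flags=re.IGNORECASE)


def rewrite_body(body, action="defang", whitelist=WHITELIST):
    """Apply 'defang' or 'replace' to every non-whitelisted URL in body."""
    if action not in ("defang", "replace"):
        raise ValueError("action must be 'defang' or 'replace'")

    def handle(match):
        url, trail = match.group(0), ""
        # Keep sentence punctuation that follows the URL out of the URL.
        while url and url[-1] in ".,;:!?":
            url, trail = url[:-1], url[-1] + trail
        if is_whitelisted(url, whitelist):
            return url + trail
        return (defang(url) if action == "defang" else WARNING) + trail

    return URL_RE.sub(handle, body)
```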
I hope this has been useful. Feel free to leave your comments below!
5 replies on “URL Filtering on the Cisco IronPort ESA”
Thanks for your article. I needed to do this quickly and didn’t have time for a Cisco support case!
I also created a filter called Malicious_URL and made the condition “URL Reputation”, then added that to the Default Policy. We are on AsyncOS 8.5.6.
Hi
Mail Policies –> URL Lists
white listing is not working on ESA. Tried with Policy and also with Global White-List.
Have you added/modified your content filter to reflect the whitelist? In the content filter add a condition, click ‘URL Reputation’ and select ‘Use a URL whitelist’.
Yes, Added
Use a URL whitelist: “List Name”
and also tried
Security Services > URL Filtering
URL Whitelist: URL-White-List
Hmm weird. If you have committed the policies and it still doesn’t work then it is worth opening a support ticket (they’re very quick to respond usually) as what you have done looks correct.
Have you looked here? Page 376 @ http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa8-5-5/ESA_8-5-5_User_Guide.pdf