Can You Snapshot a Virtual Cisco IronPort?

The Cisco IronPort virtual edition has been out for about a year now. It’s still not quite as mature as we would like for it to be; for example, it lacks support for Hyper-V, modifying the CPU core allocation to meet peak performance demands, etc.

One of the unsupported ‘configurations’ is virtual machine snapshots.

This is what I was advised by a TAC engineer:

“The software was written for physical hardware, and operations such as snapping an image and reloading it at a later point in time, is not supported.

Our appliances often have files open, and taking a snapshot while a file is being written, can leave you with a worthless snapshot, that can’t be executed.  And thats only one of the problems you may encounter

I can confirm it is not supported, but nevertheless it will probably work when the machine is completely shut down. It will probably fail when the machine was ‘powered on’. There are no power states like pause or standby which would take the filesystem into a state that would be safe for a snapshot.

I can confirm, no problem if version mismatch due to a revert. A “revert” of the machine (CLI> revert)  also results in such a mismatch, but this is automatically resolved.”

So as you can see, snapshotting your ESA isn’t technically supported HOWEVER if you follow the basic steps below you shouldn’t have any issues.


Cisco IronPort ESA Finally Supports TLS 1.2

ASyncOS 9.5 is in Limited Deployment at the moment but you don’t have to wait long before it hits an ESA near you as Cisco seem to be pushing out ASyncOS releases pretty quickly these days.

9.5 comes with a bunch of new features including one many people have been waiting for – support for TLS 1.2.

See the release notes @

If you don’t want to wait for it to hit the General Deployment phase then you can raise a TAC support request with the serial number of your appliance and a request to be put on the LD list for release 9.5.

I’ll probably be doing this my self in the next few days. I also have a virtual appliance so can always snapshot the VM before the upgrade and roll back in case anything goes awry.


Migrating from a Physical IronPort ESA to a Virtual IronPort Appliance

This post will be a collection of thoughts and my own experiences when migrating from a physical C160 to a virtual C100V appliance. Other IronPort ESA P2V appliances may be similar so it’s worth reading on!


Cisco IronPort E-mail Security Appliance Best Practices : Part 2

This article is a continuation from part 1 of the IronPort ‘best practices’ series.

Here I will discuss:

  • Implementing DNS blacklists
  • DLP
  • Bounce profiles
  • LDAP queries

Cisco IronPort E-mail Security Appliance Best Practices : Part 1

I’ve cheekily phrased this blog article as a best practice guide to setting up/configuring your Cisco IronPort email security appliance. However I must make clear that the below is what I deem to be best practices/configuration. Every environment is unique so please make sure you understand what you are doing before attempting to implement any of my suggestions below. So, let’s get started! The suggestions below are in no particular order.