Post on 27-Jan-2021
User Guide for AsyncOS 12.5 for Cisco Content Security Management Appliances - GD (General Deployment)
First Published: 2019-07-22
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.
Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)
© 2019 Cisco Systems, Inc. All rights reserved.
CONTENTS
CHAPTER 1: Introduction 1
What's New in this Release 1
Cisco Content Security Management Overview 3
CHAPTER 2: Setup, Installation, and Basic Configuration 5
Solution Deployment Overview 5
SMA Compatibility Matrix 6
Installation Planning 6
Network Planning 6
About Integrating a Security Management Appliance with Email Security Appliances 7
Deployments with Clustered Email Security Appliances 7
Preparing for Setup 7
Physically Setting Up and Connecting the Appliance 7
Determining Network and IP Address Assignments 8
Gathering the Setup Information 8
Accessing the Security Management Appliance 9
Browser Requirements 9
About Accessing the Web Interfaces 10
Accessing the Web Interface 11
Accessing the Legacy Web Interface 12
Accessing the Command Line Interface 12
Supported Languages 12
Accessing the Security Management Appliance API Interface Using Swagger UI 13
Running the System Setup Wizard 13
Before You Begin 13
Overview of the System Setup Wizard 14
Launch the System Setup Wizard 15
Review the End User License Agreement 15
Configure the System Settings 15
Configure the Network Settings 15
Review Your Configuration 16
Proceeding to the Next Steps 16
About Adding Managed Appliances 17
Editing Managed Appliance Configurations 17
Removing an Appliance from the List of Managed Appliances 18
Configuring Services on the Security Management Appliance 18
Committing and Abandoning Configuration Changes 19
CHAPTER 3: Working With Reports 21
Ways to View Reporting Data 21
How the Security Management Appliance Gathers Data for Reports 22
How Reporting Data is Stored 22
About Reporting and Upgrades 23
Customizing Your View of Report Data 23
Viewing Reporting Data for an Appliance or Reporting Group 23
Choosing a Time Range for Reports 24
(Web Reports Only) Choosing Which Data to Chart 24
Customizing Tables on Report Pages 25
Custom Reports 25
Modules That Cannot Be Added to Custom Reports 26
Creating Your Custom Report Page 26
Viewing Details of Messages or Transactions Included in Reports 27
Improving Performance of Email Reports 27
Exporting Reporting and Tracking Data 29
Exporting Report Data as a Comma Separated Values (CSV) File 30
Subdomains vs. Second Level Domains in Reporting and Tracking 31
Troubleshooting All Reports 31
Unable to View Report Data on Backup Security Management Appliance 32
Reporting Is Disabled 32
Email and Web Reports 32
CHAPTER 4: Working With Reports on the New Web Interface 33
Ways to View Reporting Data 33
How the Security Management Appliance Gathers Data for Reports 34
How Reporting Data is Stored 34
About Reporting and Upgrades 35
Using the Interactive Report Pages 35
Customizing Your View of Report Data 36
Viewing Reporting Data for an Appliance or Reporting Group 36
Choosing a Time Range for Reports 37
(Web Reports Only) Choosing Which Data to Chart 37
(Email Reports Only) Customizing Views on Report Pages 38
Customizing Tables on Report Pages 38
Using Counters to Filter Data on the Trend Graphs 39
My Favorite Reports Page 39
Modules That Cannot Be Added to the My Favorite Reports Page 40
Adding Reports on the My Favorite Reports Page 40
Viewing Details of Messages or Transactions Included in Reports 41
Improving Performance of Email Reports 41
Exporting Reporting and Tracking Data 43
Exporting Report Data as a Comma Separated Values (CSV) File 44
Troubleshooting All Reports 45
Unable to View Report Data on Backup Security Management Appliance 45
Reporting Is Disabled 45
CHAPTER 5: Using Centralized Email Security Reporting 47
Centralized Email Reporting Overview 47
Setting Up Centralized Email Reporting 48
Enabling Centralized Email Reporting 48
Enabling Centralized Email Reporting on the Legacy Web Interface 48
Creating Email Reporting Groups 49
Adding the Centralized Email Reporting Service to Each Managed Email Security Appliance 50
Enabling Centralized Email Reporting on Email Security Appliances 50
Working with Email Report Data 51
Working with Email Report Data on the New Web Interface 51
Searching and the Interactive Email Report Pages 52
Understanding the Email Reporting Pages 52
Table Column Descriptions for Email Reporting Pages 56
Email Reporting Overview Page 59
How Incoming Mail Messages are Counted 59
How Email Messages Are Categorized by the Appliances 59
Categorizing Email Messages on the Overview Page 60
Incoming Mail Page 62
Views Within the Incoming Mail Page 63
Incoming Mail Details Table 64
Sender Profile Pages 65
Sender Groups Report Page 66
Sender Domain Reputation Page 66
Outgoing Destinations Page 67
Outgoing Senders Page 67
Internal Users Page 69
Internal User Details Page 69
Searching for a Specific Internal User 70
DLP Incidents 70
DLP Incidents Details Table 71
DLP Policy Detail Page 71
Message Filters 71
Geo Distribution 71
High Volume Mail 72
Content Filters Page 72
Content Filter Details Page 73
DMARC Verification 73
Macro Detection 73
External Threat Feeds Page 73
Virus Types Page 74
URL Filtering Page 75
Web Interaction Tracking Page 75
Forged Email Detection Page 76
Advanced Malware Protection (File Reputation and File Analysis) Reporting Pages 76
Requirements for File Analysis Report Details 77
Identifying Files by SHA-256 Hash 78
File Reputation and File Analysis Report Pages 79
Viewing File Reputation Filtering Data in Other Reports 81
For Which Files Are Detailed File Analysis Results Visible in the Cloud? 81
Mailbox Auto Remediation 81
TLS Connections Page 82
Inbound SMTP Authentication Page 83
Rate Limits Page 83
Outbreak Filters Page 84
Reporting of Graymail 86
Reporting of Marketing Messages after Upgrade to AsyncOS 9.5 86
System Capacity Page 86
How to Interpret the Data You See on System Capacity Page 87
System Capacity – Workqueue 87
System Capacity – Incoming Mail 88
System Capacity – Outgoing Mail 88
System Capacity – System Load 88
System Capacity – All 89
Threshold Indicator in System Capacity Graphs 90
Reporting Data Availability Page 90
Understanding the Email Reporting Pages on the New Web Interface 90
Mail Flow Summary Page 94
How Incoming Mail Messages are Counted 96
How Email Messages Are Categorized by the Appliances 96
Categorizing Email Messages on the Mail Flow Summary Page 97
System Capacity Page 99
How to Interpret the Data You See on System Capacity Page 100
System Capacity – Workqueue 100
System Capacity – Incoming Mail 100
System Capacity – Outgoing Mail 101
System Capacity – System Load 101
System Capacity – All 102
Threshold Indicator in System Capacity Graphs 102
Advanced Malware Protection Page 102
Advanced Malware Protection – Summary 103
Advanced Malware Protection – AMP Reputation 103
Advanced Malware Protection – File Analysis 104
Advanced Malware Protection – File Retrospection 105
Advanced Malware Protection – Mailbox Auto Remediation 105
Requirements for File Analysis Report Details 106
Identifying Files by SHA-256 Hash 107
Viewing File Reputation Filtering Data in Other Reports 108
For Which Files Are Detailed File Analysis Results Visible in the Cloud? 108
Virus Filtering Page 108
Virus Types Detail Table 109
Macro Detection Page 110
DMARC Verification Page 110
Domains by DMARC Verification Details Table 111
Outbreak Filtering Page 111
URL Filtering Page 113
Forged Email Detection Page 114
Sender Domain Reputation Page 114
External Threat Feeds Page 115
Mail Flow Details Page 115
Views Within the Mail Flow Details Page 117
Incoming Mails Table 118
Sender Profile Pages 120
Sender Details Table 121
Sender Groups Page 122
Outgoing Destinations Page 123
Outgoing Destinations Detail Table 124
TLS Encryption Page 124
TLS Connections Details Table 126
Inbound SMTP Authentication Page 127
Rate Limits Page 129
Connections by Country Page 129
User Mail Summary 130
User Mail Flow Details Table 131
Searching for a Specific Internal User 132
DLP Incident Summary Page 132
Web Interaction Page 134
Web Interaction Tracking Details 135
Remediation Reports Page 135
Message Filters Page 137
High Volume Mail Page 138
Content Filters Page 138
Content Filter Details Page 139
Reporting of Graymail 139
Reporting of Marketing Messages after Upgrade to AsyncOS 9.5 140
About Scheduled and On-Demand Email Reports 140
Additional Report Types 141
Domain-Based Executive Summary Report 141
Executive Summary Report 144
Scheduled Reports Page 144
Scheduling Email Reports 144
Adding Scheduled Reports 144
Editing Scheduled Reports 145
Discontinuing Scheduled Reports 145
Generating Email Reports On Demand 146
Archived Email Reports Page 147
Viewing and Managing Archived Email Reports 147
Accessing Archived Reports 147
Deleting Archived Reports 148
Troubleshooting Email Reports 148
Outbreak Filters Reports Do Not Show Information Correctly 148
Message Tracking Results Do Not Match Report Results After Clicking a Link in a Report 148
Advanced Malware Protection Verdict Updates Report Results Differ 149
Issues Viewing File Analysis Report Details 149
File Analysis Report Details Are Not Available 149
Error When Viewing File Analysis Report Details 149
Error When Viewing File Analysis Report Details with Private Cloud Cisco AMP Threat Grid Appliance 150
Logging of File Analysis-Related Errors 150
Total Graymail or Marketing Messages Appears To Be Incorrect 150
CHAPTER 6: Using Centralized Web Reporting and Tracking 151
Centralized Web Reporting and Tracking Overview 151
Setting Up Centralized Web Reporting and Tracking 153
Enabling Centralized Web Reporting on the Security Management Appliance 153
Enabling Centralized Web Reporting on Web Security Appliances 153
Adding the Centralized Web Reporting Service to Each Managed Web Security Appliance 153
Anonymizing User Names in Web Reports 154
Working with Web Security Reports 155
Working with Web Security Reports on the New Web Interface 155
Web Reporting Page Descriptions 156
About Time Spent 158
Web Reporting Overview 159
Users Report (Web) 160
User Details (Web Reporting) 161
User Count Report (Web) 163
Web Sites Report 163
URL Categories Report 164
Reducing Uncategorized URLs 165
URL Category Set Updates and Reports 165
Using The URL Categories Page in Conjunction with Other Reporting Pages 165
Reporting Misclassified and Uncategorized URLs 166
Application Visibility Report 166
Understanding the Difference between Application versus Application Types 166
Anti-Malware Report 168
Malware Category Report 169
Malware Threat Report 169
Malware Category Descriptions 169
Advanced Malware Protection (File Reputation and File Analysis) Reports 170
Requirements for File Analysis Report Details 171
Identifying Files by SHA-256 Hash 172
Advanced Malware Protection (File Reputation and File Analysis) Report Pages 173
Viewing File Reputation Filtering Data in Other Reports 174
For Which Files Are Detailed File Analysis Results Visible in the Cloud? 174
Client Malware Risk Report 175
Web Reputation Filters Report 176
What are Web Reputation Filters? 176
Adjusting Web Reputation Settings 177
L4 Traffic Monitor Report 177
SOCKS Proxy Report 179
Reports by User Location 179
System Capacity Page 180
Viewing the System Capacity Report 181
How to Interpret the Data You See on the System Capacity Page 181
System Capacity - System Load 181
System Capacity - Network Load 182
Note About Proxy Buffer Memory Swapping 182
Data Availability Page 182
Understanding the Web Reporting Pages on the New Web Interface 183
About Time Spent 185
Overview Page 185
Application Visibility Page 187
Layer 4 Traffic Monitor Page 189
SOCKS Proxy Page 191
URL Categories Page 192
Reducing Uncategorized URLs 193
URL Category Set Updates and Reports 193
Using The URL Categories Page in Conjunction with Other Reporting Pages 194
Reporting Misclassified and Uncategorized URLs 194
Users Page 194
User Details Page (Web Reporting) 195
Web Sites Page 198
HTTPS Reports Page 199
Anti-Malware Page 200
Malware Category Report 201
Malware Threat Report 201
Malware Category Descriptions 202
Advanced Malware Protection Page 203
Advanced Malware Protection - AMP Summary 204
Advanced Malware Protection - File Analysis 204
Client Malware Risk Report 205
Web Reputation Filters Page 206
About Scheduled and On-Demand Web Reports 208
Scheduling Web Reports 209
Storage of Scheduled Web Reports 209
Adding Scheduled Web Reports 210
Editing Scheduled Web Reports 210
Deleting Scheduled Web Reports 210
Additional Extended Web Reports 210
Top URL Categories—Extended 211
Top Application Types—Extended 211
Generating Web Reports on Demand 212
Archived Web Reports Page 213
Viewing and Managing Archived Web Reports 213
Web Tracking 214
Searching for Transactions Processed by Web Proxy Services 214
Malware Category Descriptions 216
Searching for Transactions Processed by the L4 Traffic Monitor 218
Searching for Transactions Processed by the SOCKS Proxy 218
Web Tracking on the New Web Interface 219
Searching for Transactions Processed by Web Proxy Services 219
Malware Category Descriptions 221
Searching for Transactions Processed by the Layer 4 Traffic Monitor 223
Searching for Transactions Processed by the SOCKS Proxy 223
Working with Web Tracking Search Results 223
Displaying More Web Tracking Search Results 224
Understanding Web Tracking Search Results 224
Viewing Transaction Details for Web Tracking Search Results 224
About Web Tracking and Advanced Malware Protection Features 224
About Web Tracking and Upgrades 225
Troubleshooting Web Reporting and Tracking 225
Centralized Reporting Is Enabled Properly But Not Working 226
Advanced Malware Protection Verdict Updates Report Results Differ 226
Issues Viewing File Analysis Report Details 226
File Analysis Report Details Are Not Available 226
Error When Viewing File Analysis Report Details 226
Error When Viewing File Analysis Report Details with Private Cloud Cisco AMP Threat Grid Appliance 227
Expected Data Is Missing from Reporting or Tracking Results 227
PDF Shows Only a Subset of Web Tracking Data 227
Troubleshooting L4 Traffic Monitor Reports 227
Exported .CSV file is Different From Web Interface Data 228
Issues Exporting Web Tracking Search Results 228
CHAPTER 7: Tracking Messages 229
Tracking Service Overview 229
Setting Up Centralized Message Tracking 230
Enabling Centralized Email Tracking 230
Enabling Centralized Email Tracking on the Legacy Web Interface 230
Configuring Centralized Message Tracking on Email Security Appliances 231
Adding the Centralized Message Tracking Service to Each Managed Email Security Appliance 231
Managing Access to Sensitive Information 232
Checking Message Tracking Data Availability 232
Searching for Email Messages 232
Searching for Email Messages on the New Web Interface 233
Searching for Email Messages on the Legacy Web Interface 235
Narrowing the Result Set 237
About Message Tracking and Advanced Malware Protection Features 238
Understanding Tracking Query Results 238
Message Details 239
Verdict Chart and Last State Verdicts 239
Envelope and Header Summary 240
Sending Host Summary 241
Processing Details 241
Troubleshooting Message Tracking 242
Expected Messages Are Missing from Search Results 242
Attachments Do Not Appear in Search Results 243
CHAPTER 8: Spam Quarantine 245
Overview of the Spam Quarantine 245
Local Versus External Spam Quarantine 245
Setting Up the Centralized Spam Quarantine 246
Enabling and Configuring Spam Quarantine 246
Enabling and Configuring the Spam Quarantine on the Legacy Web Interface 246
Adding the Centralized Spam Quarantine Service to Each Managed Email Security Appliance 248
Configuring an Outbound IP Interface on the Security Management Appliance 249
Configuring the IP Interface for Browser Access to the Spam Quarantine 250
Configuring Administrative User Access to the Spam Quarantine 250
Limiting Which Recipients Have Mail Quarantined 251
Spam Quarantine Language 251
Edit Spam Quarantine Page 251
Using Safelists and Blocklists to Control Email Delivery Based on Sender 252
Message Processing of Safelists and Blocklists 252
Enabling Safelists and Blocklists 253
Enabling Safelists and Blocklists on the Legacy Web Interface 253
External Spam Quarantine and Safelist/Blocklists 253
Adding Senders and Domains to Safelists and Blocklists (Administrators) 254
Syntax for Safelists and Blocklist Entries 258
Clearing All Safelists and Blocklists 259
About End-User Access to Safelists and Blocklists 259
Adding Entries to Safelists (End Users) 259
Adding Senders to Blocklists (End Users) 260
Backing Up and Restoring the Safelist/Blocklist 260
Troubleshooting Safelists and Blocklists 261
Message from Safelisted Sender Was Not Delivered 261
Configuring Spam Management Features for End Users 262
Authentication Options for End Users Accessing Spam Management Features 262
LDAP Authentication Process 263
IMAP/POP Authentication Process 264
SAML 2.0 Authentication Process 264
Setting Up End-User Access to the Spam Quarantine via Web Browser 264
Configuring End-User Access to the Spam Quarantine 265
Determining the URL for End-User Access to the Spam Quarantine 266
Which Messages an End User Sees 266
Notifying End Users About Quarantined Messages 267
Recipient Email Mailing List Aliases and Spam Notifications 269
Testing Notifications 270
Troubleshooting Spam Notifications 270
Managing Messages in the Spam Quarantine 271
Accessing the Spam Quarantine (Administrative Users) 271
Accessing the Spam Quarantine (Administrative Users) 271
Searching for Messages in the Spam Quarantine 271
Searching Very Large Message Collections 272
Viewing Messages in the Spam Quarantine 272
Delivering Messages in the Spam Quarantine 272
Deleting Messages from the Spam Quarantine 273
Disk Space for the Spam Quarantine 273
About Disabling the External Spam Quarantine 273
Troubleshooting Spam Quarantine Features 273
CHAPTER 9: Centralized Policy, Virus, and Outbreak Quarantines 275
Overview of Centralized Quarantines 275
Quarantine Types 276
Centralizing Policy, Virus, and Outbreak Quarantines 277
Enabling Centralized Policy, Virus, and Outbreak Quarantines on the Security Management Appliance 279
Enabling Centralized Policy, Virus, and Outbreak Quarantines on the New Web Interface of the Appliance 280
Adding the Centralized Policy, Virus, and Outbreak Quarantine Service to Each Managed Email Security Appliance 280
Configuring Migration of Policy, Virus, and Outbreak Quarantines 281
Designating an Alternate Appliance to Process Released Messages 283
Configuring Centralized Quarantine Access for Custom User Roles 283
Disabling Centralized Policy, Virus, and Outbreak Quarantines 283
Releasing Messages When an Email Security Appliance Is Unavailable 284
Managing Policy, Virus, and Outbreak Quarantines 284
Disk Space Allocation for Policy, Virus, and Outbreak Quarantines 284
Retention Time for Messages in Quarantines 285
Default Actions for Automatically Processed Quarantined Messages 286
Checking the Settings of System-Created Quarantines 286
Configuring Policy, Virus, and Outbreak Quarantines 286
About Editing Policy, Virus, and Outbreak Quarantine Settings 288
Determining the Filters and Message Actions to Which a Policy Quarantine Is Assigned 289
About Deleting Policy Quarantines 289
Monitoring Quarantine Status, Capacity, and Activity 289
Alerts About Quarantine Disk-Space Usage 291
Policy Quarantines and Logging 291
About Distributing Message Processing Tasks to Other Users 292
Which User Groups Can Access Policy, Virus, and Outbreak Quarantines 292
Working with Messages in Policy, Virus, or Outbreak Quarantines 292
Viewing Messages in Quarantines 293
Quarantined Messages and International Character Sets 294
Searching for Messages in Policy, Virus, and Outbreak Quarantines 294
Modifying Search Criteria 294
Manually Processing Messages in a Quarantine 295
Sending a Copy of the Message 295
About Moving Messages Between Policy Quarantines 296
Messages in Multiple Quarantines 296
Message Details and Viewing Message Content 296
Viewing Matched Content 297
Downloading Attachments 298
About Rescanning of Quarantined Messages 298
The Outbreak Quarantine 299
Rescanning Messages in an Outbreak Quarantine 299
Rule Summary View 299
Manage by Rule Summary Link 300
Reporting False Positives or Suspicious Messages to Cisco Systems 300
Troubleshooting Centralized Policy Quarantines 300
Administrative User Cannot Choose Quarantines in Filters and DLP Message Actions 300
Messages Released from a Centralized Outbreak Quarantine Are Not Rescanned 300
CHAPTER 10: Managing Web Security Appliances 301
About Centralized Configuration Management 301
Determining the Correct Configuration Publishing Method 301
Using Configuration Masters to Centrally Manage Web Security Appliances 302
Important Notes About Using Configuration Masters 305
Determine the Configuration Master Versions to Use 305
Enabling Centralized Configuration Management on the Security Management Appliance 305
Initializing and Configuring Configuration Masters 306
Initializing Configuration Masters 306
About Associating Web Security Appliances to Configuration Masters 306
Adding Web Security Appliances and Associating Them with Configuration Master Versions 307
Associating Configuration Masters to Web Security Appliances 308
Configuring Sub Configuration Masters 308
Viewing Associated Configuration Masters in the Appliance List 309
Deleting Sub Configuration Masters 309
Selecting the Sub Configuration Master as the Active Configuration 309
Configuring Settings to Publish 310
Importing from an Existing Configuration Master 310
Importing Settings from a Web Security Appliance 311
Configuring Web Security Features Directly in Configuration Masters 311
Ensuring that Features are Enabled Consistently 313
Comparing Enabled Features 314
Enabling Features to Publish 314
Disabling Unused Configuration Masters 315
Setting Up to Use Advanced File Publishing 316
Publishing Configurations to Web Security Appliances 316
Publishing a Configuration Master 316
Before You Publish a Configuration Master 316
Publishing a Configuration Master Now 318
Publishing a Configuration Master Later 319
Publishing a Configuration Master Using the Command Line Interface 319
Publishing Configurations Using Advanced File Publishing 320
Advanced File Publish: Publish Configuration Now 320
Advanced File Publish: Publish Later 321
Viewing Status and History of Publishing Jobs 321
Viewing Publish History 321
Centralized Upgrade Management 322
Setting Up Centralized Upgrade Management for Web Security Appliances 322
Enable the Centralized Upgrade Manager 322
Adding the Centralized Upgrade Service to Each Managed Web Security Appliance 323
Selecting and Downloading WSA Upgrades 324
Using the Install Wizard 325
Viewing Web Security Appliance Status 326
Viewing a Summary of Status of Web Appliances 326
Viewing Status of Individual Web Security Appliances 326
Web Appliance Status Details 327
Preparing For and Managing URL Category Set Updates 327
Understand the Impacts of URL Category Set Updates 327
Ensure That You Will Receive Notifications and Alerts about URL Category Set Updates 328
Specify Default Settings for New and Changed Categories 328
When the URL Category Set is Updated, Check Your Policy and Identity/Identification Profile Settings 328
Application Visibility and Control (AVC) Updates 328
Troubleshooting Configuration Management Issues 329
In Configuration Master Identities/Identification Profiles, Groups Are Not Available 329
Configuration Master Access Policies Web Reputation and Anti-Malware Settings Page Settings are Not as Expected 329
Troubleshooting Issues when Importing Existing Configuration for Configuration Masters 329
Troubleshooting Configuration Publishing Failures 330
CHAPTER 11: Monitoring System Status 331
About Security Management Appliance Status 331
Monitoring Security Management Appliance Capacity 332
Monitoring the Processing Queue 332
Monitoring CPU Utilization 332
Monitoring Status of Data Transfer From Managed Appliances 333
Viewing the Configuration Status of Your Managed Appliances 334
Additional Status Information for Web Security Appliances 335
Monitoring Reporting Data Availability Status 335
Monitoring Email Security Reporting Data Availability 335
Monitoring Web Security Reporting Data Availability 335
Monitoring Email Tracking Data Status 336
Monitoring Capacity of Managed Appliances 336
Identifying Active TCP/IP Services 336
Replacing a Managed Appliance During Hardware Failure 336
CHAPTER 12: Integrating With LDAP 337
Overview 337
Configuring LDAP to Work with the Spam Quarantine 337
Creating the LDAP Server Profile 338
Testing LDAP Servers 340
Configuring LDAP Queries 340
LDAP Query Syntax 340
Tokens 340
Spam Quarantine End-User Authentication Queries 341
Sample Active Directory End-User Authentication Settings 341
Sample OpenLDAP End-User Authentication Settings 342
Spam Quarantine Alias Consolidation Queries 342
Sample Active Directory Alias Consolidation Settings 343
Sample OpenLDAP Alias Consolidation Settings 343
Testing LDAP Queries 344
Domain-Based Queries 344
Creating a Domain-Based Query 344
Chain Queries 345
Creating a Chain Query 346
Configuring AsyncOS to Work With Multiple LDAP Servers 347
Testing Servers and Queries 347
Failover 347
Configuring the Cisco Content Security Appliance for LDAP Failover 348
Load Balancing 348
Configuring the Cisco Content Security Appliance for Load Balancing 348
Configuring External Authentication of Administrative Users Using LDAP 349
User Accounts Query for Authenticating Administrative Users 350
Group Membership Queries for Authenticating Administrative Users 350
Enabling External Authentication of Administrative Users 352
CHAPTER 13: Configuring SMTP Routing 353
SMTP Routes Overview 353
SMTP Routes, Mail Delivery, and Message Splintering 354
SMTP Routes and Outbound SMTP Authentication 354
Routing Email for Local Domains 354
Default SMTP Route 354
Managing SMTP Routes 355
Defining an SMTP Route 355
SMTP Routes Limits 355
Adding SMTP Routes 355
Exporting SMTP Routes 356
Importing SMTP Routes 356
SMTP Routes and DNS 357
CHAPTER 14: Integrating with Cisco Threat Response 359
Integrating Your Appliance with Cisco Threat Response 359
Integrating with Cisco Threat Response 359
Integrating the Appliance with Cisco Threat Response using CLI 361
threatresponseconfig 361
cloudserviceconfig 362
Performing Threat Analysis using Casebooks 364
Obtaining Client ID and Client Password Credentials 364
Adding Observable to Casebook for Threat Analysis 366
CHAPTER 15: Distributing Administrative Tasks 369
About Distributing Administrative Tasks 369
Assigning User Roles 369
Predefined User Roles 369
Custom User Roles 372
About Custom Email User Roles 372
About Custom Web User Roles 375
Deleting Custom User Roles 377
User Roles with Access to the CLI 377
Using LDAP 377
Access to Quarantines 378
Users Page 378
About Authenticating Administrative Users 378
Changing the Admin User’s Passphrase 378
Changing the User’s Passphrase After Expiry 379
Managing Locally-Defined Administrative Users 379
Adding Locally-Defined Users 379
Editing Locally-Defined Users 380
Deleting Locally-Defined Users 380
Viewing the List of Locally-Defined Users 381
Setting and Changing Passphrases 381
Setting Passphrase and Login Requirements 381
Requiring Users to Change Passphrase on Demand 384
Locking and Unlocking Local User Accounts 385
External User Authentication 386
Configuring LDAP Authentication 386
Enabling RADIUS Authentication 386
Two-Factor Authentication 389
Enabling Two-Factor Authentication 389
Disabling Two-Factor Authentication 390
Adding an Email or Web Security appliance over SSH with Pre-Shared Keys 390
Additional Controls on Access to the Security Management Appliance 391
Configuring IP-Based Network Access 391
Direct Connections 391
Connecting Through a Proxy 392
Creating the Access List 392
Configuring the Web UI Session Timeout 394
Configuring the CLI Session Timeout 395
Controlling Access to Sensitive Information in Message Tracking 395
Displaying a Message for Administrative Users 396
Viewing Administrative User Activity 396
Viewing Active Sessions Using the Web 396
Viewing Your Recent Login Attempts 397
Viewing Administrative User Activity via the Command Line Interface 397
Troubleshooting Administrative User Access 397
Error: User Has No Access Privileges Assigned 397
User Has No Active Menus 398
Externally-Authenticated Users See Preferences Option 398
Chapter 16: Common Administrative Tasks 399
Performing Administrative Tasks 399
Cisco Content Security Management Appliances Licensing 400
Working with Feature Keys 400
Virtual Appliance Licensing and Feature Keys 400
Smart Software Licensing 400
Overview 401
Enabling Smart Software Licensing 402
Registering the Appliance with Cisco Smart Software Manager 403
Requesting for Licenses 404
Deregistering the Appliance from Smart Cisco Software Manager 404
Reregistering the Appliance with Smart Cisco Software Manager 405
Changing Transport Settings 405
Renewing Authorization and Certificate 405
Updating Smart Agent 406
Alerts 406
Command Line Interface 406
Performing Maintenance Tasks Using CLI Commands 411
Shutting Down the Security Management Appliance 411
Rebooting the Security Management Appliance 411
Taking the Security Management Appliance Out of Service 412
CLI Examples: suspend and suspendtransfers Commands 412
Resuming from a Suspended State 413
CLI Examples: resume and resumetransfers Commands 413
Resetting the Configuration to Factory Defaults 413
The resetconfig Command 414
Displaying the Version Information for AsyncOS 414
Enabling Remote Power Cycling 414
Monitoring System Health Using SNMP 415
Example: snmpconfig Command 416
Backing Up Security Management Appliance Data 417
What Data Is Backed Up 418
Restrictions and Requirements for Backups 418
Backup Duration 419
Availability of Services During Backups 419
Interruption of a Backup Process 420
Prevent the Target Appliance From Pulling Data Directly from Managed Appliances 420
Receiving Alerts About Backup Status 420
Scheduling Single or Recurring Backups 421
Starting an Immediate Backup 421
Checking Backup Status 422
Backup Information in Log Files 422
Other Important Backup Tasks 423
Making a Backup Appliance the Primary Appliance 423
Disaster Recovery on the Security Management Appliance 424
Upgrading Appliance Hardware 426
Upgrading AsyncOS 426
Batch Commands for Upgrades 426
Determining Network Requirements for Upgrades and Updates 426
Choosing an Upgrade Method: Remote vs. Streaming 427
Streaming Upgrade Overview 427
Remote Upgrade Overview 427
Hardware and Software Requirements for Remote Upgrades 428
Hosting a Remote Upgrade Image 429
Important Differences in Remote Upgrading Method 429
Configuring Upgrade and Service Update Settings 429
Upgrade and Update Settings 430
Static Upgrade and Update Server Settings for Environments with Strict Firewall Policies 431
Configuring the Update and Upgrade Settings from the GUI 433
Upgrade Notifications 434
Before You Upgrade: Important Steps 434
Upgrading AsyncOS 434
Viewing Status of, Canceling, or Deleting a Background Download 436
After Upgrading 437
About Reverting to an Earlier Version of AsyncOS 437
Important Note About Reversion Impact 437
Reverting AsyncOS 437
About Updates 439
About URL Category Set Updates for Web Usage Controls 439
Configuring the Return Address for Generated Messages 439
Managing Alerts 439
Alert Types and Severities 440
Alert Delivery 440
Viewing Recent Alerts 441
About Duplicate Alerts 441
Cisco AutoSupport 441
Hardware Alert Descriptions 442
System Alert Descriptions 442
Changing Network Settings 446
Changing the System Hostname 446
The sethostname Command 446
Configuring Domain Name System Settings 446
Specifying DNS Servers 447
Multiple Entries and Priority 447
Using the Internet Root Servers 447
Reverse DNS Lookup Timeout 448
DNS Alert 448
Clearing the DNS Cache 448
Configuring DNS Settings via the Graphical User Interface 448
Configuring TCP/IP Traffic Routes 449
Managing Static Routes in the GUI 449
Modifying the Default Gateway (GUI) 449
Configuring the Default Gateway 449
Specifying a Secure Communication Protocol 449
Configuring the System Time 450
Using a Network Time Protocol (NTP) Server 451
(Recommended) Setting Appliance System Time Using the Network Time Protocol (NTP) 451
Selecting a GMT Offset 451
Updating Time Zone Files 452
Automatically Updating Time Zone Files 452
Manually Updating Time Zone Files 452
Configuration File Page 452
Saving and Importing Configuration Settings 453
Managing Configuration Files 453
Saving and Exporting the Current Configuration File 453
Loading a Configuration File 454
Resetting the Current Configuration 456
Rolling Back to a Previously Committed Configuration 456
CLI Commands for Configuration Files 456
The showconfig, mailconfig, and saveconfig Commands 457
The loadconfig Command 458
The rollbackconfig Command 458
The publishconfig Command 458
The trailblazerconfig Command 458
Uploading Configuration Changes Using the CLI 459
Managing Disk Space 460
(Virtual Appliances Only) Increasing Available Disk Space 460
Viewing Disk Space, Quotas and Usage 461
About Disk Space Maximums and Allocations 461
Ensuring That You Receive Alerts About Disk Space 462
Managing Disk Space for the Miscellaneous Quota 462
Reallocating Disk Space Quotas 462
Adjusting the Reference Threshold in System Health Graphs for Email Security Appliances 463
SSO Using SAML 2.0 463
About SSO and SAML 2.0 464
SAML 2.0 SSO Workflow 464
Guidelines and Limitations for SAML 2.0 465
Logout 465
General 465
Spam Quarantine Access for Administrators 465
How to Configure SSO for Spam Quarantine 465
Prerequisites 466
Configure Cisco Content Security Management Appliance as a Service Provider 466
Configure the Identity Provider to Communicate with Cisco Content Security Management Appliance 468
Configure Identity Provider Settings on Cisco Content Security Management Appliance 469
Enable SSO for Spam Quarantine 470
Customizing Your View 471
Using Favorite Pages 471
Setting Preferences 471
General Settings 472
Monitoring Web Usage Analytics 472
Improving Web Interface Rendering 472
Restarting and Viewing Status of Services Enabled on Appliance 473
Chapter 17: Logging 475
Logging Overview 475
Logging Versus Reporting 475
Log Retrieval 475
Filename and Directory Structure 476
Log Rollover and Transfer Schedule 476
Timestamps in Log Files 477
Logs Enabled by Default 477
Log Types 478
Summary of Log Types 478
Log Type Comparison 481
Using Configuration History Logs 482
Using CLI Audit Logs 483
Using FTP Server Logs 483
Using HTTP Logs 484
Using Spam Quarantine Logs 485
Using Spam Quarantine GUI Logs 485
Using Text Mail Logs 486
Sample Text Mail Log 486
Examples of Text Mail Log Entries 488
Generated or Rewritten Messages 490
Sending a Message to the Spam Quarantine 490
Using NTP Logs 491
Using Reporting Logs 491
Using Reporting Query Logs 492
Using Safelist/Blocklist Logs 493
Using SMA Logs 493
Using Status Logs 494
Using System Logs 496
Understanding Tracking Logs 497
Log Subscriptions 497
Configuring Log Subscriptions 497
Setting the Log Level 498
Creating a Log Subscription in the GUI 499
Editing Log Subscriptions 499
Configuring Global Settings for Logging 500
Logging Message Headers 500
Configuring Global Settings for Logging by Using the GUI 501
Rolling Over Log Subscriptions 501
Rolling Over Logs in Log Subscriptions 502
Rolling Over Logs Immediately Using the GUI 502
Rolling Over Logs Immediately via the CLI 502
Viewing the Most Recent Log Entries in the GUI 502
Viewing the Most Recent Entries in Logs (tail Command) 502
Configuring Host Keys 503
Chapter 18: Troubleshooting 507
Collecting System Information 507
Troubleshooting Hardware Issues 507
Troubleshooting Feature Setup Issues 507
General Troubleshooting Resources 508
Troubleshooting Issues with Specific Functionality 508
Responding to Alerts 509
Alert: Battery Relearn Timed Out (RAID Event) on 380 or 680 Hardware 509
Additional Alert Descriptions 509
Working with Technical Support 509
Opening or Updating a Support Case from the Appliance 509
Getting Support for Virtual Appliances 510
Enabling Remote Access for Cisco Technical Support Personnel 510
Enabling Remote Access to Appliances With an Internet Connection 511
Enabling Remote Access to Appliances Without a Direct Internet Connection 511
Disabling a Tech Support Tunnel 512
Disabling Remote Access 512
Checking the Status of the Support Connection 512
Running a Packet Capture 512
Remotely Resetting Appliance Power 513
Appendix A: IP Interfaces and Accessing the Appliance 515
IP Interfaces and Accessing the Appliance 515
IP Interfaces 515
Configuring IP Interfaces 516
Creating IP Interfaces Using the GUI 516
Accessing the Appliance via FTP 517
Secure Copy (scp) Access 519
Accessing via a Serial Connection 519
Pinout Details for the Serial Port in 80- and 90- Series Hardware 520
Pinout Details for the Serial Port in 70-Series Hardware 520
Appendix B: Assigning Network and IP Addresses 523
Ethernet Interfaces 523
Selecting IP Addresses and Netmasks 523
Sample Interface Configurations 524
IP Addresses, Interfaces, and Routing 524
Summary 525
Strategies for Connecting Your Content Security Appliance 525
Appendix C: Firewall Information 527
Firewall Information 527
Appendix D: Web Security Management Examples 531
Web Security Management Examples 531
Web Security Appliance Examples 531
Example 1: Investigating a User 531
Example 2: Tracking a URL 533
Example 3: Investigating Top URL Categories Visited 533
Appendix E: Additional Resources 535
Cisco Notification Service 535
Documentation 535
Third Party Contributors 536
Training 536
Knowledge Base Articles (TechNotes) 537
Cisco Support Community 537
Customer Support 537
Registering for a Cisco Account 537
Cisco Welcomes Your Comments 538
Appendix F: End User License Agreement 539
Cisco Systems End User License Agreement 539
Supplemental End User License Agreement for Cisco Systems Content Security Software 545
Chapter 1: Introduction
This chapter contains the following sections:
• What's New in this Release, on page 1
• Cisco Content Security Management Overview, on page 3
What's New in this Release
This section describes the new features and enhancements in this release of AsyncOS for Cisco Content Security Management.
Table 1: What's New in AsyncOS 12.x
Feature: Support for new hardware models
Description: The AsyncOS 12.5.0 release for Cisco Content Security Management appliance supports the following hardware models:
• M195
• M395
• M695
For details, see https://www.cisco.com/c/en/us/products/collateral/security/content-security-management-appliance/datasheet_C78-721194.html

Feature: Managing Multiple Subset of Configuration Masters
Description: You can now configure subsets of a particular version of the Configuration Master to centrally manage the different policy configurations of your Web Security appliance.
For more information, see Managing Web Security Appliances, on page 301.

Feature: Performing Threat Analysis using Casebooks
Description: The Cisco Content Security Management appliance now includes the casebook and pivot menu widgets.
Note: If you are using the Microsoft Internet Explorer browser to access your appliance, you will not be able to use the casebook widget.
You can perform the following actions in your appliance using the casebook and pivot menu widgets:
• Add an observable to a casebook to investigate for threat analysis.
• Pivot an observable to a new case, an existing case, or other devices registered in the Cisco Threat Response portal (for example, AMP for Endpoints, Cisco Umbrella, Cisco Talos Intelligence, and so on) to investigate for threat analysis.
For more information, see Integrating with Cisco Threat Response, on page 359.

Feature: Ability to choose Cisco Threat Response server when registering appliance with Cisco Threat Response portal
Description: When registering your appliance with the Cisco Threat Response portal, you can now choose a Cisco Threat Response server to connect your appliance to the Cisco Threat Response portal.
The following are the Cisco Threat Response servers that are supported for this release:
• AMERICAS (api-sse.cisco.com)
• EUROPE (api.eu.sse.itd.cisco.com)
For more information, see Integrating with Cisco Threat Response, on page 359.

Feature: My Reports page on the New Web Interface
Description: You can create a custom report page by assembling charts (graphs) and tables from all your existing email security reports on the new web interface of your appliance.
For more information, see Working With Reports on the New Web Interface, on page 33.

Feature: Configuring Policy, Virus and Outbreak Quarantine on the New Web Interface
Description: You can now configure Policy, Virus or Outbreak Quarantine from the new web interface of your appliance.
For more information, see Centralized Policy, Virus, and Outbreak Quarantines, on page 275.

Feature: Managing APIs using Swagger UI
Description: Swagger is a set of open-source tools built around the OpenAPI Specification.
Swagger UI helps you to design and manage AsyncOS API resources on a web interface.
For more information, see Setup, Installation, and Basic Configuration, on page 5.

Feature: Monitoring Web Usage Analytics
Description: You can enable or disable your website usage or activity from being sent for statistical analysis.
For more information, see Common Administrative Tasks, on page 399.
Cisco Content Security Management Overview
AsyncOS for Cisco Content Security Management incorporates the following features:
• External Spam Quarantine: Hold spam and suspected spam messages for end users, and allow end users and administrators to review messages that are flagged as spam before making a final determination.
• Centralized Policy, Virus, and Outbreak Quarantines: Provide a single interface for managing these quarantines and the messages quarantined in them from multiple Email Security appliances. Allows you to store quarantined messages behind the firewall.
• Centralized reporting: Run reports on aggregated data from multiple Email and Web Security appliances. The same reporting features available on individual appliances are available on Security Management appliances.
• Centralized tracking: Use a single interface to track email messages and web transactions that were processed by multiple Email and Web Security appliances.
• Centralized Configuration Management for Web Security appliances: For simplicity and consistency, manage policy definition and policy deployment for multiple Web Security appliances.
Note: The Security Management appliance is not involved in centralized email management, or ‘clustering’ of Email Security appliances.
• Centralized Upgrade Management: You can simultaneously upgrade multiple Web Security appliances (WSAs) using a single Security Management Appliance (SMA).
• Backup of data: Back up the data on your Security Management appliance, including reporting and tracking data, quarantined messages, and lists of safe and blocked senders.
You can coordinate your security operations from a single Security Management appliance or spread the load across multiple appliances.
Chapter 2: Setup, Installation, and Basic Configuration
This chapter contains the following sections:
• Solution Deployment Overview, on page 5
• SMA Compatibility Matrix, on page 6
• Installation Planning, on page 6
• Preparing for Setup, on page 7
• Accessing the Security Management Appliance, on page 9
• Accessing the Security Management Appliance API Interface Using Swagger UI, on page 13
• Running the System Setup Wizard, on page 13
• About Adding Managed Appliances, on page 17
• Configuring Services on the Security Management Appliance, on page 18
• Committing and Abandoning Configuration Changes, on page 19
Solution Deployment Overview
To configure your Cisco Content Security Management appliance to provide service to your Cisco Content Security solution:
Step 1
On these appliances: All appliances
Do this: Ensure that your appliances meet the system requirements for the features you will use. If necessary, upgrade your appliances.
More information: See the SMA Compatibility Matrix, on page 6.

Step 2
On these appliances: Email Security appliances
Do this: Before you introduce centralized services to your environment, configure all Email Security appliances to provide the security features you want, and verify that all features are working as expected on each appliance.
More information: See the documentation for your Cisco Email Security release.

Step 3
On these appliances: Web Security appliances
Do this: Before you introduce centralized services to your environment, configure at least one Web Security appliance to provide the security features you want, and verify that all features are working as expected.
More information: See the AsyncOS for Cisco Web Security Appliances User Guide.

Step 4
On these appliances: Security Management appliance
Do this: Set up the appliance and run the System Setup Wizard.
More information: See the Installation Planning, on page 6, Preparing for Setup, on page 7 and the Running the System Setup Wizard, on page 13.

Step 5
On these appliances: All appliances
Do this: Configure each centralized service that you want to deploy.
More information: Start with the Configuring Services on the Security Management Appliance, on page 18.
SMA Compatibility Matrix
For compatibility of your Security Management appliance with Email Security appliances and Web Security appliances, and for compatibility of configuration files when importing and publishing Web Security appliance configurations, see the Compatibility Matrix at http://www.cisco.com/c/en/us/support/security/content-security-management-appliance/products-release-notes-list.html.
Installation Planning
• Network Planning, on page 6
• About Integrating a Security Management Appliance with Email Security Appliances, on page 7
• Deployments with Clustered Email Security Appliances, on page 7
Network Planning
The Security Management appliance lets you separate end user applications from the more secure gateway systems residing in your demilitarized zones (DMZs). Using a two-layer firewall can provide flexibility in network planning so that end users do not connect directly to the outer DMZ.
The following figure shows a typical network configuration incorporating the Security Management appliance and multiple DMZs. You deploy the Security Management appliance outside your DMZ, in your internal networks. All connections are initiated by the Security Management appliances (M-Series) to the managed Email Security appliances (C-Series) and managed Web Security appliances (S-Series).
Figure 1: Typical Network Configuration Incorporating the Security Management appliance
Corporate data centers can share a Security Management appliance to perform centralized reporting and message tracking for multiple Web and Email Security appliances, and centralized policy configuration for multiple Web Security appliances. The Security Management appliance can also be used as an external spam quarantine.
After you connect the Email Security appliance and the Web Security appliances to a Security Management appliance and properly configure all appliances, AsyncOS gathers and aggregates data from the managed appliances. From the aggregated data, reports can be generated and an overall view of email and web usage can be determined.
About Integrating a Security Management Appliance with Email Security Appliances
For additional information about integrating the Security Management appliance with your Email Security appliances, see the “Centralizing Services on a Cisco Content Security Management Appliance” chapter in the user documentation or online help for your Email Security appliance.
Deployments with Clustered Email Security Appliances
The Security Management appliance cannot be placed in a cluster of Email Security appliances that are using the email appliances’ centralized management feature. However, clustered Email Security appliances can deliver messages to the Security Management appliance for centralized reporting and tracking and to quarantine messages.
Preparing for Setup
Before you run the System Setup Wizard:
Step 1 Review the latest release notes for your product. See Network Planning, on page 6.
Step 2 Verify that the components of your security solution are compatible. See the SMA Compatibility Matrix, on page 6.
Step 3 Ensure that your network and physical space are ready to support this deployment. See Installation Planning, on page 6.
Step 4 Physically set up and connect the Security Management appliance. See Physically Setting Up and Connecting the Appliance, on page 7.
Step 5 Determine network and IP address assignments. See Determining Network and IP Address Assignments, on page 8.
Step 6 Gather information about your system setup. See Gathering the Setup Information, on page 8.
Physically Setting Up and Connecting the Appliance
Before you follow the procedures in this chapter, complete the steps described in the quick start guide that came with your appliance. In this guide, it is assumed that you have unpacked the appliance, physically installed it in a rack, and turned it on.
Before you can log in to the GUI, you need to set up a private connection between a PC and the Security Management appliance. For example, you can use the included crossover cable to connect directly from the Management port on the appliance to a laptop. Optionally, you can connect through an Ethernet connection between a PC and the network (for example, an Ethernet hub) and between the network and the Management port on the Security Management appliance.
Determining Network and IP Address Assignments
Note: If you have already cabled your appliance to your network, ensure that the default IP address for the content security appliance does not conflict with other IP addresses on your network. The IP address that is pre-configured on the Management port of each appliance is 192.168.42.42.
After setup, go to the Management Appliance > Network > IP Interfaces page on the main Security Management appliance to change the interface that the Security Management appliance uses.
You need the following network information about each Ethernet port that you choose to use:
• IP address
• Netmask
In addition, you need the following information about your overall network:
• IP address of the default router (gateway) on your network
• IP address and hostname of your DNS servers (not required if you want to use Internet root servers)
• Hostname or IP address of your NTP servers (not required if you want to manually set system time)
For more information, see Assigning Network and IP Addresses, on page 523.
If you are running a firewall on your network between the Internet and the content security appliance, it may be necessary to open specific ports for the appliance to work properly. For more information on firewalls, see Firewall Information, on page 527.
Note: Always use the same IP address on the Security Management appliance for receiving and sending email messages to the Email Security appliances. For an explanation, see information about Mail Flow in the documentation for your Email Security appliance.
Note that IPv6 is not supported for communication between the Cisco Content Security Management appliance and the appliances it manages.
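The addressing checks described in this section can be run against your planned values before the appliance is cabled. The following is an added example, not part of the Cisco guide or product; the function name `check_assignment`, the finding codes, and the sample addresses are hypothetical, and the gateway-on-subnet check is a general IP routing rule rather than a statement from this guide.

```python
import ipaddress

# Address pre-configured on the Management port of each appliance (from the guide).
DEFAULT_MGMT_IP = ipaddress.ip_address("192.168.42.42")


def check_assignment(ip, netmask, gateway, in_use=(), managed=()):
    """Check planned Security Management appliance addressing.

    ip, netmask, gateway: worksheet values as strings.
    in_use:  addresses already present on the network.
    managed: addresses of the Email/Web Security appliances to be managed.
    Returns a list of (code, message) findings; an empty list means no issues.
    """
    try:
        iface = ipaddress.ip_interface(f"{ip}/{netmask}")
        gw = ipaddress.ip_address(gateway)
        taken = {ipaddress.ip_address(a) for a in in_use}
        peers = [ipaddress.ip_address(a) for a in managed]
    except ValueError as exc:
        # Covers malformed addresses and non-contiguous netmasks.
        return [("invalid-input", str(exc))]

    findings = []

    # The factory-default Management address must not collide with an existing host.
    if DEFAULT_MGMT_IP in taken:
        findings.append(("default-ip-conflict",
                         f"{DEFAULT_MGMT_IP} is already in use on this network"))

    # The address planned for the interface must be free as well.
    if iface.ip in taken and iface.ip != DEFAULT_MGMT_IP:
        findings.append(("address-conflict",
                         f"planned address {iface.ip} is already in use"))

    # General IP routing rule (not from the guide): the default gateway
    # has to sit on the interface's own subnet.
    if gw not in iface.network:
        findings.append(("gateway-off-link",
                         f"gateway {gw} is outside {iface.network}"))

    # IPv6 is not supported between the appliance and the appliances it manages.
    if iface.version == 6:
        findings.append(("ipv6-interface",
                         "interface used to reach managed appliances must be IPv4"))
    for peer in peers:
        if peer.version == 6:
            findings.append(("ipv6-managed",
                             f"managed appliance {peer} must be reached over IPv4"))
    return findings


if __name__ == "__main__":
    # Constructed sample plan: duplicate address, default-IP clash,
    # off-subnet gateway, and one managed appliance listed by IPv6 address.
    for code, message in check_assignment(
            "10.1.1.20", "255.255.255.0", "10.1.2.1",
            in_use=["10.1.1.20", "192.168.42.42"],
            managed=["2001:db8::25"]):
        print(f"{code}: {message}")
```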
Gathering the Setup Information
Use the following table to gather information about system setup. You will need this information at hand while running the System Setup Wizard.
Note: See the Assigning Network and IP Addresses, on page 523 for detailed information about network and IP addresses.
The following table shows the system setup worksheet.
1 Notifications
Email address where system alerts are sent:
2 System Time
NTP Server (IP address or hostname):
3 Admin Passphrase
Choose a new passphrase for the “admin” account:
4 AutoSupport
Enable AutoSupport? ___ Yes ___ No
5 Hostname
Fully qualified hostname of the Security Management appliance:
6 Interface / IP Address
IP address:
Netmask:
7 Network
Gateway: Default Gateway (router) IP address:
DNS: ___ Use the Internet’s root DNS servers
___ Use these DNS servers:
Accessing the Security Management Appliance
The Security Management appliance has a standard web-based graphical user interface, a separate web-based interface for managing the spam quarantine, a command-line interface, and special or limited web interfaces for administrative users granted access to specific features and functionality.
• Browser Requirements, on page 9
• About Accessing the Web Interfaces, on page 10
• Accessing the Legacy Web Interface, on page 12
• Accessing the Web Interface, on page 11
• Accessing the Command Line Interface, on page 12
• Supported Languages, on page 12
Browser Requirements
To access the GUI, your browser must support and be enabled to accept JavaScript and cookies, and it must be able to render HTML pages containing Cascading Style Sheets (CSS).
Table 2: Supported Browsers and Releases
Browser | Windows 7 | MacOS 10.6
Safari | — | 7.0 and later
Google Chrome | Latest Stable Version | Latest Stable Version
Microsoft Internet Explorer | 11.0 | —
Mozilla Firefox | Latest Stable Version | Latest Stable Version
• Internet Explorer 11.0 (Windows 7 only)
• Safari (7 and later)
• Firefox (Latest Stable Version)
• Google Chrome (Latest Stable Version)
Browsers are supported only for operating systems officially supported by the browser.
You may need to configure your browser’s pop-up blocking settings in order to use the GUI, because some buttons or links in the interface will cause additional windows to open.
For a seamless navigation and rendering of HTML pages, Cisco recommends using the following browsers to access the new web interface of the appliance (AsyncOS 12.0 and later):
• Google Chrome (Latest Stable Version)
• Mozilla Firefox (Latest Stable Version)
You can access the legacy web interface of the appliance on any of the supported browsers.
The supported resolution for the new web interface of the appliance (AsyncOS 12.0 and later) is between 1280x800 and 1680x1050. The best viewed resolution is 1440x900, for all the browsers.
Note: Cisco does not recommend viewing the new web interface of the appliance on higher resolutions.
About Accessing the Web Interfaces
The Security Management appliance has two web interfaces: the standard administrator interface, available by default on port 80, and the spam quarantine end user interface, available by default on port 82. The spam quarantine HTTPS interface defaults to port 83 when enabled.
Because you can specify HTTP or HTTPS when configuring each of the web interfaces (go to Management Appliance > Network > IP Interfaces on the Security Management appliance), you may be asked to reauthenticate if you switch between the two during your session. For example, if you access the admin web interface through HTTP on port 80 and then, in the same browser, access the spam quarantine end user web interface through HTTPS on port 83, you are asked to reauthenticate if you return to the admin web interface.
Note:
• When accessing the GUI, do not use multiple browser windows or tabs simultaneously to make changes to the Security Management appliance. Do not use concurrent GUI and CLI sessions either. Doing so will cause unexpected behavior and is not supported.
• By default, your session times out if you are idle for more than 30 minutes or if you close the browser without logging out. If this happens, you must reenter your user name and passphrase. To change the timeout limit, see Configuring the Web UI Session Timeout, on page 394.
Accessing the Web Interface
Step 1 Open your web browser and enter the IP address or host name of your appliance.
Step 2 [New Web Interface Only] You can access the new web interface in any one of the following ways:
Note: The new web interface of your appliance uses AsyncOS API HTTP/HTTPS ports (6080/6443) and trailblazer HTTPS port (4431). You can use the trailblazerconfig command in the CLI to configure the trailblazer HTTPS ports. Make sure that the trailblazer HTTPS port is opened on the firewall.
• When trailblazerconfig CLI command is enabled, use the following URL - https://example.com:/ng-login
where example.com is the appliance host name and is the trailblazer HTTPS port configured on the appliance.
For more information on the trailblazerconfig CLI command, see The trailblazerconfig Command, on page 458.
• When trailblazerconfig CLI command is disabled, use the following URL - https://example.com:/ng-login
where example.com is the appliance host name and is the HTTPS port configured on the appliance.
• Log in to the legacy web interface and click Security Management appliance is getting a new look. Try it!! link to access the new web interface.
Important:
• Make sure that AsyncOS API is enabled on the appliance.
• You must log in to the legacy web interface of the appliance.
• If trailblazerconfig is enabled, the configured HTTPS port must be opened on the firewall. The default HTTPS port is 4431.
Also ensure that your DNS server can resolve the hostname that you specified for accessing the appliance.
• If trailblazerconfig is disabled, the AsyncOS API ports configured in Management Appliance > Network > IP Interfaces must be opened on the firewall. The default AsyncOS API HTTP/HTTPS port is 6080/6443.
Step 3 Enter the following default values:
• User name: admin
• Passphrase: ironport
Note: This passphrase is NOT valid after you complete the System Setup Wizard, either using the web interface or the command-line interface.
Accessing the Legacy Web Interface
Note: You must log in to the Security Management Appliance to access the legacy web interface. For more information, see Accessing the Web Interface, on page 11.
To enable and configure reporting, message tracking, quarantines, network access, and monitor system status, you must access the legacy web interface.
To access the legacy web interface from the new web interface, click on the gear icon as shown in the following figure:
Figure 2: Accessing the Legacy Web Interface from the
The legacy web interface opens in a new browser window. You must log in again to access it.
If you want to log out of the appliance completely, you need to log out of both the new and legacy web interfaces of your appliance.
Accessing the Command Line Interface
The command line interface, or CLI, is accessed on the Security Management appliance in the same way that the CLI is accessed on all Cisco Content Security appliances. There are, however, some differences:
• System setup must be performed through the GUI.
• Some CLI commands are not available on the Security Management appliance. For a list of which commands are not supported, see the IronPort AsyncOS CLI Reference Guide for Cisco Content Security Appliances.
For production deployments, you should use SSH to access the CLI. Use a standard SSH client to access the appliance on port 22. For lab deployments, you can also use telnet; however, this protocol is not encrypted.
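The default ports named in the web interface and CLI access sections above can be checked from the administrator's side of the firewall. The following is an added example, not Cisco code: it assumes the appliance still uses the defaults this guide lists, takes telnet's standard port 23 as an assumption (the guide gives no number for it), and the names probe and audit are illustrative.

```python
import socket
import sys

# port -> (service, encrypted). Defaults as stated in this guide, except 23:
# the guide gives no telnet port, so the protocol's standard port is assumed.
DEFAULT_PORTS = {
    22: ("CLI over SSH", True),
    23: ("CLI over telnet", False),
    80: ("administrator web interface over HTTP", False),
    82: ("spam quarantine end user interface over HTTP", False),
    83: ("spam quarantine end user interface over HTTPS", True),
    4431: ("trailblazer HTTPS", True),
    6080: ("AsyncOS API over HTTP", False),
    6443: ("AsyncOS API over HTTPS", True),
}


def probe(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(open_ports, trailblazer_enabled=True):
    """Map the set of reachable ports to a list of (severity, message)."""
    findings = []
    for port in sorted(open_ports):
        service, encrypted = DEFAULT_PORTS.get(port, ("unlisted service", None))
        if encrypted is False:
            findings.append(
                ("WARN", f"{port}/tcp ({service}) is reachable in cleartext"))
    # The new web interface login URL uses the trailblazer HTTPS port when
    # trailblazerconfig is enabled, otherwise the AsyncOS API HTTPS port.
    needed = 4431 if trailblazer_enabled else 6443
    if needed not in open_ports:
        findings.append(
            ("ERROR", f"{needed}/tcp ({DEFAULT_PORTS[needed][0]}) is not "
                      "reachable; the new web interface needs it"))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:   # live check: python port_audit.py <appliance-host>
        reachable = {p for p in DEFAULT_PORTS if probe(sys.argv[1], p)}
    else:                   # constructed sample: a lab unit with telnet left on
        reachable = {22, 23, 80, 82, 6080, 6443}
    for severity, message in audit(reachable, trailblazer_enabled=True):
        print(f"{severity}: {message}")
```

Run it with the appliance host name as the only argument; without an argument it evaluates the constructed sample set instead of touching the network.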
Supported Languages
With the appropriate license key, AsyncOS can display the GUI and CLI in any of the following languages:
• English
• French
• Spanish
• German
• Italian
• Korean
• Japanese
• Portuguese (Brazil)
• Chinese (traditional and simplified)
• Russian
To choose the GUI and default reporting language, do one of the following:
• Set the language preference. See Setting Preferences, on page 471.
• Use the Options menu at the top right side of the GUI window to select the language for the session.
(The method that works depends on the method used to authenticate your login credentials.)
Accessing the Security Management Appliance API Interface Using Swagger UI
Swagger UI allows you to visualize and interact with the API resources of your appliance. This is automatically generated from your API specifications. For more information, see https://swagger.io/tools/swagger-ui/.
You can log in to the Swagger UI on the new web interface of your Security Management appliance in any one of the following ways:
• Use the following URL - https://example.com:/swagger
where example.com is the appliance host name and is the trailblazer HTTPS port configured on the appliance.
Note: You must enable the trailblazer HTTPS port on the appliance to access the Swagger UI. For more information on the trailblazerconfig CLI command, see The trailblazerconfig Command, on page 458.
• Log in to the new web interface of your appliance. Click the ? button on the upper-right corner and select API Help: Swagger from the drop-down. The Swagger UI opens in a new browser window.
Running the System Setup Wizard
AsyncOS provides a browser-based System Setup Wizard to guide you through the process of system configuration. Later, you may want to take advantage of custom configuration options not available in the wizard. However, you must use the wizard for the initial setup to ensure a complete configuration.
The Security Management appliance supports this wizard via the GUI only. It does not support system setup through the command line interface (CLI).
• Before You Begin, on page 13
• Overview of the System Setup Wizard, on page 14
Before You Begin
Complete all tasks in the Preparing for Setup, on page 7.
Caution: The System Setup Wizard completely reconfigures the appliance. Only use the wizard when you initially install the appliance, or if you want to completely overwrite the existing configuration.
Be sure to connect the Security Management appliance to your network through the Management port.
Caution: The Security Management appliance ships with a default IP address of 192.168.42.42 on the Management port. Before connecting the Security Management appliance to your network, ensure that no other device’s IP address conflicts with the factory default setting.
Note: By default, your session times out if you are idle for more than 30 minutes or if you close the browser without logging out. If this happens, you must reenter your user name and passphrase. If the session times out while you are running the System Setup Wizard, you need to start over from the beginning. To change the timeout limit, see Configuring the Web UI Session Timeout, on page 394.
Overview of the System Setup Wizard
Step 1 Launch the System Setup Wizard, on page 15
Step 2 Review the End User License Agreement, on page 15
Step 3 Configure the System Settings, on page 15
• Notification settings and AutoSupport
• System time settings
• Admin passphrase
Step 4 Configure the Network Settings, on page 15
• Hostname of the appliance
• IP address, network mask, and gateway of the appliance
• Default router and DNS settings
Step 5 Review Your Configuration, on page 16
Proceed through the wizard pages, and carefully review your configuration at Step 4. You can return to a step by clicking Previous. At the end of the process, the wizard prompts you to commit the changes that you have made. Most changes do not take effect until you commit them.
Step 6 Proceeding to the Next Steps, on page 16
Launch the System Setup Wizard
To launch the wizard, log in to the GUI as described in the Accessing the Web Interface, on page 11. The first time you log in to the GUI, the initial page of the System Setup Wizard appears by default. You can also access the System Setup Wizard from the System Administration menu (Management Appliance > System Administration > System Setup Wizard).
Review the End User License Agreement
Begin by reading the license agreement. After you have read and agreed to the license agreement, select the check box indicating that you agree, and then click Begin Setup to proceed.
Configure the System Settings
Entering an Email Address for System Alerts
AsyncOS sends alert messages through email if there is a system error that requires your intervention. Enter the email address (or addresses) where the alerts are sent.
You need to add at least one email address for the system alerts. Separate multiple addresses with commas. The email addresses that you enter initially receive all types of alerts at all levels. You can customize the alert configuration later. For more information, see the Managing Alerts, on page 439.
Setting the Time
Set the time zone on the Security Management appliance so that timestamps in reports, message headers and log files are correct. Use the drop-down menus to locate your time zone or to define the time zone by GMT offset.
You can set the system clock time manually, but Cisco recommends using a Network Time Protocol (NTP) server to synchronize time with other servers on your network or the Internet. By default, the Cisco NTP server (time.sco.cisco.com) is added as an entry to synchronize the time on your content security appliance. Enter the hostname of the NTP server, and click Add Entry to configure an additional NTP server. For more information, see the Configuring the System Time, on page 450.
Setting the Passphrase
You must change the passphrase for the AsyncOS admin account. Keep the passphrase in a secure location. Changes to the passphrase take effect immediately.
Note: If you cancel the system setup after resetting the passphrase, your passphrase changes are not undone.
Enabling AutoSupport
The AutoSupport feature (enabled by default) notifies Customer Support about issues with the Security Management appliance so that they can provide optimal support. For more information, see the Cisco AutoSupport, on page 441.
Configure the Network Settings
Define the hostname of the machine and then configure the gateway and DNS settings.
Note: Verify that you have connected the Security Management appliance to your network through the Management port.
Network Settings
Enter the fully qualified hostname for the Security Management appliance. This name should be assigned by the network administrator.
Enter the IP address of the Security Management appliance.
Enter the network mask and IP address of the default router (gateway) on your network.
Next, configure the Domain Name Service (DNS) settings. AsyncOS contains a high-performance internal DNS resolver/cache that can query the Internet’s root servers directly, or the system can use DNS servers that you specify. If you use your own servers, you need to supply the IP address of each DNS server. You can enter up to four DNS servers when you are using the System Setup Wizard.
Note: The DNS servers you specify have an initial priority of 0. For more information, see the Configuring Domain Name System Settings, on page 446.
Note: The appliance requires access to a working DNS server to perform DNS lookups for incoming connections. If you cannot specify a working DNS server that is reachable by the appliance while you are setting up the appliance, you can select Use Internet Root DNS Servers, or else temporarily specify the IP address of the Management interface so that you can complete the System Setup Wizard.
Review Your Configuration
Now, the System Setup Wizard displays a summary of the setup information that you have entered. If you need to make any changes, click Previous at the bottom of the page and edit the information.
After you have reviewed the information, click Install This Configuration. Then click Install in the confirmation dialog box that appears.
If the page appears not to respond when you click Install This Configuration, this is because the appliance is now using the new IP address that you specified in the wizard. To continue using the appliance, use the new IP address. If you followed the instructions in the Quick Start Guide to temporarily change the IP address of the computer you used to access your new hardware appliance, revert your computer’s IP address to its original settings first.
Proceeding to the Next Steps
After you install the Security Management appliance and run the System Setup Wizard, you can modify other settings on the appliance and configure the monitoring services.
Depending on the process you used to access the appliance in order to run the system setup wizard, the System Setup Next Steps page appears. If this page does not appear automatically, you can access it by choosing Management Appliance > System Administration > Next Steps.
Click on any of the links on the System Setup Next Steps page to proceed with the configuration of your Cisco Content Security appliances.
About Adding Managed Appliances
You will add managed Email and Web Security appliances to the Security Management appliance when you configure the first centralized service for each appliance.
Supported Email and Web Security appliances are shown in the SMA Compatibility Matrix, on page 6.
When you add a remote appliance, the Security Management appliance compares the product name of the remote appliance with the type of appliance you are adding. For example, if you add an appliance using the Add Web Security appliance page, the Security Management appliance checks the product name of the remote appliance to make sure that it is a Web Security appliance and not an Email Security appliance. The Security Management appliance will also check the monitoring services on the remote appliances to make sure that they are correctly configured and compatible.
The Security Appliances page shows the managed appliances that you have added. The Connection Established? column shows whether or not the connection for monitoring services is properly configured.
Instructions for adding managed appliances are included in the following procedures:
• Adding the Centralized Email Reporting Service to Each Managed Email Security Appliance, on page 50
• Adding the Centralized Message Tracking Service to Each Managed Email Security Appliance, on page 231
• Adding the Centralized Spam Quarantine Service to Each Managed Email Security Appliance, on page 248
• Adding the Centralized Policy, Virus, and Outbreak Quarantine Service to Each Managed Email Security Appliance, on page 280
• Adding the Centralized Web Reporting Service to Each Managed Web Security Appliance, on page 153
• Adding Web Security Appliances and Associating Them with Configuration Master Versions, on page 307
Editing Managed Appliance Configurations
Step 1 [New Web Interface Only] On the Security Management appliance, click to load the legacy web interface.
Step 2 Choose Management Appliance > Centralized Services > Security Appliances.
Step 3 In the Security Appliance section, click on the name of the appliance you want to edit.
Step 4 Make the necessary changes to the appliance configuration.
For example, select or clear check boxes for monitoring services, reconfigure file transfer access, or change the IP address.
Note: Changing the IP address of a managed appliance can cause several issues to occur. If you change the IP address of a Web Security appliance, the publish history for the appliance will be lost, and publishing errors will occur if the Web Security appliance is currently selected for a scheduled publish job. (This does not affect scheduled publish jobs that are set to use all assigned appliances.) If you change the IP address of an Email Security appliance, the tracking availability data for the appliance will be lost.
Step 5 Click Submit to submit your changes on the page, then click Commit Changes to commit your changes.
Removing an Appliance from the List of Managed Appliances
Before you begin
You may need to disable any enabled centralized services on the remote appliance before you can remove that appliance from the Security Management appliance. For example, if the Centralized Policy, Virus, and Outbreak Quarantine service is enabled, you must disable that service first on the Email Security appliance. See the documentation for your email or web security appliance.
Step 1 [New Web Interface Only] On the Security Management appliance, click to load the legacy web interface.
Step 2 Choose Management Appliance > Centralized Services > Security Appliances.
Step 3 In the Security Appliances section, click the trash can icon in the row for the managed appliance that you want to delete.
Step 4 In the confirmation dialog box, click Delete.
Step 5 Submit and commit your changes.
Co