Date post: 27-Jan-2021
User Guide for AsyncOS 12.5 for Cisco Content Security Management Appliances - GD (General Deployment) First Published: 2019-07-22 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883
  • THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

    THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

    The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

    NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

    IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

    Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

    All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.

    Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.

    Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

    © 2019 Cisco Systems, Inc. All rights reserved.

  • CONTENTS

    Chapter 1: Introduction 1

    What's New in this Release 1

    Cisco Content Security Management Overview 3

    Chapter 2: Setup, Installation, and Basic Configuration 5

    Solution Deployment Overview 5

    SMA Compatibility Matrix 6

    Installation Planning 6

    Network Planning 6

    About Integrating a Security Management Appliance with Email Security Appliances 7

    Deployments with Clustered Email Security Appliances 7

    Preparing for Setup 7

    Physically Setting Up and Connecting the Appliance 7

    Determining Network and IP Address Assignments 8

    Gathering the Setup Information 8

    Accessing the Security Management Appliance 9

    Browser Requirements 9

    About Accessing the Web Interfaces 10

    Accessing the Web Interface 11

    Accessing the Legacy Web Interface 12

    Accessing the Command Line Interface 12

    Supported Languages 12

    Accessing the Security Management Appliance API Interface Using Swagger UI 13

    Running the System Setup Wizard 13

    Before You Begin 13

    Overview of the System Setup Wizard 14

  • Launch the System Setup Wizard 15

    Review the End User License Agreement 15

    Configure the System Settings 15

    Configure the Network Settings 15

    Review Your Configuration 16

    Proceeding to the Next Steps 16

    About Adding Managed Appliances 17

    Editing Managed Appliance Configurations 17

    Removing an Appliance from the List of Managed Appliances 18

    Configuring Services on the Security Management Appliance 18

    Committing and Abandoning Configuration Changes 19

    Chapter 3: Working With Reports 21

    Ways to View Reporting Data 21

    How the Security Management Appliance Gathers Data for Reports 22

    How Reporting Data is Stored 22

    About Reporting and Upgrades 23

    Customizing Your View of Report Data 23

    Viewing Reporting Data for an Appliance or Reporting Group 23

    Choosing a Time Range for Reports 24

    (Web Reports Only) Choosing Which Data to Chart 24

    Customizing Tables on Report Pages 25

    Custom Reports 25

    Modules That Cannot Be Added to Custom Reports 26

    Creating Your Custom Report Page 26

    Viewing Details of Messages or Transactions Included in Reports 27

    Improving Performance of Email Reports 27

    Exporting Reporting and Tracking Data 29

    Exporting Report Data as a Comma Separated Values (CSV) File 30

    Subdomains vs. Second Level Domains in Reporting and Tracking 31

    Troubleshooting All Reports 31

    Unable to View Report Data on Backup Security Management Appliance 32

    Reporting Is Disabled 32

    Email and Web Reports 32

  • Chapter 4: Working With Reports on the New Web Interface 33

    Ways to View Reporting Data 33

    How the Security Management Appliance Gathers Data for Reports 34

    How Reporting Data is Stored 34

    About Reporting and Upgrades 35

    Using the Interactive Report Pages 35

    Customizing Your View of Report Data 36

    Viewing Reporting Data for an Appliance or Reporting Group 36

    Choosing a Time Range for Reports 37

    (Web Reports Only) Choosing Which Data to Chart 37

    (Email Reports Only) Customizing Views on Report Pages 38

    Customizing Tables on Report Pages 38

    Using Counters to Filter Data on the Trend Graphs 39

    My Favorite Reports Page 39

    Modules That Cannot Be Added to the My Favorite Reports Page 40

    Adding Reports on the My Favorite Reports Page 40

    Viewing Details of Messages or Transactions Included in Reports 41

    Improving Performance of Email Reports 41

    Exporting Reporting and Tracking Data 43

    Exporting Report Data as a Comma Separated Values (CSV) File 44

    Troubleshooting All Reports 45

    Unable to View Report Data on Backup Security Management Appliance 45

    Reporting Is Disabled 45

    Chapter 5: Using Centralized Email Security Reporting 47

    Centralized Email Reporting Overview 47

    Setting Up Centralized Email Reporting 48

    Enabling Centralized Email Reporting 48

    Enabling Centralized Email Reporting on the Legacy Web Interface 48

    Creating Email Reporting Groups 49

    Adding the Centralized Email Reporting Service to Each Managed Email Security Appliance 50

    Enabling Centralized Email Reporting on Email Security Appliances 50

    Working with Email Report Data 51

  • Working with Email Report Data on the New Web Interface 51

    Searching and the Interactive Email Report Pages 52

    Understanding the Email Reporting Pages 52

    Table Column Descriptions for Email Reporting Pages 56

    Email Reporting Overview Page 59

    How Incoming Mail Messages are Counted 59

    How Email Messages Are Categorized by the Appliances 59

    Categorizing Email Messages on the Overview Page 60

    Incoming Mail Page 62

    Views Within the Incoming Mail Page 63

    Incoming Mail Details Table 64

    Sender Profile Pages 65

    Sender Groups Report Page 66

    Sender Domain Reputation Page 66

    Outgoing Destinations Page 67

    Outgoing Senders Page 67

    Internal Users Page 69

    Internal User Details Page 69

    Searching for a Specific Internal User 70

    DLP Incidents 70

    DLP Incidents Details Table 71

    DLP Policy Detail Page 71

    Message Filters 71

    Geo Distribution 71

    High Volume Mail 72

    Content Filters Page 72

    Content Filter Details Page 73

    DMARC Verification 73

    Macro Detection 73

    External Threat Feeds Page 73

    Virus Types Page 74

    URL Filtering Page 75

    Web Interaction Tracking Page 75

    Forged Email Detection Page 76

  • Advanced Malware Protection (File Reputation and File Analysis) Reporting Pages 76

    Requirements for File Analysis Report Details 77

    Identifying Files by SHA-256 Hash 78

    File Reputation and File Analysis Report Pages 79

    Viewing File Reputation Filtering Data in Other Reports 81

    For Which Files Are Detailed File Analysis Results Visible in the Cloud? 81

    Mailbox Auto Remediation 81

    TLS Connections Page 82

    Inbound SMTP Authentication Page 83

    Rate Limits Page 83

    Outbreak Filters Page 84

    Reporting of Graymail 86

    Reporting of Marketing Messages after Upgrade to AsyncOS 9.5 86

    System Capacity Page 86

    How to Interpret the Data You See on System Capacity Page 87

    System Capacity – Workqueue 87

    System Capacity – Incoming Mail 88

    System Capacity – Outgoing Mail 88

    System Capacity – System Load 88

    System Capacity – All 89

    Threshold Indicator in System Capacity Graphs 90

    Reporting Data Availability Page 90

    Understanding the Email Reporting Pages on the New Web Interface 90

    Mail Flow Summary Page 94

    How Incoming Mail Messages are Counted 96

    How Email Messages Are Categorized by the Appliances 96

    Categorizing Email Messages on the Mail Flow Summary Page 97

    System Capacity Page 99

    How to Interpret the Data You See on System Capacity Page 100

    System Capacity – Workqueue 100

    System Capacity – Incoming Mail 100

    System Capacity – Outgoing Mail 101

    System Capacity – System Load 101

    System Capacity – All 102

  • Threshold Indicator in System Capacity Graphs 102

    Advanced Malware Protection Page 102

    Advanced Malware Protection – Summary 103

    Advanced Malware Protection – AMP Reputation 103

    Advanced Malware Protection – File Analysis 104

    Advanced Malware Protection – File Retrospection 105

    Advanced Malware Protection – Mailbox Auto Remediation 105

    Requirements for File Analysis Report Details 106

    Identifying Files by SHA-256 Hash 107

    Viewing File Reputation Filtering Data in Other Reports 108

    For Which Files Are Detailed File Analysis Results Visible in the Cloud? 108

    Virus Filtering Page 108

    Virus Types Detail Table 109

    Macro Detection Page 110

    DMARC Verification Page 110

    Domains by DMARC Verification Details Table 111

    Outbreak Filtering Page 111

    URL Filtering Page 113

    Forged Email Detection Page 114

    Sender Domain Reputation Page 114

    External Threat Feeds Page 115

    Mail Flow Details Page 115

    Views Within the Mail Flow Details Page 117

    Incoming Mails Table 118

    Sender Profile Pages 120

    Sender Details Table 121

    Sender Groups Page 122

    Outgoing Destinations Page 123

    Outgoing Destinations Detail Table 124

    TLS Encryption Page 124

    TLS Connections Details Table 126

    Inbound SMTP Authentication Page 127

    Rate Limits Page 129

    Connections by Country Page 129

  • User Mail Summary 130

    User Mail Flow Details Table 131

    Searching for a Specific Internal User 132

    DLP Incident Summary Page 132

    Web Interaction Page 134

    Web Interaction Tracking Details 135

    Remediation Reports Page 135

    Message Filters Page 137

    High Volume Mail Page 138

    Content Filters Page 138

    Content Filter Details Page 139

    Reporting of Graymail 139

    Reporting of Marketing Messages after Upgrade to AsyncOS 9.5 140

    About Scheduled and On-Demand Email Reports 140

    Additional Report Types 141

    Domain-Based Executive Summary Report 141

    Executive Summary Report 144

    Scheduled Reports Page 144

    Scheduling Email Reports 144

    Adding Scheduled Reports 144

    Editing Scheduled Reports 145

    Discontinuing Scheduled Reports 145

    Generating Email Reports On Demand 146

    Archived Email Reports Page 147

    Viewing and Managing Archived Email Reports 147

    Accessing Archived Reports 147

    Deleting Archived Reports 148

    Troubleshooting Email Reports 148

    Outbreak Filters Reports Do Not Show Information Correctly 148

    Message Tracking Results Do Not Match Report Results After Clicking a Link in a Report 148

    Advanced Malware Protection Verdict Updates Report Results Differ 149

    Issues Viewing File Analysis Report Details 149

    File Analysis Report Details Are Not Available 149

    Error When Viewing File Analysis Report Details 149

  • Error When Viewing File Analysis Report Details with Private Cloud Cisco AMP Threat Grid Appliance 150

    Logging of File Analysis-Related Errors 150

    Total Graymail or Marketing Messages Appears To Be Incorrect 150

    Chapter 6: Using Centralized Web Reporting and Tracking 151

    Centralized Web Reporting and Tracking Overview 151

    Setting Up Centralized Web Reporting and Tracking 153

    Enabling Centralized Web Reporting on the Security Management Appliance 153

    Enabling Centralized Web Reporting on Web Security Appliances 153

    Adding the Centralized Web Reporting Service to Each Managed Web Security Appliance 153

    Anonymizing User Names in Web Reports 154

    Working with Web Security Reports 155

    Working with Web Security Reports on the New Web Interface 155

    Web Reporting Page Descriptions 156

    About Time Spent 158

    Web Reporting Overview 159

    Users Report (Web) 160

    User Details (Web Reporting) 161

    User Count Report (Web) 163

    Web Sites Report 163

    URL Categories Report 164

    Reducing Uncategorized URLs 165

    URL Category Set Updates and Reports 165

    Using The URL Categories Page in Conjunction with Other Reporting Pages 165

    Reporting Misclassified and Uncategorized URLs 166

    Application Visibility Report 166

    Understanding the Difference between Application versus Application Types 166

    Anti-Malware Report 168

    Malware Category Report 169

    Malware Threat Report 169

    Malware Category Descriptions 169

    Advanced Malware Protection (File Reputation and File Analysis) Reports 170

    Requirements for File Analysis Report Details 171

  • Identifying Files by SHA-256 Hash 172

    Advanced Malware Protection (File Reputation and File Analysis) Report Pages 173

    Viewing File Reputation Filtering Data in Other Reports 174

    For Which Files Are Detailed File Analysis Results Visible in the Cloud? 174

    Client Malware Risk Report 175

    Web Reputation Filters Report 176

    What are Web Reputation Filters? 176

    Adjusting Web Reputation Settings 177

    L4 Traffic Monitor Report 177

    SOCKS Proxy Report 179

    Reports by User Location 179

    System Capacity Page 180

    Viewing the System Capacity Report 181

    How to Interpret the Data You See on the System Capacity Page 181

    System Capacity - System Load 181

    System Capacity - Network Load 182

    Note About Proxy Buffer Memory Swapping 182

    Data Availability Page 182

    Understanding the Web Reporting Pages on the New Web Interface 183

    About Time Spent 185

    Overview Page 185

    Application Visibility Page 187

    Layer 4 Traffic Monitor Page 189

    SOCKS Proxy Page 191

    URL Categories Page 192

    Reducing Uncategorized URLs 193

    URL Category Set Updates and Reports 193

    Using The URL Categories Page in Conjunction with Other Reporting Pages 194

    Reporting Misclassified and Uncategorized URLs 194

    Users Page 194

    User Details Page (Web Reporting) 195

    Web Sites Page 198

    HTTPS Reports Page 199

    Anti-Malware Page 200

  • Malware Category Report 201

    Malware Threat Report 201

    Malware Category Descriptions 202

    Advanced Malware Protection Page 203

    Advanced Malware Protection - AMP Summary 204

    Advanced Malware Protection - File Analysis 204

    Client Malware Risk Report 205

    Web Reputation Filters Page 206

    About Scheduled and On-Demand Web Reports 208

    Scheduling Web Reports 209

    Storage of Scheduled Web Reports 209

    Adding Scheduled Web Reports 210

    Editing Scheduled Web Reports 210

    Deleting Scheduled Web Reports 210

    Additional Extended Web Reports 210

    Top URL Categories—Extended 211

    Top Application Types—Extended 211

    Generating Web Reports on Demand 212

    Archived Web Reports Page 213

    Viewing and Managing Archived Web Reports 213

    Web Tracking 214

    Searching for Transactions Processed by Web Proxy Services 214

    Malware Category Descriptions 216

    Searching for Transactions Processed by the L4 Traffic Monitor 218

    Searching for Transactions Processed by the SOCKS Proxy 218

    Web Tracking on the New Web Interface 219

    Searching for Transactions Processed by Web Proxy Services 219

    Malware Category Descriptions 221

    Searching for Transactions Processed by the Layer 4 Traffic Monitor 223

    Searching for Transactions Processed by the SOCKS Proxy 223

    Working with Web Tracking Search Results 223

    Displaying More Web Tracking Search Results 224

    Understanding Web Tracking Search Results 224

    Viewing Transaction Details for Web Tracking Search Results 224

  • About Web Tracking and Advanced Malware Protection Features 224

    About Web Tracking and Upgrades 225

    Troubleshooting Web Reporting and Tracking 225

    Centralized Reporting Is Enabled Properly But Not Working 226

    Advanced Malware Protection Verdict Updates Report Results Differ 226

    Issues Viewing File Analysis Report Details 226

    File Analysis Report Details Are Not Available 226

    Error When Viewing File Analysis Report Details 226

    Error When Viewing File Analysis Report Details with Private Cloud Cisco AMP Threat Grid Appliance 227

    Expected Data Is Missing from Reporting or Tracking Results 227

    PDF Shows Only a Subset of Web Tracking Data 227

    Troubleshooting L4 Traffic Monitor Reports 227

    Exported .CSV file is Different From Web Interface Data 228

    Issues Exporting Web Tracking Search Results 228

    Chapter 7: Tracking Messages 229

    Tracking Service Overview 229

    Setting Up Centralized Message Tracking 230

    Enabling Centralized Email Tracking 230

    Enabling Centralized Email Tracking on the Legacy Web Interface 230

    Configuring Centralized Message Tracking on Email Security Appliances 231

    Adding the Centralized Message Tracking Service to Each Managed Email Security Appliance 231

    Managing Access to Sensitive Information 232

    Checking Message Tracking Data Availability 232

    Searching for Email Messages 232

    Searching for Email Messages on the New Web Interface 233

    Searching for Email Messages on the Legacy Web Interface 235

    Narrowing the Result Set 237

    About Message Tracking and Advanced Malware Protection Features 238

    Understanding Tracking Query Results 238

    Message Details 239

    Verdict Chart and Last State Verdicts 239

  • Envelope and Header Summary 240

    Sending Host Summary 241

    Processing Details 241

    Troubleshooting Message Tracking 242

    Expected Messages Are Missing from Search Results 242

    Attachments Do Not Appear in Search Results 243

    Chapter 8: Spam Quarantine 245

    Overview of the Spam Quarantine 245

    Local Versus External Spam Quarantine 245

    Setting Up the Centralized Spam Quarantine 246

    Enabling and Configuring Spam Quarantine 246

    Enabling and Configuring the Spam Quarantine on the Legacy Web Interface 246

    Adding the Centralized Spam Quarantine Service to Each Managed Email Security Appliance 248

    Configuring an Outbound IP Interface on the Security Management Appliance 249

    Configuring the IP Interface for Browser Access to the Spam Quarantine 250

    Configuring Administrative User Access to the Spam Quarantine 250

    Limiting Which Recipients Have Mail Quarantined 251

    Spam Quarantine Language 251

    Edit Spam Quarantine Page 251

    Using Safelists and Blocklists to Control Email Delivery Based on Sender 252

    Message Processing of Safelists and Blocklists 252

    Enabling Safelists and Blocklists 253

    Enabling Safelists and Blocklists on the Legacy Web Interface 253

    External Spam Quarantine and Safelist/Blocklists 253

    Adding Senders and Domains to Safelists and Blocklists (Administrators) 254

    Syntax for Safelists and Blocklist Entries 258

    Clearing All Safelists and Blocklists 259

    About End-User Access to Safelists and Blocklists 259

    Adding Entries to Safelists (End Users) 259

    Adding Senders to Blocklists (End Users) 260

    Backing Up and Restoring the Safelist/Blocklist 260

    Troubleshooting Safelists and Blocklists 261

    Message from Safelisted Sender Was Not Delivered 261

  • Configuring Spam Management Features for End Users 262

    Authentication Options for End Users Accessing Spam Management Features 262

    LDAP Authentication Process 263

    IMAP/POP Authentication Process 264

    SAML 2.0 Authentication Process 264

    Setting Up End-User Access to the Spam Quarantine via Web Browser 264

    Configuring End-User Access to the Spam Quarantine 265

    Determining the URL for End-User Access to the Spam Quarantine 266

    Which Messages an End User Sees 266

    Notifying End Users About Quarantined Messages 267

    Recipient Email Mailing List Aliases and Spam Notifications 269

    Testing Notifications 270

    Troubleshooting Spam Notifications 270

    Managing Messages in the Spam Quarantine 271

    Accessing the Spam Quarantine (Administrative Users) 271

    Accessing the Spam Quarantine (Administrative Users) 271

    Searching for Messages in the Spam Quarantine 271

    Searching Very Large Message Collections 272

    Viewing Messages in the Spam Quarantine 272

    Delivering Messages in the Spam Quarantine 272

    Deleting Messages from the Spam Quarantine 273

    Disk Space for the Spam Quarantine 273

    About Disabling the External Spam Quarantine 273

    Troubleshooting Spam Quarantine Features 273

    Chapter 9: Centralized Policy, Virus, and Outbreak Quarantines 275

    Overview of Centralized Quarantines 275

    Quarantine Types 276

    Centralizing Policy, Virus, and Outbreak Quarantines 277

    Enabling Centralized Policy, Virus, and Outbreak Quarantines on the Security Management Appliance 279

    Enabling Centralized Policy, Virus, and Outbreak Quarantines on the New Web Interface of the Appliance 280

  • Adding the Centralized Policy, Virus, and Outbreak Quarantine Service to Each Managed Email Security Appliance 280

    Configuring Migration of Policy, Virus, and Outbreak Quarantines 281

    Designating an Alternate Appliance to Process Released Messages 283

    Configuring Centralized Quarantine Access for Custom User Roles 283

    Disabling Centralized Policy, Virus, and Outbreak Quarantines 283

    Releasing Messages When an Email Security Appliance Is Unavailable 284

    Managing Policy, Virus, and Outbreak Quarantines 284

    Disk Space Allocation for Policy, Virus, and Outbreak Quarantines 284

    Retention Time for Messages in Quarantines 285

    Default Actions for Automatically Processed Quarantined Messages 286

    Checking the Settings of System-Created Quarantines 286

    Configuring Policy, Virus, and Outbreak Quarantines 286

    About Editing Policy, Virus, and Outbreak Quarantine Settings 288

    Determining the Filters and Message Actions to Which a Policy Quarantine Is Assigned 289

    About Deleting Policy Quarantines 289

    Monitoring Quarantine Status, Capacity, and Activity 289

    Alerts About Quarantine Disk-Space Usage 291

    Policy Quarantines and Logging 291

    About Distributing Message Processing Tasks to Other Users 292

    Which User Groups Can Access Policy, Virus, and Outbreak Quarantines 292

    Working with Messages in Policy, Virus, or Outbreak Quarantines 292

    Viewing Messages in Quarantines 293

    Quarantined Messages and International Character Sets 294

    Searching for Messages in Policy, Virus, and Outbreak Quarantines 294

    Modifying Search Criteria 294

    Manually Processing Messages in a Quarantine 295

    Sending a Copy of the Message 295

    About Moving Messages Between Policy Quarantines 296

    Messages in Multiple Quarantines 296

    Message Details and Viewing Message Content 296

    Viewing Matched Content 297

    Downloading Attachments 298

    About Rescanning of Quarantined Messages 298

  • The Outbreak Quarantine 299

    Rescanning Messages in an Outbreak Quarantine 299

    Rule Summary View 299

    Manage by Rule Summary Link 300

    Reporting False Positives or Suspicious Messages to Cisco Systems 300

    Troubleshooting Centralized Policy Quarantines 300

    Administrative User Cannot Choose Quarantines in Filters and DLP Message Actions 300

    Messages Released from a Centralized Outbreak Quarantine Are Not Rescanned 300

    Chapter 10: Managing Web Security Appliances 301

    About Centralized Configuration Management 301

    Determining the Correct Configuration Publishing Method 301

    Using Configuration Masters to Centrally Manage Web Security Appliances 302

    Important Notes About Using Configuration Masters 305

    Determine the Configuration Master Versions to Use 305

    Enabling Centralized Configuration Management on the Security Management Appliance 305

    Initializing and Configuring Configuration Masters 306

    Initializing Configuration Masters 306

    About Associating Web Security Appliances to Configuration Masters 306

    Adding Web Security Appliances and Associating Them with Configuration Master Versions 307

    Associating Configuration Masters to Web Security Appliances 308

    Configuring Sub Configuration Masters 308

    Viewing Associated Configuration Masters in the Appliance List 309

    Deleting Sub Configuration Masters 309

    Selecting the Sub Configuration Master as the Active Configuration 309

    Configuring Settings to Publish 310

    Importing from an Existing Configuration Master 310

    Importing Settings from a Web Security Appliance 311

    Configuring Web Security Features Directly in Configuration Masters 311

    Ensuring that Features are Enabled Consistently 313

    Comparing Enabled Features 314

    Enabling Features to Publish 314

    Disabling Unused Configuration Masters 315

  • Setting Up to Use Advanced File Publishing 316

    Publishing Configurations to Web Security Appliances 316

    Publishing a Configuration Master 316

    Before You Publish a Configuration Master 316

    Publishing a Configuration Master Now 318

    Publishing a Configuration Master Later 319

    Publishing a Configuration Master Using the Command Line Interface 319

    Publishing Configurations Using Advanced File Publishing 320

    Advanced File Publish: Publish Configuration Now 320

    Advanced File Publish: Publish Later 321

    Viewing Status and History of Publishing Jobs 321

    Viewing Publish History 321

    Centralized Upgrade Management 322

    Setting Up Centralized Upgrade Management for Web Security Appliances 322

    Enable the Centralized Upgrade Manager 322

    Adding the Centralized Upgrade Service to Each Managed Web Security Appliance 323

    Selecting and Downloading WSA Upgrades 324

    Using the Install Wizard 325

    Viewing Web Security Appliance Status 326

    Viewing a Summary of Status of Web Appliances 326

    Viewing Status of Individual Web Security Appliances 326

    Web Appliance Status Details 327

    Preparing For and Managing URL Category Set Updates 327

    Understand the Impacts of URL Category Set Updates 327

    Ensure That You Will Receive Notifications and Alerts about URL Category Set Updates 328

    Specify Default Settings for New and Changed Categories 328

    When the URL Category Set is Updated, Check Your Policy and Identity/Identification Profile Settings 328

    Application Visibility and Control (AVC) Updates 328

    Troubleshooting Configuration Management Issues 329

    In Configuration Master Identities/Identification Profiles, Groups Are Not Available 329

    Configuration Master Access Policies Web Reputation and Anti-Malware Settings Page Settings are Not as Expected 329

    Troubleshooting Issues when Importing Existing Configuration for Configuration Masters 329

  • Troubleshooting Configuration Publishing Failures 330

    Chapter 11: Monitoring System Status 331

    About Security Management Appliance Status 331

    Monitoring Security Management Appliance Capacity 332

    Monitoring the Processing Queue 332

    Monitoring CPU Utilization 332

    Monitoring Status of Data Transfer From Managed Appliances 333

    Viewing the Configuration Status of Your Managed Appliances 334

    Additional Status Information for Web Security Appliances 335

    Monitoring Reporting Data Availability Status 335

    Monitoring Email Security Reporting Data Availability 335

    Monitoring Web Security Reporting Data Availability 335

    Monitoring Email Tracking Data Status 336

    Monitoring Capacity of Managed Appliances 336

    Identifying Active TCP/IP Services 336

    Replacing a Managed Appliance During Hardware Failure 336

    Chapter 12: Integrating With LDAP 337

    Overview 337

    Configuring LDAP to Work with the Spam Quarantine 337

    Creating the LDAP Server Profile 338

    Testing LDAP Servers 340

    Configuring LDAP Queries 340

    LDAP Query Syntax 340

    Tokens 340

    Spam Quarantine End-User Authentication Queries 341

    Sample Active Directory End-User Authentication Settings 341

    Sample OpenLDAP End-User Authentication Settings 342

    Spam Quarantine Alias Consolidation Queries 342

    Sample Active Directory Alias Consolidation Settings 343

    Sample OpenLDAP Alias Consolidation Settings 343

    Testing LDAP Queries 344

    Domain-Based Queries 344


  • Creating a Domain-Based Query 344

    Chain Queries 345

    Creating a Chain Query 346

    Configuring AsyncOS to Work With Multiple LDAP Servers 347

    Testing Servers and Queries 347

    Failover 347

    Configuring the Cisco Content Security Appliance for LDAP Failover 348

    Load Balancing 348

    Configuring the Cisco Content Security Appliance for Load Balancing 348

    Configuring External Authentication of Administrative Users Using LDAP 349

    User Accounts Query for Authenticating Administrative Users 350

    Group Membership Queries for Authenticating Administrative Users 350

    Enabling External Authentication of Administrative Users 352

    Chapter 13: Configuring SMTP Routing 353

    SMTP Routes Overview 353

    SMTP Routes, Mail Delivery, and Message Splintering 354

    SMTP Routes and Outbound SMTP Authentication 354

    Routing Email for Local Domains 354

    Default SMTP Route 354

    Managing SMTP Routes 355

    Defining an SMTP Route 355

    SMTP Routes Limits 355

    Adding SMTP Routes 355

    Exporting SMTP Routes 356

    Importing SMTP Routes 356

    SMTP Routes and DNS 357

    Chapter 14: Integrating with Cisco Threat Response 359

    Integrating Your Appliance with Cisco Threat Response 359

    Integrating with Cisco Threat Response 359

    Integrating the Appliance with Cisco Threat Response using CLI 361

    threatresponseconfig 361

    cloudserviceconfig 362


  • Performing Threat Analysis using Casebooks 364

    Obtaining Client ID and Client Password Credentials 364

    Adding Observable to Casebook for Threat Analysis 366

    Chapter 15: Distributing Administrative Tasks 369

    About Distributing Administrative Tasks 369

    Assigning User Roles 369

    Predefined User Roles 369

    Custom User Roles 372

    About Custom Email User Roles 372

    About Custom Web User Roles 375

    Deleting Custom User Roles 377

    User Roles with Access to the CLI 377

    Using LDAP 377

    Access to Quarantines 378

    Users Page 378

    About Authenticating Administrative Users 378

    Changing the Admin User’s Passphrase 378

    Changing the User’s Passphrase After Expiry 379

    Managing Locally-Defined Administrative Users 379

    Adding Locally-Defined Users 379

    Editing Locally-Defined Users 380

    Deleting Locally-Defined Users 380

    Viewing the List of Locally-Defined Users 381

    Setting and Changing Passphrases 381

    Setting Passphrase and Login Requirements 381

    Requiring Users to Change Passphrase on Demand 384

    Locking and Unlocking Local User Accounts 385

    External User Authentication 386

    Configuring LDAP Authentication 386

    Enabling RADIUS Authentication 386

    Two-Factor Authentication 389

    Enabling Two-Factor Authentication 389

    Disabling Two-Factor Authentication 390


  • Adding an Email or Web Security appliance over SSH with Pre-Shared Keys 390

    Additional Controls on Access to the Security Management Appliance 391

    Configuring IP-Based Network Access 391

    Direct Connections 391

    Connecting Through a Proxy 392

    Creating the Access List 392

    Configuring the Web UI Session Timeout 394

    Configuring the CLI Session Timeout 395

    Controlling Access to Sensitive Information in Message Tracking 395

    Displaying a Message for Administrative Users 396

    Viewing Administrative User Activity 396

    Viewing Active Sessions Using the Web 396

    Viewing Your Recent Login Attempts 397

    Viewing Administrative User Activity via the Command Line Interface 397

    Troubleshooting Administrative User Access 397

    Error: User Has No Access Privileges Assigned 397

    User Has No Active Menus 398

    Externally-Authenticated Users See Preferences Option 398

    Chapter 16: Common Administrative Tasks 399

    Performing Administrative Tasks 399

    Cisco Content Security Management Appliances Licensing 400

    Working with Feature Keys 400

    Virtual Appliance Licensing and Feature Keys 400

    Smart Software Licensing 400

    Overview 401

    Enabling Smart Software Licensing 402

    Registering the Appliance with Cisco Smart Software Manager 403

    Requesting for Licenses 404

    Deregistering the Appliance from Smart Cisco Software Manager 404

    Reregistering the Appliance with Smart Cisco Software Manager 405

    Changing Transport Settings 405

    Renewing Authorization and Certificate 405

    Updating Smart Agent 406


  • Alerts 406

    Command Line Interface 406

    Performing Maintenance Tasks Using CLI Commands 411

    Shutting Down the Security Management Appliance 411

    Rebooting the Security Management Appliance 411

    Taking the Security Management Appliance Out of Service 412

    CLI Examples: suspend and suspendtransfers Commands 412

    Resuming from a Suspended State 413

    CLI Examples: resume and resumetransfers Commands 413

    Resetting the Configuration to Factory Defaults 413

    The resetconfig Command 414

    Displaying the Version Information for AsyncOS 414

    Enabling Remote Power Cycling 414

    Monitoring System Health Using SNMP 415

    Example: snmpconfig Command 416

    Backing Up Security Management Appliance Data 417

    What Data Is Backed Up 418

    Restrictions and Requirements for Backups 418

    Backup Duration 419

    Availability of Services During Backups 419

    Interruption of a Backup Process 420

    Prevent the Target Appliance From Pulling Data Directly from Managed Appliances 420

    Receiving Alerts About Backup Status 420

    Scheduling Single or Recurring Backups 421

    Starting an Immediate Backup 421

    Checking Backup Status 422

    Backup Information in Log Files 422

    Other Important Backup Tasks 423

    Making a Backup Appliance the Primary Appliance 423

    Disaster Recovery on the Security Management Appliance 424

    Upgrading Appliance Hardware 426

    Upgrading AsyncOS 426

    Batch Commands for Upgrades 426

    Determining Network Requirements for Upgrades and Updates 426


  • Choosing an Upgrade Method: Remote vs. Streaming 427

    Streaming Upgrade Overview 427

    Remote Upgrade Overview 427

    Hardware and Software Requirements for Remote Upgrades 428

    Hosting a Remote Upgrade Image 429

    Important Differences in Remote Upgrading Method 429

    Configuring Upgrade and Service Update Settings 429

    Upgrade and Update Settings 430

    Static Upgrade and Update Server Settings for Environments with Strict Firewall Policies 431

    Configuring the Update and Upgrade Settings from the GUI 433

    Upgrade Notifications 434

    Before You Upgrade: Important Steps 434

    Upgrading AsyncOS 434

    Viewing Status of, Canceling, or Deleting a Background Download 436

    After Upgrading 437

    About Reverting to an Earlier Version of AsyncOS 437

    Important Note About Reversion Impact 437

    Reverting AsyncOS 437

    About Updates 439

    About URL Category Set Updates for Web Usage Controls 439

    Configuring the Return Address for Generated Messages 439

    Managing Alerts 439

    Alert Types and Severities 440

    Alert Delivery 440

    Viewing Recent Alerts 441

    About Duplicate Alerts 441

    Cisco AutoSupport 441

    Hardware Alert Descriptions 442

    System Alert Descriptions 442

    Changing Network Settings 446

    Changing the System Hostname 446

    The sethostname Command 446

    Configuring Domain Name System Settings 446

    Specifying DNS Servers 447


  • Multiple Entries and Priority 447

    Using the Internet Root Servers 447

    Reverse DNS Lookup Timeout 448

    DNS Alert 448

    Clearing the DNS Cache 448

    Configuring DNS Settings via the Graphical User Interface 448

    Configuring TCP/IP Traffic Routes 449

    Managing Static Routes in the GUI 449

    Modifying the Default Gateway (GUI) 449

    Configuring the Default Gateway 449

    Specifying a Secure Communication Protocol 449

    Configuring the System Time 450

    Using a Network Time Protocol (NTP) Server 451

    (Recommended) Setting Appliance System Time Using the Network Time Protocol (NTP) 451

    Selecting a GMT Offset 451

    Updating Time Zone Files 452

    Automatically Updating Time Zone Files 452

    Manually Updating Time Zone Files 452

    Configuration File Page 452

    Saving and Importing Configuration Settings 453

    Managing Configuration Files 453

    Saving and Exporting the Current Configuration File 453

    Loading a Configuration File 454

    Resetting the Current Configuration 456

    Rolling Back to a Previously Committed Configuration 456

    CLI Commands for Configuration Files 456

    The showconfig, mailconfig, and saveconfig Commands 457

    The loadconfig Command 458

    The rollbackconfig Command 458

    The publishconfig Command 458

    The trailblazerconfig Command 458

    Uploading Configuration Changes Using the CLI 459

    Managing Disk Space 460

    (Virtual Appliances Only) Increasing Available Disk Space 460


  • Viewing Disk Space, Quotas and Usage 461

    About Disk Space Maximums and Allocations 461

    Ensuring That You Receive Alerts About Disk Space 462

    Managing Disk Space for the Miscellaneous Quota 462

    Reallocating Disk Space Quotas 462

    Adjusting the Reference Threshold in System Health Graphs for Email Security Appliances 463

    SSO Using SAML 2.0 463

    About SSO and SAML 2.0 464

    SAML 2.0 SSO Workflow 464

    Guidelines and Limitations for SAML 2.0 465

    Logout 465

    General 465

    Spam Quarantine Access for Administrators 465

    How to Configure SSO for Spam Quarantine 465

    Prerequisites 466

    Configure Cisco Content Security Management Appliance as a Service Provider 466

    Configure the Identity Provider to Communicate with Cisco Content Security Management Appliance 468

    Configure Identity Provider Settings on Cisco Content Security Management Appliance 469

    Enable SSO for Spam Quarantine 470

    Customizing Your View 471

    Using Favorite Pages 471

    Setting Preferences 471

    General Settings 472

    Monitoring Web Usage Analytics 472

    Improving Web Interface Rendering 472

    Restarting and Viewing Status of Services Enabled on Appliance 473

    Chapter 17: Logging 475

    Logging Overview 475

    Logging Versus Reporting 475

    Log Retrieval 475

    Filename and Directory Structure 476

    Log Rollover and Transfer Schedule 476


  • Timestamps in Log Files 477

    Logs Enabled by Default 477

    Log Types 478

    Summary of Log Types 478

    Log Type Comparison 481

    Using Configuration History Logs 482

    Using CLI Audit Logs 483

    Using FTP Server Logs 483

    Using HTTP Logs 484

    Using Spam Quarantine Logs 485

    Using Spam Quarantine GUI Logs 485

    Using Text Mail Logs 486

    Sample Text Mail Log 486

    Examples of Text Mail Log Entries 488

    Generated or Rewritten Messages 490

    Sending a Message to the Spam Quarantine 490

    Using NTP Logs 491

    Using Reporting Logs 491

    Using Reporting Query Logs 492

    Using Safelist/Blocklist Logs 493

    Using SMA Logs 493

    Using Status Logs 494

    Using System Logs 496

    Understanding Tracking Logs 497

    Log Subscriptions 497

    Configuring Log Subscriptions 497

    Setting the Log Level 498

    Creating a Log Subscription in the GUI 499

    Editing Log Subscriptions 499

    Configuring Global Settings for Logging 500

    Logging Message Headers 500

    Configuring Global Settings for Logging by Using the GUI 501

    Rolling Over Log Subscriptions 501

    Rolling Over Logs in Log Subscriptions 502


  • Rolling Over Logs Immediately Using the GUI 502

    Rolling Over Logs Immediately via the CLI 502

    Viewing the Most Recent Log Entries in the GUI 502

    Viewing the Most Recent Entries in Logs (tail Command) 502

    Configuring Host Keys 503

    Chapter 18: Troubleshooting 507

    Collecting System Information 507

    Troubleshooting Hardware Issues 507

    Troubleshooting Feature Setup Issues 507

    General Troubleshooting Resources 508

    Troubleshooting Issues with Specific Functionality 508

    Responding to Alerts 509

    Alert: Battery Relearn Timed Out (RAID Event) on 380 or 680 Hardware 509

    Additional Alert Descriptions 509

    Working with Technical Support 509

    Opening or Updating a Support Case from the Appliance 509

    Getting Support for Virtual Appliances 510

    Enabling Remote Access for Cisco Technical Support Personnel 510

    Enabling Remote Access to Appliances With an Internet Connection 511

    Enabling Remote Access to Appliances Without a Direct Internet Connection 511

    Disabling a Tech Support Tunnel 512

    Disabling Remote Access 512

    Checking the Status of the Support Connection 512

    Running a Packet Capture 512

    Remotely Resetting Appliance Power 513

    Appendix A: IP Interfaces and Accessing the Appliance 515

    IP Interfaces and Accessing the Appliance 515

    IP Interfaces 515

    Configuring IP Interfaces 516

    Creating IP Interfaces Using the GUI 516

    Accessing the Appliance via FTP 517

    Secure Copy (scp) Access 519


  • Accessing via a Serial Connection 519

    Pinout Details for the Serial Port in 80- and 90- Series Hardware 520

    Pinout Details for the Serial Port in 70-Series Hardware 520

    Appendix B: Assigning Network and IP Addresses 523

    Ethernet Interfaces 523

    Selecting IP Addresses and Netmasks 523

    Sample Interface Configurations 524

    IP Addresses, Interfaces, and Routing 524

    Summary 525

    Strategies for Connecting Your Content Security Appliance 525

    Appendix C: Firewall Information 527

    Firewall Information 527

    Appendix D: Web Security Management Examples 531

    Web Security Management Examples 531

    Web Security Appliance Examples 531

    Example 1: Investigating a User 531

    Example 2: Tracking a URL 533

    Example 3: Investigating Top URL Categories Visited 533

    Appendix E: Additional Resources 535

    Cisco Notification Service 535

    Documentation 535

    Third Party Contributors 536

    Training 536

    Knowledge Base Articles (TechNotes) 537

    Cisco Support Community 537

    Customer Support 537

    Registering for a Cisco Account 537

    Cisco Welcomes Your Comments 538

    Appendix F: End User License Agreement 539


  • Cisco Systems End User License Agreement 539

    Supplemental End User License Agreement for Cisco Systems Content Security Software 545


  • Chapter 1: Introduction

    This chapter contains the following sections:

    • What's New in this Release, on page 1

    • Cisco Content Security Management Overview, on page 3

    What's New in this Release

    This section describes the new features and enhancements in this release of AsyncOS for Cisco Content Security Management.

    Table 1: What's New in AsyncOS 12.x

    Feature: Support for new hardware models

    Description: The AsyncOS 12.5.0 release for Cisco Content Security Management appliance supports the following hardware models:

    • M195

    • M395

    • M695

    For details, see https://www.cisco.com/c/en/us/products/collateral/security/content-security-management-appliance/datasheet_C78-721194.html

    Feature: Managing Multiple Subset of Configuration Masters

    Description: You can now configure subsets of a particular version of the Configuration Master to centrally manage the different policy configurations of your Web Security appliance.

    For more information, see Managing Web Security Appliances, on page 301.

    Feature: Performing Threat Analysis using Casebooks

    Description: The Cisco Content Security Management appliance now includes the casebook and pivot menu widgets.

    Note: If you are using the Microsoft Internet Explorer browser to access your appliance, you will not be able to use the casebook widget.

    You can perform the following actions in your appliance using the casebook and pivot menu widgets:

    • Add an observable to a casebook to investigate for threat analysis.

    • Pivot an observable to a new case, an existing case, or other devices registered in the Cisco Threat Response portal (for example, AMP for Endpoints, Cisco Umbrella, Cisco Talos Intelligence, and so on) to investigate for threat analysis.

    For more information, see Integrating with Cisco Threat Response, on page 359.

    Feature: Ability to choose Cisco Threat Response server when registering appliance with Cisco Threat Response portal

    Description: When registering your appliance with the Cisco Threat Response portal, you can now choose a Cisco Threat Response server to connect your appliance to the Cisco Threat Response portal.

    The following are the Cisco Threat Response servers that are supported for this release:

    • AMERICAS (api-sse.cisco.com)

    • EUROPE (api.eu.sse.itd.cisco.com)

    For more information, see Integrating with Cisco Threat Response, on page 359.

    Feature: My Reports page on the New Web Interface

    Description: You can create a custom report page by assembling charts (graphs) and tables from all your existing email security reports on the new web interface of your appliance.

    For more information, see Working With Reports on the New Web Interface, on page 33.

    Feature: Configuring Policy, Virus and Outbreak Quarantine on the New Web Interface

    Description: You can now configure Policy, Virus or Outbreak Quarantine from the new web interface of your appliance.

    For more information, see Centralized Policy, Virus, and Outbreak Quarantines, on page 275.

    Feature: Managing APIs using Swagger UI

    Description: Swagger is a set of open-source tools built around the OpenAPI Specification.

    Swagger UI helps you to design and manage AsyncOS API resources on a web interface.

    For more information, see Setup, Installation, and Basic Configuration, on page 5.

    Feature: Monitoring Web Usage Analytics

    Description: You can enable or disable your website usage or activity from being sent for statistical analysis.

    For more information, see Common Administrative Tasks, on page 399.

    Cisco Content Security Management Overview

    AsyncOS for Cisco Content Security Management incorporates the following features:

    • External Spam Quarantine: Hold spam and suspected spam messages for end users, and allow end users and administrators to review messages that are flagged as spam before making a final determination.

    • Centralized Policy, Virus, and Outbreak Quarantines: Provide a single interface for managing these quarantines and the messages quarantined in them from multiple Email Security appliances. Allows you to store quarantined messages behind the firewall.

    • Centralized reporting: Run reports on aggregated data from multiple Email and Web Security appliances. The same reporting features available on individual appliances are available on Security Management appliances.

    • Centralized tracking: Use a single interface to track email messages and web transactions that were processed by multiple Email and Web Security appliances.

    • Centralized Configuration Management for Web Security appliances: For simplicity and consistency, manage policy definition and policy deployment for multiple Web Security appliances.

    Note: The Security Management appliance is not involved in centralized email management, or ‘clustering’ of Email Security appliances.

    • Centralized Upgrade Management: You can simultaneously upgrade multiple Web Security appliances (WSAs) using a single Security Management Appliance (SMA).

    • Backup of data: Back up the data on your Security Management appliance, including reporting and tracking data, quarantined messages, and lists of safe and blocked senders.

    You can coordinate your security operations from a single Security Management appliance or spread the load across multiple appliances.


  • Chapter 2: Setup, Installation, and Basic Configuration

    This chapter contains the following sections:

    • Solution Deployment Overview, on page 5

    • SMA Compatibility Matrix, on page 6

    • Installation Planning, on page 6

    • Preparing for Setup, on page 7

    • Accessing the Security Management Appliance, on page 9

    • Accessing the Security Management Appliance API Interface Using Swagger UI, on page 13

    • Running the System Setup Wizard, on page 13

    • About Adding Managed Appliances, on page 17

    • Configuring Services on the Security Management Appliance, on page 18

    • Committing and Abandoning Configuration Changes, on page 19

    Solution Deployment Overview

    To configure your Cisco Content Security Management appliance to provide service to your Cisco Content Security solution:

    Step 1 On these appliances: All appliances
    Do this: Ensure that your appliances meet the system requirements for the features you will use. If necessary, upgrade your appliances.
    More information: See the SMA Compatibility Matrix, on page 6.

    Step 2 On these appliances: Email Security appliances
    Do this: Before you introduce centralized services to your environment, configure all Email Security appliances to provide the security features you want, and verify that all features are working as expected on each appliance.
    More information: See the documentation for your Cisco Email Security release.

    Step 3 On these appliances: Web Security appliances
    Do this: Before you introduce centralized services to your environment, configure at least one Web Security appliance to provide the security features you want, and verify that all features are working as expected.
    More information: See the AsyncOS for Cisco Web Security Appliances User Guide.

    Step 4 On these appliances: Security Management appliance
    Do this: Set up the appliance and run the System Setup Wizard.
    More information: See the Installation Planning, on page 6, Preparing for Setup, on page 7 and the Running the System Setup Wizard, on page 13.

    Step 5 On these appliances: All appliances
    Do this: Configure each centralized service that you want to deploy.
    More information: Start with the Configuring Services on the Security Management Appliance, on page 18.

    SMA Compatibility Matrix

    For compatibility of your Security Management appliance with Email Security appliances and Web Security appliances, and for compatibility of configuration files when importing and publishing Web Security appliance configurations, see the Compatibility Matrix at http://www.cisco.com/c/en/us/support/security/content-security-management-appliance/products-release-notes-list.html.

    Installation Planning

    • Network Planning, on page 6

    • About Integrating a Security Management Appliance with Email Security Appliances, on page 7

    • Deployments with Clustered Email Security Appliances, on page 7

    Network Planning

    The Security Management appliance lets you separate end user applications from the more secure gateway systems residing in your demilitarized zones (DMZs). Using a two-layer firewall can provide flexibility in network planning so that end users do not connect directly to the outer DMZ.

    Figure 1: Typical Network Configuration Incorporating the Security Management appliance

    The following figure shows a typical network configuration incorporating the Security Management appliance and multiple DMZs. You deploy the Security Management appliance outside your DMZ, in your internal networks. All connections are initiated by the Security Management appliances (M-Series) to the managed Email Security appliances (C-Series) and managed Web Security appliances (S-Series).

    Corporate data centers can share a Security Management appliance to perform centralized reporting and message tracking for multiple Web and Email Security appliances, and centralized policy configuration for multiple Web Security appliances. The Security Management appliance can also be used as an external spam quarantine.

    After you connect the Email Security appliance and the Web Security appliances to a Security Management appliance and properly configure all appliances, AsyncOS gathers and aggregates data from the managed appliances. From the aggregated data, reports can be generated and an overall view of email and web usage can be determined.

    About Integrating a Security Management Appliance with Email Security Appliances

    For additional information about integrating the Security Management appliance with your Email Security appliances, see the “Centralizing Services on a Cisco Content Security Management Appliance” chapter in the user documentation or online help for your Email Security appliance.

    Deployments with Clustered Email Security Appliances

    The Security Management appliance cannot be placed in a cluster of Email Security appliances that are using the email appliances’ centralized management feature. However, clustered Email Security appliances can deliver messages to the Security Management appliance for centralized reporting and tracking and to quarantine messages.

    Preparing for Setup

    Before you run the System Setup Wizard:

    Step 1 Review the latest release notes for your product. See Network Planning, on page 6.

    Step 2 Verify that the components of your security solution are compatible. See the SMA Compatibility Matrix, on page 6.

    Step 3 Ensure that your network and physical space are ready to support this deployment. See Installation Planning, on page 6.

    Step 4 Physically set up and connect the Security Management appliance. See Physically Setting Up and Connecting the Appliance, on page 7.

    Step 5 Determine network and IP address assignments. See Determining Network and IP Address Assignments, on page 8.

    Step 6 Gather information about your system setup. See Gathering the Setup Information, on page 8.

    Physically Setting Up and Connecting the Appliance

    Before you follow the procedures in this chapter, complete the steps described in the quick start guide that came with your appliance. In this guide, it is assumed that you have unpacked the appliance, physically installed it in a rack, and turned it on.

    Before you can log in to the GUI, you need to set up a private connection between a PC and the Security Management appliance. For example, you can use the included crossover cable to connect directly from the Management port on the appliance to a laptop. Optionally, you can connect through an Ethernet connection between a PC and the network (for example, an Ethernet hub) and between the network and the Management port on the Security Management appliance.

    Determining Network and IP Address Assignments

    Note: If you have already cabled your appliance to your network, ensure that the default IP address for the content security appliance does not conflict with other IP addresses on your network. The IP address that is pre-configured on the Management port of each appliance is 192.168.42.42.

    After setup, go to the Management Appliance > Network > IP Interfaces page on the main Security Management appliance to change the interface that the Security Management appliance uses.

    You need the following network information about each Ethernet port that you choose to use:

    • IP address

    • Netmask

    In addition, you need the following information about your overall network:

    • IP address of the default router (gateway) on your network

    • IP address and hostname of your DNS servers (not required if you want to use Internet root servers)

    • Hostname or IP address of your NTP servers (not required if you want to manually set system time)

    For more information, see Assigning Network and IP Addresses, on page 523.

    If you are running a firewall on your network between the Internet and the content security appliance, it may be necessary to open specific ports for the appliance to work properly. For more information on firewalls, see Firewall Information, on page 527.

    Note: Always use the same IP address on the Security Management appliance for receiving and sending email messages to the Email Security appliances. For an explanation, see information about Mail Flow in the documentation for your Email Security appliance.

    Note that IPv6 is not supported for communication between the Cisco Content Security Management appliance and the appliances it manages.

    Gathering the Setup Information

    Use the following table to gather information about system setup. You will need this information at hand while running the System Setup Wizard.

    Note: See Assigning Network and IP Addresses, on page 523, for detailed information about network and IP addresses.

    The following table shows the system setup worksheet.

    1. Notifications
       Email address where system alerts are sent:

    2. System Time
       NTP Server (IP address or hostname):

    3. Admin Passphrase
       Choose a new passphrase for the “admin” account:

    4. AutoSupport
       Enable AutoSupport? ___ Yes ___ No

    5. Hostname
       Fully qualified hostname of the Security Management appliance:

    6. Interface / IP Address
       IP address:
       Netmask:

    7. Network
       Gateway: Default Gateway (router) IP address:
       DNS: ___ Use the Internet’s root DNS servers
            ___ Use these DNS servers:
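    A pre-flight check of the worksheet above, as an added example (not part of the Cisco guide and not Cisco tooling): it validates the values before they are typed into the System Setup Wizard. The dictionary keys and the addresses_in_use inventory are hypothetical names, and the gateway and network/broadcast checks are general network sanity checks rather than rules from the guide.

```python
import ipaddress

# Values stated in this guide.
FACTORY_DEFAULT_IP = ipaddress.ip_address("192.168.42.42")
DEFAULT_PASSPHRASE = "ironport"
MAX_WIZARD_DNS_SERVERS = 4


def validate_worksheet(ws, addresses_in_use=()):
    """Return a list of problems found in a filled-in worksheet (a dict)."""
    problems = []
    in_use = {ipaddress.ip_address(a) for a in addresses_in_use}

    # Row 1: at least one alert recipient; several are comma-separated.
    emails = [e.strip() for e in ws.get("alert_emails", "").split(",") if e.strip()]
    if not emails:
        problems.append("no alert email address given")
    for email in emails:
        local, _, domain = email.partition("@")
        if not local or "." not in domain or "@" in domain:
            problems.append(f"malformed alert address: {email}")

    # Row 3: the new admin passphrase must differ from the shipped default.
    if ws.get("admin_passphrase", "") in ("", DEFAULT_PASSPHRASE):
        problems.append("admin passphrase is empty or still the default")

    # Row 5: the hostname must be fully qualified.
    if "." not in ws.get("hostname", "").strip("."):
        problems.append("hostname is not fully qualified")

    # Row 6: interface address and netmask.
    try:
        iface = ipaddress.ip_interface(f"{ws['ip']}/{ws['netmask']}")
    except (KeyError, ValueError) as exc:
        return problems + [f"invalid IP address or netmask: {exc}"]
    net = iface.network
    if iface.version == 6:
        problems.append("IPv6 is not supported toward managed appliances")
    if net.prefixlen < net.max_prefixlen - 1 and iface.ip in (
            net.network_address, net.broadcast_address):
        problems.append("IP address is the network or broadcast address")
    if iface.ip in in_use:
        problems.append(f"{iface.ip} is already assigned to another device")
    # The appliance answers on the factory default until setup completes.
    if FACTORY_DEFAULT_IP in in_use:
        problems.append(f"factory default {FACTORY_DEFAULT_IP} is already in use")

    # Row 7, gateway: general sanity check, not a rule from the guide.
    try:
        gateway = ipaddress.ip_address(ws["gateway"])
        if gateway not in net:
            problems.append("default gateway is outside the interface subnet")
    except (KeyError, ValueError) as exc:
        problems.append(f"invalid default gateway: {exc}")

    # Row 7, DNS: an empty list means "use the Internet's root DNS servers".
    dns_servers = ws.get("dns_servers", [])
    if len(dns_servers) > MAX_WIZARD_DNS_SERVERS:
        problems.append("the wizard accepts at most four DNS servers")
    for server in dns_servers:
        try:
            ipaddress.ip_address(server)
        except ValueError:
            problems.append(f"DNS server is not an IP address: {server}")
    return problems


# Constructed sample worksheet (documentation-style values, not real hosts).
SAMPLE = {
    "alert_emails": "secops@example.com, noc@example.com",
    "admin_passphrase": "ironport",
    "hostname": "sma01", "gateway": "10.20.31.1",
    "ip": "10.20.30.40", "netmask": "255.255.255.0",
    "dns_servers": ["10.20.30.53"],
}

if __name__ == "__main__":
    for problem in validate_worksheet(SAMPLE, ["10.20.30.1", "192.168.42.42"]):
        print("FIX:", problem)
```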

    Accessing the Security Management Appliance

    The Security Management appliance has a standard web-based graphical user interface, a separate web-based interface for managing the spam quarantine, a command-line interface, and special or limited web interfaces for administrative users granted access to specific features and functionality.

    • Browser Requirements, on page 9

    • About Accessing the Web Interfaces, on page 10

    • Accessing the Legacy Web Interface, on page 12

    • Accessing the Web Interface, on page 11

    • Accessing the Command Line Interface, on page 12

    • Supported Languages, on page 12

    Browser Requirements

    To access the GUI, your browser must support and be enabled to accept JavaScript and cookies, and it must be able to render HTML pages containing Cascading Style Sheets (CSS).

    Table 2: Supported Browsers and Releases

    Browser                       Windows 7               MacOS 10.6
    Safari                        —                       7.0 and later
    Google Chrome                 Latest Stable Version   Latest Stable Version
    Microsoft Internet Explorer   11.0                    —
    Mozilla Firefox               Latest Stable Version   Latest Stable Version

    • Internet Explorer 11.0 (Windows 7 only)

    • Safari (7 and later)

    • Firefox (Latest Stable Version)

    • Google Chrome (Latest Stable Version)

    Browsers are supported only for operating systems officially supported by the browser.

    You may need to configure your browser’s pop-up blocking settings in order to use the GUI, because some buttons or links in the interface will cause additional windows to open.

    For a seamless navigation and rendering of HTML pages, Cisco recommends using the following browsers to access the new web interface of the appliance (AsyncOS 12.0 and later):

    • Google Chrome (Latest Stable Version)

    • Mozilla Firefox (Latest Stable Version)

    You can access the legacy web interface of the appliance on any of the supported browsers.

    The supported resolution for the new web interface of the appliance (AsyncOS 12.0 and later) is between 1280x800 and 1680x1050. The best viewed resolution is 1440x900, for all the browsers.

    Note: Cisco does not recommend viewing the new web interface of the appliance on higher resolutions.

    About Accessing the Web Interfaces

    The Security Management appliance has two web interfaces: the standard administrator interface, available by default on port 80, and the spam quarantine end user interface, available by default on port 82. The spam quarantine HTTPS interface defaults to port 83 when enabled.

    Because you can specify HTTP or HTTPS when configuring each of the web interfaces (go to Management Appliance > Network > IP Interfaces on the Security Management appliance), you may be asked to reauthenticate if you switch between the two during your session. For example, if you access the admin web interface through HTTP on port 80 and then, in the same browser, access the spam quarantine end user web interface through HTTPS on port 83, you are asked to reauthenticate if you return to the admin web interface.


    Note:

    - When accessing the GUI, do not use multiple browser windows or tabs simultaneously to make changes to the Security Management appliance. Do not use concurrent GUI and CLI sessions either. Doing so will cause unexpected behavior and is not supported.

    - By default, your session times out if you are idle for more than 30 minutes or if you close the browser without logging out. If this happens, you must reenter your user name and passphrase. To change the timeout limit, see Configuring the Web UI Session Timeout, on page 394.

    Accessing the Web Interface

    Step 1 Open your web browser and enter the IP address or host name of your appliance.

    Step 2 [New Web Interface Only] You can access the new web interface in any one of the following ways:

    Note: The new web interface of your appliance uses AsyncOS API HTTP/HTTPS ports (6080/6443) and trailblazer HTTPS port (4431). You can use the trailblazerconfig command in the CLI to configure the trailblazer HTTPS ports. Make sure that the trailblazer HTTPS port is opened on the firewall.

    • When trailblazerconfig CLI command is enabled, use the following URL - https://example.com:/ng-login

    where example.com is the appliance host name and is the trailblazer HTTPS port configured on the appliance.

    For more information on the trailblazerconfig CLI command, see The trailblazerconfig Command, on page 458.

    • When trailblazerconfig CLI command is disabled, use the following URL - https://example.com:/ng-login

    where example.com is the appliance host name and is the HTTPS port configured on the appliance.

    • Log in to the legacy web interface and click the Security Management appliance is getting a new look. Try it!! link to access the new web interface.

    Important:

    • Make sure that AsyncOS API is enabled on the appliance.

    • You must log in to the legacy web interface of the appliance.

    • If trailblazerconfig is enabled, the configured HTTPS port must be opened on the firewall. The default HTTPS port is 4431.

    Also ensure that your DNS server can resolve the hostname that you specified for accessing the appliance.

    • If trailblazerconfig is disabled, the AsyncOS API ports configured in Management Appliance > Network > IP Interfaces must be opened on the firewall. The default AsyncOS API HTTP/HTTPS port is 6080/6443.

    Step 3 Enter the following default values:

    • User name: admin

    • Passphrase: ironport


    Note: This passphrase is NOT valid after you complete the System Setup Wizard, either using the web interface or the command-line interface.

    Accessing the Legacy Web Interface

    Note: You must log in to the Security Management Appliance to access the legacy web interface. For more information, see Accessing the Web Interface, on page 11.

    To enable and configure reporting, message tracking, quarantines, network access, and monitor system status, you must access the legacy web interface.

    To access the legacy web interface from the new web interface, click on the gear icon as shown in the following figure:

    Figure 2: Accessing the Legacy Web Interface from the

    The legacy web interface opens in a new browser window. You must log in again to access it.

    If you want to log out of the appliance completely, you need to log out of both the new and legacy web interfaces of your appliance.

    Accessing the Command Line Interface

    The command line interface, or CLI, is accessed on the Security Management appliance in the same way that the CLI is accessed on all Cisco Content Security appliances. There are, however, some differences:

    • System setup must be performed through the GUI.

    • Some CLI commands are not available on the Security Management appliance. For a list of which commands are not supported, see the IronPort AsyncOS CLI Reference Guide for Cisco Content Security Appliances.

    For production deployments, you should use SSH to access the CLI. Use a standard SSH client to access the appliance on port 22. For lab deployments, you can also use telnet; however, this protocol is not encrypted.
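    A reachability check for the listeners named in About Accessing the Web Interfaces, Accessing the Web Interface and this section, as an added example (not part of the Cisco guide): it reports a new-web-interface port that the firewall still blocks and any unencrypted management listener that answers. Ports are the defaults quoted in this guide and change if you reconfigure them; telnet's port 23 and treating only the HTTPS API port as required when trailblazerconfig is disabled are assumptions.

```python
import socket

# port -> (service, encrypted?). Defaults as quoted in this guide, except 23:
# the guide names telnet without a port, so its standard port is assumed.
DEFAULT_SERVICES = {
    22: ("CLI over SSH", True),
    23: ("CLI over telnet", False),
    80: ("administrator web interface, HTTP", False),
    82: ("spam quarantine end user interface, HTTP", False),
    83: ("spam quarantine end user interface, HTTPS", True),
    4431: ("trailblazer, HTTPS", True),
    6080: ("AsyncOS API, HTTP", False),
    6443: ("AsyncOS API, HTTPS", True),
}


def required_for_new_ui(trailblazer_enabled):
    """Ports the firewall must pass for the new web interface login URL.

    Assumption: the guide's login URLs are HTTPS, so with trailblazerconfig
    disabled only the HTTPS API port is treated as required.
    """
    return {4431} if trailblazer_enabled else {6443}


def tcp_probe(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(host, trailblazer_enabled, probe=tcp_probe):
    """Return (port, service, status) findings for an appliance you administer.

    status is "blocked" for a required port that does not answer and
    "cleartext" for an unencrypted listener that does.
    """
    required = required_for_new_ui(trailblazer_enabled)
    findings = []
    for port, (service, encrypted) in sorted(DEFAULT_SERVICES.items()):
        reachable = probe(host, port)
        if port in required and not reachable:
            findings.append((port, service, "blocked"))
        if reachable and not encrypted:
            findings.append((port, service, "cleartext"))
    return findings


if __name__ == "__main__":
    # Constructed reachability result standing in for a live probe.
    answering = {22, 80, 6443}
    for finding in audit("sma01.example.com", True, lambda h, p: p in answering):
        print(finding)
```

    Run it from the network segment your administrators use, since the firewall rules in question sit between that segment and the appliance.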

    Supported Languages

    With the appropriate license key, AsyncOS can display the GUI and CLI in any of the following languages:

    • English

    • French

    • Spanish

    • German

    • Italian

    • Korean

    • Japanese

    • Portuguese (Brazil)

    • Chinese (traditional and simplified)

    • Russian

    To choose the GUI and default reporting language, do one of the following:

    • Set the language preference. See Setting Preferences, on page 471.

    • Use the Options menu at the top right side of the GUI window to select the language for the session.

    (The method that works depends on the method used to authenticate your login credentials.)

    Accessing the Security Management Appliance API Interface Using Swagger UI

    Swagger UI allows you to visualize and interact with the API resources of your appliance. This is automatically generated from your API specifications. For more information, see https://swagger.io/tools/swagger-ui/.

    You can log in to the Swagger UI on the new web interface of your Security Management appliance in any one of the following ways:

    • Use the following URL - https://example.com:/swagger

    where example.com is the appliance host name and is the trailblazer HTTPS port configured on the appliance.

    Note: You must enable the trailblazer HTTPS port on the appliance to access the Swagger UI. For more information on the trailblazerconfig CLI command, see The trailblazerconfig Command, on page 458.

    • Log in to the new web interface of your appliance. Click the ? button on the upper-right corner and select API Help: Swagger from the drop-down. The Swagger UI opens in a new browser window.

    Running the System Setup Wizard

    AsyncOS provides a browser-based System Setup Wizard to guide you through the process of system configuration. Later, you may want to take advantage of custom configuration options not available in the wizard. However, you must use the wizard for the initial setup to ensure a complete configuration.

    The Security Management appliance supports this wizard via the GUI only. It does not support system setup through the command line interface (CLI).

    • Before You Begin, on page 13

    • Overview of the System Setup Wizard, on page 14

    Before You Begin

    Complete all tasks in Preparing for Setup, on page 7.


    Caution: The System Setup Wizard completely reconfigures the appliance. Only use the wizard when you initially install the appliance, or if you want to completely overwrite the existing configuration.

    Be sure to connect the Security Management appliance to your network through the Management port.

    Caution: The Security Management appliance ships with a default IP address of 192.168.42.42 on the Management port. Before connecting the Security Management appliance to your network, ensure that no other device’s IP address conflicts with the factory default setting.

    Note: By default, your session times out if you are idle for more than 30 minutes or if you close the browser without logging out. If this happens, you must reenter your user name and passphrase. If the session times out while you are running the System Setup Wizard, you need to start over from the beginning. To change the timeout limit, see Configuring the Web UI Session Timeout, on page 394.

    Overview of the System Setup Wizard

    Step 1 Launch the System Setup Wizard, on page 15

    Step 2 Review the End User License Agreement, on page 15

    Step 3 Configure the System Settings, on page 15

    • Notification settings and AutoSupport

    • System time settings

    • Admin passphrase

    Step 4 Configure the Network Settings, on page 15

    • Hostname of the appliance

    • IP address, network mask, and gateway of the appliance

    • Default router and DNS settings

    Step 5 Review Your Configuration, on page 16

    Proceed through the wizard pages, and carefully review your configuration at Step 4. You can return to a step by clicking Previous. At the end of the process, the wizard prompts you to commit the changes that you have made. Most changes do not take effect until you commit them.

    Step 6 Proceeding to the Next Steps, on page 16


    Launch the System Setup Wizard

    To launch the wizard, log in to the GUI as described in Accessing the Web Interface, on page 11. The first time you log in to the GUI, the initial page of the System Setup Wizard appears by default. You can also access the System Setup Wizard from the System Administration menu (Management Appliance > System Administration > System Setup Wizard).

    Review the End User License Agreement

    Begin by reading the license agreement. After you have read and agreed to the license agreement, select the check box indicating that you agree, and then click Begin Setup to proceed.

    Configure the System Settings

    Entering an Email Address for System Alerts

    AsyncOS sends alert messages through email if there is a system error that requires your intervention. Enter the email address (or addresses) where the alerts are sent.

    You need to add at least one email address for the system alerts. Separate multiple addresses with commas. The email addresses that you enter initially receive all types of alerts at all levels. You can customize the alert configuration later. For more information, see Managing Alerts, on page 439.

    Setting the Time

    Set the time zone on the Security Management appliance so that timestamps in reports, message headers and log files are correct. Use the drop-down menus to locate your time zone or to define the time zone by GMT offset.

    You can set the system clock time manually, but Cisco recommends using a Network Time Protocol (NTP) server to synchronize time with other servers on your network or the Internet. By default, the Cisco NTP server (time.sco.cisco.com) is added as an entry to synchronize the time on your content security appliance. Enter the hostname of the NTP server, and click Add Entry to configure an additional NTP server. For more information, see Configuring the System Time, on page 450.

    Setting the Passphrase

    You must change the passphrase for the AsyncOS admin account. Keep the passphrase in a secure location. Changes to the passphrase take effect immediately.

    Note: If you cancel the system setup after resetting the passphrase, your passphrase changes are not undone.

    Enabling AutoSupport

    The AutoSupport feature (enabled by default) notifies Customer Support about issues with the Security Management appliance so that they can provide optimal support. For more information, see Cisco AutoSupport, on page 441.

    Configure the Network Settings

    Define the hostname of the machine and then configure the gateway and DNS settings.


    Note: Verify that you have connected the Security Management appliance to your network through the Management port.

    Network Settings

    Enter the fully qualified hostname for the Security Management appliance. This name should be assigned by the network administrator.

    Enter the IP address of the Security Management appliance.

    Enter the network mask and IP address of the default router (gateway) on your network.

    Next, configure the Domain Name Service (DNS) settings. AsyncOS contains a high-performance internal DNS resolver/cache that can query the Internet’s root servers directly, or the system can use DNS servers that you specify. If you use your own servers, you need to supply the IP address of each DNS server. You can enter up to four DNS servers when you are using the System Setup Wizard.

    Note: The DNS servers you specify have an initial priority of 0. For more information, see Configuring Domain Name System Settings, on page 446.

    Note: The appliance requires access to a working DNS server to perform DNS lookups for incoming connections. If you cannot specify a working DNS server that is reachable by the appliance while you are setting up the appliance, you can select Use Internet Root DNS Servers, or else temporarily specify the IP address of the Management interface so that you can complete the System Setup Wizard.

    Review Your Configuration

    Now, the System Setup Wizard displays a summary of the setup information that you have entered. If you need to make any changes, click Previous at the bottom of the page and edit the information.

    After you have reviewed the information, click Install This Configuration. Then click Install in the confirmation dialog box that appears.

    If the page appears not to respond when you click Install This Configuration, this is because the appliance is now using the new IP address that you specified in the wizard. To continue using the appliance, use the new IP address. If you followed the instructions in the Quick Start Guide to temporarily change the IP address of the computer you used to access your new hardware appliance, revert your computer’s IP address to its original settings first.

    Proceeding to the Next Steps

    After you install the Security Management appliance and run the System Setup Wizard, you can modify other settings on the appliance and configure the monitoring services.

    Depending on the process you used to access the appliance in order to run the system setup wizard, the System Setup Next Steps page appears. If this page does not appear automatically, you can access it by choosing Management Appliance > System Administration > Next Steps.


    Click on any of the links on the System Setup Next Steps page to proceed with the configuration of your Cisco Content Security appliances.

    About Adding Managed Appliances

    You will add managed Email and Web Security appliances to the Security Management appliance when you configure the first centralized service for each appliance.

    Supported Email and Web Security appliances are shown in the SMA Compatibility Matrix, on page 6.

    When you add a remote appliance, the Security Management appliance compares the product name of the remote appliance with the type of appliance you are adding. For example, if you add an appliance using the Add Web Security appliance page, the Security Management appliance checks the product name of the remote appliance to make sure that it is a Web Security appliance and not an Email Security appliance. The Security Management appliance will also check the monitoring services on the remote appliances to make sure that they are correctly configured and compatible.

    The Security Appliances page shows the managed appliances that you have added. The Connection Established? column shows whether or not the connection for monitoring services is properly configured.

    Instructions for adding managed appliances are included in the following procedures:

    • Adding the Centralized Email Reporting Service to Each Managed Email Security Appliance, on page 50

    • Adding the Centralized Message Tracking Service to Each Managed Email Security Appliance, on page 231

    • Adding the Centralized Spam Quarantine Service to Each Managed Email Security Appliance, on page 248

    • Adding the Centralized Policy, Virus, and Outbreak Quarantine Service to Each Managed Email Security Appliance, on page 280

    • Adding the Centralized Web Reporting Service to Each Managed Web Security Appliance, on page 153

    • Adding Web Security Appliances and Associating Them with Configuration Master Versions, on page 307

    Editing Managed Appliance Configurations

    Step 1 [New Web Interface Only] On the Security Management appliance, click to load the legacy web interface.

    Step 2 Choose Management Appliance > Centralized Services > Security Appliances.

    Step 3 In the Security Appliance section, click on the name of the appliance you want to edit.

    Step 4 Make the necessary changes to the appliance configuration.

    For example, select or clear check boxes for monitoring services, reconfigure file transfer access, or change the IP address.


    Note: Changing the IP address of a managed appliance can cause several issues to occur. If you change the IP address of a Web Security appliance, the publish history for the appliance will be lost, and publishing errors will occur if the Web Security appliance is currently selected for a scheduled publish job. (This does not affect scheduled publish jobs that are set to use all assigned appliances.) If you change the IP address of an Email Security appliance, the tracking availability data for the appliance will be lost.

    Step 5 Click Submit to submit your changes on the page, then click Commit Changes to commit your changes.

    Removing an Appliance from the List of Managed Appliances

    Before you begin

    You may need to disable any enabled centralized services on the remote appliance before you can remove that appliance from the Security Management appliance. For example, if the Centralized Policy, Virus, and Outbreak Quarantine service is enabled, you must disable that service first on the Email Security appliance. See the documentation for your email or web security appliance.

    Step 1 [New Web Interface Only] On the Security Management appliance, click to load the legacy web interface.

    Step 2 Choose Management Appliance > Centralized Services > Security Appliances.

    Step 3 In the Security Appliances section, click the trash can icon in the row for the managed appliance that you want to delete.

    Step 4 In the confirmation dialog box, click Delete.

    Step 5 Submit and commit your changes.
