
User Guide for AsyncOS 9.6 for Cisco Content Security Management Appliances PDF

450 Pages·2016·3.41 MB·English

Preview User Guide for AsyncOS 9.6 for Cisco Content Security Management Appliances

AsyncOS 9.6 for Cisco Content Security Management Appliances User Guide
Published: October 26, 2015
Revised: June 1, 2016
Cisco Systems, Inc.
www.cisco.com
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.
Text Part Number: N/A

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2008-2016 Cisco Systems, Inc. All rights reserved.

CONTENTS

CHAPTER 1 Introduction 1-1
What's New in This Release 1-1
Cisco Content Security Management Overview 1-2

CHAPTER 2 Setup, Installation, and Basic Configuration 2-1
Solution Deployment Overview 2-1
SMA Compatibility Matrix 2-2
Installation Planning 2-2
Network Planning 2-2
About Integrating a Security Management Appliance with Email Security Appliances 2-3
Deployments with Clustered Email Security Appliances 2-3
Preparing for Setup 2-4
Physically Setting Up and Connecting the Appliance 2-4
Determining Network and IP Address Assignments 2-4
Gathering the Setup Information 2-5
Accessing the Security Management Appliance 2-6
Browser Requirements 2-6
About Accessing the Web Interfaces 2-6
Accessing the Web Interface 2-7
Accessing the Command Line Interface 2-7
Supported Languages 2-7
Running the System Setup Wizard 2-8
Before You Begin 2-8
Overview of the System Setup Wizard 2-8
Launch the System Setup Wizard 2-9
Review the End User License Agreement 2-9
Configure the System Settings 2-9
Configure the Network Settings 2-10
Review Your Configuration 2-11
Proceeding to the Next Steps 2-11
About Adding Managed Appliances 2-11
Editing Managed Appliance Configurations 2-12
Removing an Appliance from the List of Managed Appliances 2-12
Configuring Services on the Security Management Appliance 2-13
AsyncOS 9.6 for Cisco Content Security Management Appliances User Guide iii Contents
Committing and Abandoning Configuration Changes 2-13

CHAPTER 3 Working With Reports 3-1
Ways to View Reporting Data 3-1
How the Security Appliance Gathers Data for Reports 3-2
How Reporting Data is Stored 3-2
About Reporting and Upgrades 3-3
Customizing Your View of Report Data 3-3
Viewing Reporting Data for an Appliance or Reporting Group 3-4
Choosing a Time Range for Reports 3-4
(Web Reports Only) Choosing Which Data to Chart 3-5
Customizing Tables on Report Pages 3-6
Custom Reports 3-6
Modules That Cannot Be Added to Custom Reports 3-7
Creating Your Custom Report Page 3-7
Viewing Details of Messages or Transactions Included in Reports 3-8
Improving Performance of Email Reports 3-9
Printing and Exporting Reporting and Tracking Data 3-10
Exporting Report Data as a Comma-Separated Values (CSV) File 3-11
Subdomains vs. Second-Level Domains in Reporting and Tracking 3-12
Troubleshooting All Reports 3-12
Unable to View Report Data on Backup Security Management Appliance 3-13
Reporting Is Disabled 3-13
Email and Web Reports 3-13

CHAPTER 4 Using Centralized Email Security Reporting 4-1
Centralized Email Reporting Overview 4-1
Setting Up Centralized Email Reporting 4-2
Enabling Centralized Email Reporting on the Security Management Appliance 4-2
Adding the Centralized Email Reporting Service to Each Managed Email Security Appliance 4-3
Creating Email Reporting Groups 4-4
Enabling Centralized Email Reporting on Email Security Appliances 4-4
Working with Email Report Data 4-4
Searching and the Interactive Email Report Pages 4-5
Understanding the Email Reporting Pages 4-6
Table Column Descriptions for Email Reporting Pages 4-9
Email Reporting Overview Page 4-11
How Incoming Mail Messages are Counted 4-12
How Email Messages Are Categorized by the Appliances 4-12
Categorizing Email Messages on the Overview Page 4-13
Incoming Mail Page 4-15
Views Within the Incoming Mail Page 4-16
Incoming Mail Details Table 4-17
Sender Profile Pages 4-18
Sender Groups Report Page 4-19
Outgoing Destinations Page 4-19
Outgoing Senders Page 4-20
Internal Users Page 4-21
Internal User Details Page 4-22
Searching for a Specific Internal User 4-23
DLP Incidents 4-23
DLP Incidents Details Table 4-24
DLP Policy Detail Page 4-24
Message Filters 4-24
High Volume Mail 4-25
Content Filters Page 4-25
Content Filter Details Page 4-25
DMARC Verification 4-26
Virus Types Page 4-26
URL Filtering Page 4-27
Web Interaction Tracking Page 4-27
Advanced Malware Protection (File Reputation and File Analysis) Reporting Pages 4-28
Requirements for File Analysis Report Details 4-28
Identifying Files by SHA-256 Hash 4-30
File Reputation and File Analysis Report Pages 4-30
Viewing File Reputation Filtering Data in Other Reports 4-31
For Which Files Are Detailed File Analysis Results Visible in the Cloud? 4-31
TLS Connections Page 4-32
Inbound SMTP Authentication Page 4-33
Rate Limits Page 4-34
Outbreak Filters Page 4-35
Reporting of Graymail 4-36
Reporting of Marketing Messages after Upgrade to AsyncOS 9.5 4-37
System Capacity Page 4-37
How to Interpret the Data You See on System Capacity Page 4-38
System Capacity – Workqueue 4-38
System Capacity – Incoming Mail 4-39
System Capacity – Outgoing Mail 4-39
System Capacity – System Load 4-39
System Capacity – All 4-40
Threshold Indicator in System Capacity Graphs 4-40
Reporting Data Availability Page 4-40
About Scheduled and On-Demand Email Reports 4-41
Additional Report Types 4-42
Domain-Based Executive Summary Report 4-42
Executive Summary Report 4-45
Scheduling Email Reports 4-45
Adding Scheduled Reports 4-45
Editing Scheduled Reports 4-46
Discontinuing Scheduled Reports 4-46
Generating Email Reports On Demand 4-47
Viewing and Managing Archived Email Reports 4-48
Accessing Archived Reports 4-48
Deleting Archived Reports 4-49
Troubleshooting Email Reports 4-49
Outbreak Filters Reports Do Not Show Information Correctly 4-49
Message Tracking Results Do Not Match Report Results After Clicking a Link in a Report 4-50
Advanced Malware Protection Verdict Updates Report Results Differ 4-50
Issues Viewing File Analysis Report Details 4-50
File Analysis Report Details Are Not Available 4-50
Error When Viewing File Analysis Report Details 4-50
Error When Viewing File Analysis Report Details with Private Cloud Cisco AMP Threat Grid Appliance 4-51
Logging of File Analysis-Related Errors 4-51
Total Graymail or Marketing Messages Appears To Be Incorrect 4-51

CHAPTER 5 Using Centralized Web Reporting and Tracking 5-1
Centralized Web Reporting and Tracking Overview 5-1
Setting Up Centralized Web Reporting and Tracking 5-2
Enabling Centralized Web Reporting on the Security Management Appliance 5-3
Enabling Centralized Web Reporting on Web Security Appliances 5-3
Adding the Centralized Web Reporting Service to Each Managed Web Security Appliance 5-3
Anonymizing User Names in Web Reports 5-4
Working with Web Security Reports 5-5
Web Reporting Page Descriptions 5-5
About Time Spent 5-8
Web Reporting Overview 5-8
Users Report (Web) 5-10
User Details (Web Reporting) 5-11
Web Sites Report 5-13
URL Categories Report 5-14
Reducing Uncategorized URLs 5-15
URL Category Set Updates and Reports 5-15
Using The URL Categories Page in Conjunction with Other Reporting Pages 5-16
Reporting Misclassified and Uncategorized URLs 5-16
Application Visibility Report 5-16
Understanding the Difference between Application versus Application Types 5-17
Anti-Malware Report 5-18
Malware Category Report 5-19
Malware Threat Report 5-20
Malware Category Descriptions 5-20
Advanced Malware Protection (File Reputation and File Analysis) Reports 5-21
Requirements for File Analysis Report Details 5-22
Identifying Files by SHA-256 Hash 5-23
Advanced Malware Protection (File Reputation and File Analysis) Report Pages 5-24
Viewing File Reputation Filtering Data in Other Reports 5-25
For Which Files Are Detailed File Analysis Results Visible in the Cloud? 5-25
Client Malware Risk Report 5-26
Web Reputation Filters Report 5-27
What are Web Reputation Filters? 5-27
Adjusting Web Reputation Settings 5-29
L4 Traffic Monitor Report 5-29
SOCKS Proxy Report 5-31
Reports by User Location 5-31
System Capacity Page 5-32
Viewing the System Capacity Report 5-32
How to Interpret the Data You See on the System Capacity Page 5-33
System Capacity - System Load 5-33
System Capacity - Network Load 5-33
Note About Proxy Buffer Memory Swapping 5-34
Data Availability Page 5-34
About Scheduled and On-Demand Web Reports 5-34
Scheduling Web Reports 5-35
Storage of Scheduled Web Reports 5-36
Adding Scheduled Web Reports 5-36
Editing Scheduled Web Reports 5-37
Deleting Scheduled Web Reports 5-37
Additional Extended Web Reports 5-37
Top URL Categories—Extended 5-37
Top Application Types—Extended 5-38
Generating Web Reports on Demand 5-39
Viewing and Managing Archived Web Reports 5-40
Web Tracking 5-40
Searching for Transactions Processed by Web Proxy Services 5-40
Searching for Transactions Processed by the L4 Traffic Monitor 5-44
Searching for Transactions Processed by the SOCKS Proxy 5-45
Working with Web Tracking Search Results 5-45
Displaying More Web Tracking Search Results 5-45
Understanding Web Tracking Search Results 5-45
Viewing Transaction Details for Web Tracking Search Results 5-46
About Web Tracking and Advanced Malware Protection Features 5-46
About Web Tracking and Upgrades 5-47
Troubleshooting Web Reporting and Tracking 5-47
Centralized Reporting Is Enabled Properly But Not Working 5-47
Advanced Malware Protection Verdict Updates Report Results Differ 5-48
Issues Viewing File Analysis Report Details 5-48
File Analysis Report Details Are Not Available 5-48
Error When Viewing File Analysis Report Details 5-48
Error When Viewing File Analysis Report Details with Private Cloud Cisco AMP Threat Grid Appliance 5-48
Expected Data Is Missing from Reporting or Tracking Results 5-48
PDF Shows Only a Subset of Web Tracking Data 5-49
Troubleshooting L4 Traffic Monitor Reports 5-49
Exported .CSV file is Different From Web Interface Data 5-49

CHAPTER 6 Tracking Email Messages 6-1
Tracking Service Overview 6-1
Setting Up Centralized Message Tracking 6-2
Enabling Centralized Email Tracking on a Security Management Appliance 6-2
Configuring Centralized Message Tracking on Email Security Appliances 6-2
Adding the Centralized Message Tracking Service to Each Managed Email Security Appliance 6-3
Managing Access to Sensitive Information 6-4
Checking Message Tracking Data Availability 6-4
Searching for Email Messages 6-4
Narrowing the Result Set 6-7
About Message Tracking and Advanced Malware Protection Features 6-7
Understanding Tracking Query Results 6-8
Message Details 6-8
Envelope and Header Summary 6-9
Sending Host Summary 6-9
Processing Details 6-9
DLP Matched Content Tab 6-9
Troubleshooting Message Tracking 6-10
Expected Messages Are Missing from Search Results 6-10
Attachments Do Not Appear in Search Results 6-10

CHAPTER 7 Spam Quarantine 7-1
Overview of the Spam Quarantine 7-1
Local Versus External Spam Quarantine 7-1
Setting Up the Centralized Spam Quarantine 7-2
Enabling and Configuring the Spam Quarantine 7-2
Adding the Centralized Spam Quarantine Service to Each Managed Email Security Appliance 7-4
Configuring an Outbound IP Interface on the Security Management Appliance 7-5
Configuring the IP Interface for Browser Access to the Spam Quarantine 7-6
Configuring Administrative User Access to the Spam Quarantine 7-6
Limiting Which Recipients Have Mail Quarantined 7-7
Ensuring That Message Text Displays Correctly 7-7
Spam Quarantine Language 7-7
Using Safelists and Blocklists to Control Email Delivery Based on Sender 7-8
Message Processing of Safelists and Blocklists 7-8
Enabling Safelists and Blocklists 7-9
External Spam Quarantine and Safelist/Blocklists 7-9
Adding Senders and Domains to Safelists and Blocklists (Administrators) 7-10
Syntax for Safelists and Blocklist Entries 7-11
Clearing All Safelists and Blocklists 7-12
About End-User Access to Safelists and Blocklists 7-12
Adding Entries to Safelists (End Users) 7-12
Adding Senders to Blocklists (End Users) 7-13
Backing Up and Restoring the Safelist/Blocklist 7-13
Troubleshooting Safelists and Blocklists 7-14
Message from Safelisted Sender Was Not Delivered 7-14
Configuring Spam Management Features for End Users 7-15
Authentication Options for End Users Accessing Spam Management Features 7-15
LDAP Authentication Process 7-16
IMAP/POP Authentication Process 7-17
Setting Up End-User Access to the Spam Quarantine via Web Browser 7-17
Configuring End-User Access to the Spam Quarantine 7-18
Determining the URL for End-User Access to the Spam Quarantine 7-19
Which Messages an End User Sees 7-19
Notifying End Users About Quarantined Messages 7-19
Recipient Email Mailing List Aliases and Spam Notifications 7-21
Testing Notifications 7-21
Troubleshooting Spam Notifications 7-22
Managing Messages in the Spam Quarantine 7-22
Accessing the Spam Quarantine (Administrative Users) 7-22
Searching for Messages in the Spam Quarantine 7-23
Searching Very Large Message Collections 7-23
Viewing Messages in the Spam Quarantine 7-23
Delivering Messages in the Spam Quarantine 7-24
Deleting Messages from the Spam Quarantine 7-24
Disk Space for the Spam Quarantine 7-24
About Disabling the External Spam Quarantine 7-24
Troubleshooting Spam Quarantine Features 7-25

CHAPTER 8 Centralized Policy, Virus, and Outbreak Quarantines 8-1
Overview of Centralized Quarantines 8-1
Quarantine Types 8-2
Centralizing Policy, Virus, and Outbreak Quarantines 8-3
Enabling Centralized Policy, Virus, and Outbreak Quarantines on the Security Management Appliance 8-4
Adding the Centralized Policy, Virus, and Outbreak Quarantine Service to Each Managed Email Security Appliance 8-5
Configuring Migration of Policy, Virus, and Outbreak Quarantines 8-6
Designating an Alternate Appliance to Process Released Messages 8-7
Configuring Centralized Quarantine Access for Custom User Roles 8-8
Disabling Centralized Policy, Virus, and Outbreak Quarantines 8-8
Releasing Messages When an Email Security Appliance Is Unavailable 8-8
Managing Policy, Virus, and Outbreak Quarantines 8-8
Disk Space Allocation for Policy, Virus, and Outbreak Quarantines 8-9
Retention Time for Messages in Quarantines 8-9
Default Actions for Automatically Processed Quarantined Messages 8-11
Checking the Settings of System-Created Quarantines 8-11
Configuring Policy, Virus, and Outbreak Quarantines 8-11
About Editing Policy, Virus, and Outbreak Quarantine Settings 8-13

