300-720 Securing Email with Cisco Email Security Appliance (300-720 SESA) Questions and Answers

To enable domain protection for the organization, the administrator must configure an outgoing mail policy that matches the sender and the from headers of the email. The sender header is the envelope sender address that is used by SMTP to route the email. The from header is the address that is displayed to the recipient as the source of the email. These headers are used to generate and verify a DomainKeys Identified Mail (DKIM) signature, which is a cryptographic method of validating the authenticity and integrity of an email message.

The other headers are not relevant for domain protection. The message-ID header is a unique identifier for each email message. The URL reputation header is a score that indicates the likelihood of a URL being malicious. The mail-from header is an alias for the sender header.

The default behavior of any listener for TLS communication is B. off. This means that TLS is not allowed for incoming connections to the listener and connections to the listener do not require encrypted Simple Mail Transfer Protocol (SMTP) conversations. This is stated in the web search result 1. To enable TLS for a listener, you need to configure the Use TLS option in the mail flow policy settings for the listener on the Mail Policies > HAT Overview page1. You can choose from three different settings for TLS: No, Preferred, or Required1.

All users with administrator privileges can change spam quarantine settings and view and manage messages in the spam quarantine. You do not need to configure spam quarantine access for administrator users.

If you configure access to the spam quarantine for users with the following roles, they can view, release, and delete messages in the spam quarantine:

-Operator

-Read-only operator

-Help desk user

-Guest

-Custom user roles that have spam quarantine privileges

These users cannot access spam quarantine settings.

https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100000.html?bookSearch=true#con_1624156

https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_chapter_01011.html

According to the User Guide for AsyncOS 12.0 for Cisco Email Security Appliances2, the order of virus scanning when multilayer antivirus scanning is configured is as follows:

• The McAfee engine scans the message first. If the McAfee engine detects a virus, the message is dropped or repaired, depending on the configuration. If the McAfee engine does not detect a virus, the message is passed to the next layer of scanning.
• The Sophos engine scans the message second. If the Sophos engine detects a virus, the message is dropped or repaired, depending on the configuration. If the Sophos engine does not detect a virus, the message is delivered to the recipient.

You can configure Policy, Virus, and Outbreak Quarantines in any one of the following ways:

Choose Quarantine > Other Quarantine > View > +.

Choose Monitor > Policy, Virus, and Outbreak Quarantines and do one of the following.

Click Add Policy Quarantine.

Keep the following in mind, changing the retention time of the File Analysis quarantine from the default of one hour is not recommended.

https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_011111.html?bookSearch=true

To protect against Directory Harvest Attacks, the administrator must configure Directory Harvest Attack Prevention in the mail flow policy that applies to the listener. This will enable the Cisco Secure Email Gateway to reject or throttle messages that are sent to invalid recipients by checking the LDAP server for valid email addresses. References: [Cisco Secure Email Gateway Administrator Guide - Configuring Directory Harvest Attack Prevention]

Overview of Encrypting Communication with Other MTAs:

AsyncOS supports the STARTTLS extension to SMTP (Secure SMTP over TLS).

The TLS implementation in AsyncOS provides privacy through encryption.

https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_011001.html?bookSearch=true

To encrypt SMTP with TLS on a Cisco Secure Email Gateway appliance when the sender requires TLS verification, the components that are required are an X.509 certificate and matching private key from a CA. The certificate must be signed by a trusted CA and contain the domain name or IP address of the listener in the Subject or Subject Alternative Name fields. The private key must be unencrypted and match the certificate. References: [Cisco Secure Email Gateway Administrator Guide - Configuring TLS]

Spam threshold is a setting that determines the minimum score that a message must have to be classified as spam by Cisco ESA. The lower the threshold, the more aggressive the spam detection is.

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 6-5.

According to the [Cisco Secure Email Encryption Service Add-In User Guide], you can create an encryption profile that defines the encryption settings and options for your encrypted messages[2, p. 11]. You can also create an outgoing content filter that applies the encryption profile to the messages that match certain conditions, such as having [SECURE] in the subject header[2, p. 12]. This way, you can allow users to flag the messages that require encryption by adding [SECURE] to the subject line.

The other options are not valid because:

• A. Creating an encryption profile with [SECURE] in the Subject setting and enabling encryption on the mail flow policy will not work, as the Subject setting in the encryption profile is used to specify the subject line of the encrypted message envelope, not the original message[2, p. 11].
• B. Creating an outgoing content filter with no conditions and with the Encrypt and Deliver Now action configured with [SECURE] in the Subject setting will not work, as this will encrypt all outgoing messages regardless of whether they have [SECURE] in the subject line or not[2, p. 12].
• D. Creating a DLP policy manager message action with encryption enabled and applying it to active DLP policies for outgoing mail will not work, as this will encrypt messages based on DLP rules that detect sensitive data in the message content, not based on user flags in the subject line.

To enable domain protection for the organization, the administrator must configure an outgoing mail policy that matches the sender and the from headers of the email. The sender header is the envelope sender address that is used by SMTP to route the email. The from header is the address that is displayed to the recipient as the source of the email. These headers are used to generate and verify a DomainKeys Identified Mail (DKIM) signature, which is a cryptographic method of validating the authenticity and integrity of an email message.

The other headers are not relevant for domain protection. The message-ID header is a unique identifier for each email message. The URL reputation header is a score that indicates the likelihood of a URL being malicious. The mail-from header is an alias for the sender header.

A DMARC verification profile is a list of parameters that the mail flow policies of the appliance use for verifying DMARC. The name of the verification profile identifies the profile and allows you to apply it to different mail flow policies. The message action to take when the policy is reject/quarantine determines how the appliance handles messages that fail DMARC verification based on the sender’s DMARC policy.

References: User Guide for AsyncOS 12.0 for Cisco Email Security Appliances - GD (General Deployment), Chapter: Email Authentication, Section: Configuring DMARC Verification

Bounce Verification is a feature that mitigates denial of service attacks on Cisco ESA. A denial of service attack is an attempt to overwhelm a system or network with excessive traffic or requests, rendering it unavailable or slow for legitimate users. Bounce Verification prevents Cisco ESA from accepting bounce messages that are not generated by itself or by trusted hosts, reducing the load on the system and preventing backscatter spam.

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 5-8.

Outbreak filters and antivirus are two features that can be applied to either incoming or outgoing mail policies on Cisco ESA. Outbreak filters allow Cisco ESA to detect and block messages that contain new or emerging email threats, such as viruses, worms, phishing, or spam, by using real-time updates from Talos intelligence. Antivirus allows Cisco ESA to scan messages for known viruses and malware using one or two antivirus engines (Sophos and McAfee).

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 6-16 and page 7-2.

Content filters are rules that allow Cisco ESA to perform actions on messages based on predefined or custom conditions, such as headers, envelope, body, attachments, etc.

The two primary components of content filters are:

• Conditions, which are the criteria that determine whether a message matches a content filter rule or not, such as message size, sender address, attachment type, etc.
• Actions, which are the operations that Cisco ESA performs on a message if it matches the conditions of a content filter rule, such as deliver, drop, quarantine, encrypt, etc.

The other options are not primary components of content filters on Cisco ESA.

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 8-3 and page 8-4.

The type of attack that is prevented by configuring file reputation filtering and file analysis features is zero-day. Zero-day attacks are those that exploit unknown vulnerabilities in software or systems before they are patched or fixed. File reputation filtering and file analysis features help to protect against zero-day attacks by checking the reputation of files attached to email messages and sending them to a cloud-based service for dynamic analysis.

References: Securing Email with Cisco Email Security Appliance (SESA) v3.1, Module 9: Using Advanced Malware Protection, Lesson 1: Configuring File Reputation Filtering and File Analysis

Outbreak Filters can take the action of rewriting URLs to redirect traffic to potentially harmful websites through a web security proxy. This allows the Cisco Secure Email Gateway to scan the content of the websites and block or warn the user if they are malicious or undesirable. This action can stop small-scale and nonviral attacks, such as phishing scams and malware distribution sites, that may not be detected by other filters. References: [Cisco Secure Email Gateway Administrator Guide - Configuring Outbreak Filters]

By modifying the mail policies, specifically the recipient matching criteria, you can ensure that email recipients do not match multiple policies simultaneously. When recipients in the email message belong to different domains (e.g., cisco.com and test.com), it can result in multiple policies being triggered simultaneously, leading to inconsistent delivery of emails with attachments.

DLP is for outgoing mail only and not relevant to incoming mail.

To ensure that executive messages are originating from legitimate sending addresses, the administrator must take two steps:

• Create an incoming content filter with the Forged Email Detection condition. This will allow the administrator to detect and block messages that have a forged “From: header” that matches or is similar to any of the names in a content dictionary.
• Create a content dictionary including a list of the names that are being spoofed. This will allow the administrator to specify the names of the executives that are being targeted by spoofing attacks and use them in the Forged Email Detection condition. The other options are not relevant or sufficient for this task. References: [Cisco Secure Email Gateway Administrator Guide - Forged Email Detection] and [Cisco Secure Email Gateway Administrator Guide - Creating Content Dictionaries]

Determining Which Interface is Used for Mail Delivery Unless you specify the output interface via the deliveryconfig command or via a message filter ( alt-src-host ), or through the use of a virtual gateway, the output interface is selected by the AsyncOS routing table. https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_011001.html?bookSearch=true

Relay is the connection behavior that must be selected to properly process the messages. Relay allows Cisco ESA to accept messages from the specified source and deliver them to the intended destination, without applying any content or reputation filters.

To configure a mail flow policy with relay connection behavior on Cisco ESA, the administrator can follow these steps:

• Select Mail Policies > Mail Flow Policies and click Add Policy.
• Enter a name and description for the mail flow policy, such as Exchange Outbound.
• Under Connection Behavior, select Relay.
• Click Submit.

The other options are not valid connection behaviors to properly process the messages, because they either reject, delay, or accept the messages with content or reputation filters applied.

References: [User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway], page 6-2 and page 6-3.

Content filters are rules that allow Cisco ESA to perform actions on messages based on predefined or custom conditions, such as headers, envelope, body, attachments, etc.

The two primary components of content filters are:

• Conditions, which are the criteria that determine whether a message matches a content filter rule or not, such as message size, sender address, attachment type, etc.
• Actions, which are the operations that Cisco ESA performs on a message if it matches the conditions of a content filter rule, such as deliver, drop, quarantine, encrypt, etc.

The other options are not primary components of content filters on Cisco ESA.

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 8-3 and page 8-4.

If the assigned certificate under one of the IP interfaces is modified, then the HTTPS traffic when connecting to the web user interface of the Cisco Secure Email Gateway will be impacted. The administrator must ensure that the certificate is valid and trusted by the browser or client that is used to access the web user interface. Otherwise, the connection may fail or generate a warning message. References: [Cisco Secure Email Gateway Administrator Guide - Configuring Certificates]

• System: This is the default list of trusted certificate authorities that is provided by Cisco and updated automatically. It contains the certificates of well-known and widely used certificate authorities, such as VeriSign, Thawte, and GoDaddy.
• Custom: This is the list of additional certificate authorities that you can add manually or import from a file. It allows you to trust certificates that are issued by your own or third-party certificate authorities that are not included in the system list.

A content filter action is an operation that Cisco ESA performs on a message if it matches the conditions of a content filter rule, such as headers, envelope, body, attachments, etc.

Quarantine is a valid content filter action that allows Cisco ESA to store the message in a quarantine area for further review or release by an administrator or an end user.

The other options are not valid content filter actions on Cisco ESA.

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 8-3 and page 8-7.

Content filters are rules that allow Cisco ESA to perform actions on messages based on predefined or custom conditions, such as headers, envelope, body, attachments, etc.

The two primary components of content filters are:

• Conditions, which are the criteria that determine whether a message matches a content filter rule or not, such as message size, sender address, attachment type, etc.
• Actions, which are the operations that Cisco ESA performs on a message if it matches the conditions of a content filter rule, such as deliver, drop, quarantine, encrypt, etc.

The other options are not primary components of content filters on Cisco ESA.

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 8-3 and page 8-4.

Enabling Logging of URLs and Message Tracking Details for URLs

Logging of URL-related logs, and display of this information in Message Tracking details, is disabled by default. This includes the logs for the following events:

Category of any URL in the message matches the URL category filters

Reputation score of any URL in the message matches URL reputation filters

Outbreak Filter rewrites any URL in the message

To enable logging of these events, use the outbreakconfig command in the command-line interface (CLI).

https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_01110.html?bookSearch=true

The altsrchost command enables an engineer to deliver a flagged message to a specific virtual gateway address in the most flexible way. This command allows you to specify an alternate source host for messages that match a message filter. You can use this command to route messages to different virtual gateways based on the message content or attributes.

References: Securing Email with Cisco Email Security Appliance (SESA) v3.1, Module 5: Using Message Filters to Enforce Email Policies, Lesson 1: Using Message Filters

Web reputation score is a feature that allows Cisco ESA to evaluate the reputation of URLs in messages based on real-time data from Talos intelligence and apply appropriate actions, such as block, quarantine, or deliver.

To ensure that Cisco ESA evaluates the web reputation score before permitting this email, the administrator should use two criteria to create a content filter or message filter that matches this email and applies an action of “check web reputation”:

• Sender matches test1.com, which means that the sender’s domain name is test1.com.
• Email body contains a URL, which means that the message body has one or more URLs in it.

The other options are not valid criteria to ensure that Cisco ESA evaluates the web reputation score before permitting this email, because they do not match this email or they are not relevant to web reputation score.

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 8-3 and page 8-7.

A filter is a method that enables an engineer to deliver a flagged message to a specific virtual gateway address in the most flexible way. A filter is a rule that allows Cisco ESA to perform actions on messages based on predefined or custom conditions, such as headers, envelope, body, attachments, etc.

To deliver a flagged message to a specific virtual gateway address using a filter, the engineer can create a content filter or message filter that matches the flag condition and applies an action of “deliver via alternate host” with the virtual gateway address as the parameter.

The other options are not methods that enable an engineer to deliver a flagged message to a specific virtual gateway address in the most flexible way, because they have more limitations or requirements than using a filter.

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 8-3 and page 8-7.

Geolocation-based filtering and senderbase reputation filtering are two features of Cisco Email Security that can be added to a Sender Group to protect an organization against email threats. Geolocation-based filtering allows Cisco ESA to accept or reject connections from email servers based on their geographic location, such as country or continent. Senderbase reputation filtering allows Cisco ESA to reject or throttle connections from email servers based on their reputation score, which is calculated by Talos using sensor information from various sources.

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 5-4 and page 6-2.

spf-status is the section of the filter that must be modified to correct this behavior. spf-status is a condition that determines whether a message matches the content filter rule based on the result of SPF verification, such as pass, fail, neutral, etc.

The content filter in the exhibit has a spf-status condition set to “Pass”, which means that it will match messages that passed SPF verification and apply the action of “Quarantine”. This is the opposite of what the network engineer intended to do.

To correct this behavior, the network engineer can modify the spf-status condition to “Fail”, which means that it will match messages that failed SPF verification and apply the action of “Quarantine”.

The other options are not valid sections of the filter that must be modified to correct this behavior, because they do not affect the spf-status condition.

References: [User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway], page 8-3 and page 8-4.

To encrypt SMTP with TLS on a Cisco Secure Email Gateway appliance when the sender requires TLS verification, the components that are required are an X.509 certificate and matching private key from a CA. The certificate must be signed by a trusted CA and contain the domain name or IP address of the listener in the Subject or Subject Alternative Name fields. The private key must be unencrypted and match the certificate. References: [Cisco Secure Email Gateway Administrator Guide - Configuring TLS]

Non-final actions are actions that do not terminate the message filter evaluation, such as adding headers, setting variables, logging, etc. Final actions are actions that end the message filter evaluation and determine the fate of the message, such as accept, drop, bounce, quarantine, etc.

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 3-4.

Spam threshold is a setting that determines the minimum score that a message must have to be classified as spam by Cisco ESA. The lower the threshold, the more aggressive the spam detection is.

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 6-5.

External spam quarantine is a feature that allows Cisco SMA to store and manage spam messages quarantined by multiple Cisco ESAs in one central location, providing a unified view and administration of the spam quarantine data.

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 10-3.

When CRES (Cisco Registered Envelope Service) is unavailable, Cisco ESA will requeue the message and attempt to resend it later, until the maximum number of retries or the maximum age of the message is reached. The message will not be sent in clear text, dropped, or encrypted by another appliance.

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 12-8.

The PVO cannot be enabled and shows this type of error message.

Unable to proceed with Centralized Policy, Virus and Outbreak Quarantines

configuration as host1 and host2 in Cluster have content filters / DLP actions

available at a level different from the cluster Level.

The error message can indicate that one of the hosts does not have a DLP feature key applied and DLP is disabled. The solution is to add the missing feature key and apply DLP settings identical as on the host that has the feature key applied. This feature key inconsistency might have the same effect with Outbreak Filters, Sophos Antivirus, and other feature keys.

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118026-technote-esa-00.html

A content dictionary is a list of words or phrases that can be used to match against message content in Cisco ESA. For Forged Email Detection, a content dictionary can be used to specify the display names of internal senders that should not appear in the From header of external messages. The display name is usually the name of the sender as it appears in the email client, such as Alpha Beta. Therefore, the entry that will be added into the dictionary for this purpose is Alpha Beta.

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 9-8.

• Define an LDAP group query to specify users to whom the mail policy rules apply. This way, you can create a custom group of executive users and apply different mail policies to them based on their LDAP attributes[4, p. 2].
• Create content filters for actions to take on messages that contain specific data. Content filters allow you to scan the message body and attachments for keywords, phrases, or patterns that match your criteria and perform actions such as quarantine, encrypt, or drop the message[4, p. 7].

The other options are not valid because:

• C. Uploading a csv file containing the email addresses for the users for whom you want to create mail policies is not a supported feature of Cisco Secure Email1.
• D. Enabling the content-scanning features you want to use with mail policies is not necessary, as content scanning is enabled by default for all incoming and outgoing messages[4, p. 6].
• E. Defining the default mail policies for incoming or outgoing messages is not sufficient, as default mail policies apply to all users and do not allow for differentiation based on user groups[4, p. 2].