
Firmware update: Cisco ESA AsyncOS 11.0 HP1

By , 4 comments, source: Cisco

12-09-2017 • 08:59


Source: Cisco

Cisco has released a firmware update for its Email Security Appliances, abbreviated as ESA. The technology descends from IronPort Systems, which Cisco acquired in 2007; although that is now a decade ago, the IronPort name is still commonly used for these appliances. For the supported upgrade paths it is advisable to read the documentation or to contact Cisco's TAC. This firmware is called 11.0 Hot Patch 1 and has 11.0.0-267 as its exact version number. The list of changes for 11.0 is as follows:

What’s New In This Release
  • FIPS Certification - Cisco Email Security Appliance will be FIPS certified and has integrated the following FIPS 140-2 approved cryptographic module: Cisco Common Crypto Module (FIPS 140-2 Cert. #1643). See the “FIPS Management” chapter in the user guide or online help.
  • New Data Loss Prevention (DLP) solution - RSA has announced End of Life (EOL) for RSA Data Loss Prevention Suite. For more information, see https://community.rsa.com/docs/DOC-59316. Cisco now provides an alternative DLP solution that allows seamless migration of all the existing DLP policies created in RSA DLP to the new DLP engine. After the upgrade, you can view or modify the migrated DLP policies in Mail Policies > DLP Policy Manager page in the web interface. For more information, see the “Data Loss Prevention” chapter in the user guide. Note: There is no support for RSA Enterprise Manager Integration in AsyncOS 11.0 and later. If you have DLP policies created in RSA Enterprise Manager, you must recreate those policies in your appliance after the upgrade.
  • Support for Two-Factor Authentication - Cisco Email Security appliance now supports two-factor authentication that ensures secure access when you log into your appliance. You can configure two-factor authentication for your appliance through any standard RADIUS server that complies with standard RFC. You can enable two-factor authentication in one of the following ways:
    • System Administration > Users page in the web interface. See the “Distributing Administrative Tasks” chapter in the user guide.
    • userconfig > twofactorauth command in the CLI. See the CLI Reference Guide for AsyncOS for Cisco Email Security Appliances.
    If you have enabled two-factor authentication on your appliance, you can join it to a cluster machine using pre-shared keys. Use the clusterconfig > prepjoin command in the CLI to configure this setting. See the “Centralized Management Using Clusters” chapter in the user guide.
  • Handling incoming mail connections and incoming or outgoing messages from different geographic locations - Cisco Email Security appliance can now handle incoming mail connections and incoming or outgoing messages from specific geolocations and perform appropriate actions on them, for example:
    • Prevent email threats coming from specific geographic regions.
    • Allow or disallow emails coming from specific geographic regions.
    You can use this feature in the following ways:
    • SMTP Connection Level. You can now configure sender groups to handle incoming mail connections from specific geolocations using one of the following ways:
      • Mail Policies > HAT Overview > Add Sender Group > Submit and Add Senders > Geolocation option in the web interface.
      • listenerconfig > hostaccess > country command in the CLI.
      For more information, see the “Defining Which Hosts Are Allowed to Connect Using the Host Access Table (HAT)” chapter in the user guide or the CLI Reference Guide for AsyncOS for Cisco Email Security Appliances. You can use the Geo Distribution report to view the details of incoming mail connections from specific geolocations based on the sender’s country of origin. For more information, see the “Using Email Security Monitor” chapter in the user guide.
    • Content or Message Filter Level: You can now create a content or a message filter to handle incoming or outgoing messages from specific geolocations and perform appropriate actions on such messages. Content and message filters include the following new options:
      • A new content filter condition - Geolocation
      • A new message filter rule - geolocation-rule().
      For more information, see the “Content Filters” or “Using Message Filters to enforce Email Policies” chapter in the user guide. You can use the Content Filters and Message Filters reports to view the details of incoming or outgoing messages from specific geolocations that are detected by the content or message filter. For more information, see the “Using Email Security Monitor” chapter in the user guide. You can use Message Tracking to search for incoming messages from specific geolocations detected by the content or message filter. Use the Geolocation filter for the Message Event option in the Advanced section of Message Tracking. The geolocation list of countries is cloud updateable.
  • Scanning Outgoing Messages using the AMP engine - You can now configure the appliance to scan outgoing messages using the AMP engine. You can use this feature to:
    • Prevent users from sending malicious messages from the organization's network, which can lead to low IP or domain reputation.
    • Track users who are sending outbound messages with malicious attachments and perform appropriate actions on them.
    You can configure the outgoing mail policy of your appliance to allow scanning of messages by the AMP engine in one of the following ways:
    • Mail Policies > Outgoing Mail Policies page in the web interface. See the "File Reputation Filtering and File Analysis" chapter in the user guide.
    • policyconfig command in the CLI
    The following reports have been enhanced to show details of outgoing messages scanned by the AMP engine:
    • AMP File Analysis
    • AMP Verdict Updates
    • Overview Page
    • Outgoing Destinations
    • Outgoing Senders
    • Internal Users
    See the "Using Email Security Monitor" chapter in the user guide. You can use the Mail Flow Direction filter in the Message Tracking > Message Event > Advanced Malware Protection option to search for incoming and outgoing messages that are scanned by the AMP engine.
  • Manually Rollback to a Previous version of the Service Engine - You can now manually roll back to a previous version of the current engine when:
    • The engine update is defective.
    • The engine is not functioning properly
    Currently, you can perform an engine rollback for the following engines:
    • McAfee
    • Sophos
    • Graymail
    You can perform an engine rollback only at the machine level and not at the cluster level. You can use the Security Services > Services Overview page in the web interface to perform:
    • Rollback to a previous version of the service engine.
    • Manually update the service engines to the required version.
    For more information, see the "System Administration" chapter in the user guide.
  • Enable or Disable Automatic Updates - You can now enable or disable automatic updates in the Global Settings page for the following service engines:
    • McAfee
    • Sophos
    • Graymail
    You can now receive periodic alerts when automatic updates are disabled for a specific service engine. You can change the existing alert interval in one of the following ways:
    • Security Services > Service Updates > Alert Interval for Disabled Automatic Engine Updates option in the web interface. See the "System Administration" chapter in the user guide.
    • updateconfig command in the CLI.
  • Performing additional actions on attachments detected by Advanced Malware Protection in Mail Policy - You can perform the following additional actions, if an attachment is considered 'malicious', 'unscannable', or 'sent for file analysis' in the Advanced Malware Protection section for Incoming or Outgoing Mail Policies:
    • Modifying the message recipient
    • Sending the message to an alternate destination host.
    For more information, see the "File Reputation Filtering and File Analysis" chapter in the user guide.
  • Improved AMP Engine Logs - Information about the following scenarios are now logged in the AMP engine logs:
    • File that is not uploaded to the File Analysis server.
    • File that is skipped for file analysis because the appliance exceeded the daily file upload limit to the File Analysis server.
    • File that is marked as unscannable.
  • Support Archive File Formats for Content Scanning - The Content Scanner in your appliance can perform content scanning on the following archive file formats:
    • ACE Archive
    • ALZ Archive
    • Apple Disk Image
    • ARJ Archive
    • bzip2 Archive
    • EGG Archive
    • GNU Zip
    • ISO Disk Image
    • Java Archive
    • LZH
    • Microsoft Cabinet Archive
    • RAR Multi-Part File
    • RedHat Package Manager Archive
    • Roshal Archive (RAR)
    • Unix AR Archive
    • UNIX Compress Archive
    • UNIX cpio
    • UNIX Tar
    • XZ Archive
    • Zip Archive
    • 7-Zip
  • Macro Detection Enhancement - You can now detect macros in the following files:
    • Javascript macros in Adobe Acrobat Portable Document Format (PDF) files.
    • Visual Basic for Applications (VBA) macros in Microsoft Office Files (Open XML) and OLE files.
    For more information, see the "Content Filters" or "Using Message Filters to Enforce Email Policies" chapter in the user guide.
  • CRL Check for web interface login - You can configure CRL check for web interface login using one of the following ways:
    • Network > CRL Sources > Edit Settings > CRL check for WebUI option in the web interface. See the "Authenticating SMTP Sessions Using Client Certificates" chapter in the user guide.
    • certconfig > crl command in the CLI
    If you enable this option and the certificate is revoked:
    • You will receive an alert indicating that the certificate is revoked.
    • You will not be able to access the web interface of your appliance. However you can still log in to your appliance using the CLI.
    You must import and configure a valid certificate through the CLI to be able to access the web interface of your appliance. See CLI Reference Guide for AsyncOS for Cisco Email Security Appliances.
  • Configure Cache Expiry Period for File Reputation disposition values - You can configure the cache expiry period for File Reputation disposition values in one of the following ways:
    • Security Services > File Reputation and Analysis > Cache Settings page in the web interface.
    • ampconfig > cachesettings > modifytimeout command in the CLI.
  • New datacenter added in European region for File Reputation and File Analysis services - Cisco has added a new datacenter in the European region for the File Reputation and File Analysis services:
    • EUROPE (cloude-sa.eu.amp.cisco.com) for File Reputation server
    • EUROPE (https://panacea.threatgrid.eu) for File Analysis server
    You can configure your Email Security appliance to use the new File Reputation and File Analysis services. For more information, see the "File Reputation Filtering and File Analysis" chapter in the user guide.
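The archive-scanning and macro-detection items above describe what a content scanner has to do before a policy can act on an attachment: open each archive layer, stop at a nesting and decompression budget (otherwise a nested or "bomb" archive exhausts the scanner), and recognise that an Office Open XML document is itself a zip package that must be classified rather than expanded. The following Python example is added here to illustrate those checks; it is not Cisco's Content Scanner or any AsyncOS code, it covers only the formats the Python standard library can open (zip, tar, gzip, bzip2, xz), and the sample attachments, budgets and verdict names are constructed for the demonstration. It detects VBA projects in Open XML packages (by part name or by the vbaProject content type) and JavaScript in PDFs only where the `/JavaScript` or `/JS` name is visible in uncompressed object data; OLE files and compressed PDF object streams are out of scope.

```python
import bz2, gzip, io, lzma, re, tarfile, zipfile

MAX_DEPTH = 4                  # archive nesting levels to descend (illustrative)
MAX_TOTAL = 50 * 1024 * 1024   # decompressed-byte budget per scanned attachment

class ScanLimit(Exception):
    """Raised when decompression exceeds the byte budget (zip-bomb protection)."""

def sniff(data):
    """Identify an archive layer by magic bytes; None means 'not an archive'."""
    if data[:4] == b"PK\x03\x04": return "zip"
    if data[:2] == b"\x1f\x8b": return "gzip"
    if data[:3] == b"BZh": return "bzip2"
    if data[:6] == b"\xfd7zXZ\x00": return "xz"
    if len(data) > 262 and data[257:262] == b"ustar": return "tar"
    return None

def children(data, kind):
    """Yield (member_name, readable_stream) for one archive layer."""
    bio = io.BytesIO(data)
    if kind == "zip":
        with zipfile.ZipFile(bio) as z:
            for info in z.infolist():
                if not info.is_dir():
                    with z.open(info) as f:
                        yield info.filename, f
    elif kind == "tar":
        with tarfile.open(fileobj=bio, mode="r:") as t:
            for m in t.getmembers():
                if m.isfile():
                    yield m.name, t.extractfile(m)
    else:  # single-stream compressors: the payload keeps the parent's name
        with {"gzip": gzip.open, "bzip2": bz2.open, "xz": lzma.open}[kind](bio) as f:
            yield "", f

def is_openxml(data):
    """Office Open XML files are zip packages; treat them as documents, not archives."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return any(n.lower() == "[content_types].xml" for n in z.namelist())

_PDF_JS = re.compile(rb"/(JavaScript|JS)\b")

def classify(data):
    """Verdict for one leaf file: 'vba-macro', 'pdf-javascript' or 'clean'."""
    if data.startswith(b"%PDF-"):
        # Undo PDF name escapes such as /J#61vaScript before matching.
        plain = re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)
        return "pdf-javascript" if _PDF_JS.search(plain) else "clean"
    if data[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "vba-macro"
            ct = next((n for n in names if n.lower() == "[content_types].xml"), None)
            if ct and b"application/vnd.ms-office.vbaProject" in z.read(ct):
                return "vba-macro"  # renamed part that still declares the VBA type
    return "clean"

def scan(data, name, max_depth=MAX_DEPTH, max_total=MAX_TOTAL):
    """Return [(path, verdict)] for every leaf reachable from `data`."""
    return _walk(data, name, 0, max_depth, [max_total])

def _walk(data, name, depth, max_depth, budget):
    kind = sniff(data)
    if kind is None or (kind == "zip" and is_openxml(data)):
        return [(name, classify(data))]
    if depth >= max_depth:
        return [(name, "archive-not-expanded")]  # a policy would quarantine/flag this
    out = []
    for child, stream in children(data, kind):
        blob = stream.read(budget[0] + 1)     # never read more than the budget allows
        budget[0] -= len(blob)
        if budget[0] < 0:
            raise ScanLimit(f"decompressed size budget exceeded inside {name}")
        out.extend(_walk(blob, f"{name}/{child}" if child else name, depth + 1, max_depth, budget))
    return out

def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for n, b in members.items():
            z.writestr(n, b)
    return buf.getvalue()

def make_targz(members):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as t:
        for n, b in members.items():
            info = tarfile.TarInfo(n); info.size = len(b)
            t.addfile(info, io.BytesIO(b))
    return buf.getvalue()

# Constructed samples (not real malware): a macro-enabled Word package and a PDF with
# an escaped /JavaScript OpenAction, nested inside a tar.gz inside a zip.
DOCM = make_zip({"[Content_Types].xml": '<Types><Override PartName="/word/vbaProject.bin" '
                 'ContentType="application/vnd.ms-office.vbaProject"/></Types>',
                 "word/document.xml": "<w:document/>", "word/vbaProject.bin": b"\xd0\xcf\x11\xe0" + b"\0" * 28})
DOCX = make_zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"})
PDF_JS = b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction << /S /J#61vaScript /JS (app.alert(1)) >> >> endobj\n%%EOF\n"
PDF_OK = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
SAMPLE = make_zip({"notes.txt": b"hello", "inner.tar.gz": make_targz(
    {"memo.docm": DOCM, "form.pdf": PDF_JS, "ok.docx": DOCX, "ok.pdf": PDF_OK})})

if __name__ == "__main__":
    for path, verdict in scan(SAMPLE, "attach.zip"):
        print(f"{verdict:16} {path}")
```

Running the module prints one verdict per leaf, e.g. `vba-macro attach.zip/inner.tar.gz/memo.docm`. Two design points matter for a mail gateway: the budget is enforced on bytes actually decompressed (`read(budget + 1)`), not on the sizes the archive headers claim, and an archive that exceeds the nesting limit is reported as its own verdict rather than silently treated as clean, so a policy can quarantine it.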
Version number: 11.0 HP1
Release status: Final
Website: Cisco
Download: https://software.cisco.com/
Licence type: Paid

Comments (4)

The version here in the virtual variant reads as follows: 11.0.0-264. It has been running on ours (2 units) for well over a week now, and since then there have been problems with the cluster. Rebuilding the cluster does not work either. Reported to Cisco via our supplier, and this turned out to be a known issue with this version. Still under investigation at the moment! So do not install it yet if you have a cluster running!
I do indeed recognise the problems with the cluster configuration under version 11. We also run the virtual variants. We also have a case open with TAC. Wouldn't this be a hotfix, though? It concerns a slightly higher build than the normal deployment:
...
This firmware is called 11.0 Hot Patch 1 and has 11.0.0-267 as its exact version number
...
Correct, I noticed that too. However, a patch with that number is not available on the appliance. Perhaps there is a difference between the software for bare-metal appliances and the virtual versions.
The cluster runs fine for us. After the upgrade we did run clusterconfig again to rebuild the cluster.
We do get a notification every hour about disconnects between the cluster nodes, even after switching cluster communication to SSH instead of the Cluster Communication Service.

Did you run logconfig ssh hostkey scan <hostname_or_IP_address> before the migration? (It's in the release notes.)





