
ESA with AMP Gets "The File Reputation service in the cloud is unreachable" Error

August 28, 2015 (machine translation of the English original dated April 23, 2015)

Introduction

This document describes an alert raised by a Cisco Email Security Appliance (ESA) that has Advanced Malware Protection (AMP) enabled but whose AMP service is not communicating over Secure Sockets Layer (SSL) on port 443.

Contributed by Robert Sherwin, Cisco TAC Engineer.

Correct the "File Reputation service in the cloud is unreachable" Error for AMP

AMP was released for use on the ESA in AsyncOS version 8.5.5 and later. With AMP licensed and enabled on the ESA, the administrator receives this message:

The Warning message is:

amp The File Reputation service in the cloud is unreachable.

Last message occurred 2 times between Mon Jan 26 10:17:15 2015 and Mon Jan 26 10:18:16 2015.

Version: 8.5.6-092
Serial Number: 123A82F6780EEE9E1E10-AAA5DBEFCEEE
Timestamp: 26 Jan 2015 10:56:28 -0600

The AMP service may be enabled, but most likely it is not communicating over port 443.

To ensure that AMP communicates over port 443, run ampconfig > advanced from the CLI and make sure that Y is selected at the prompt "Do you want to enable SSL communication (port 443) for file reputation? [Y]>":

> ampconfig

File Reputation: Enabled
File Analysis: Enabled
File types selected for File Analysis:
Adobe Portable Document Format (PDF)
Microsoft Office 2007+ (Open XML)
Microsoft Office 97-2004 (OLE)
Microsoft Windows / DOS Executable


Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- CLEARCACHE - Clears the local File Reputation cache.
[]> advanced

Enter cloud query timeout?
[15]>

Enter cloud domain?
[a.immunet.com]>

Enter reputation cloud server pool?
[cloud-sa.amp.sourcefire.com]>

Do you want use the recommended reputation threshold from cloud service? [Y]>

Enter file analysis server URL?
[https://intel.api.sourcefire.com]>

Enter heartbeat interval?
[15]>

Do you want to enable SSL communication (port 443) for file reputation? [Y]>

Proxy server detail:
Server :
Port :
User :

Do you want to change proxy detail [N]>

If you use the GUI, click Security Services > File Reputation and Analysis > Edit Global Settings > Advanced (drop-down) and make sure that the Use SSL check box is enabled, as shown here:

Commit any changes to your configuration.

Finally, check the current AMP logs to see whether the service and its connection succeed or fail. You can do this from the CLI with tail amp.

Before the change is made in ampconfig > advanced, you will see this in the AMP logs:

Mon Jan 26 10:11:16 2015 Warning: amp The File Reputation service in the cloud 
is unreachable.
Mon Jan 26 10:12:15 2015 Warning: amp The File Reputation service in the cloud
is unreachable.
Mon Jan 26 10:13:15 2015 Warning: amp The File Reputation service in the cloud
is unreachable.
Mon Jan 26 10:14:15 2015 Warning: amp The File Reputation service in the cloud
is unreachable.
Mon Jan 26 10:15:15 2015 Warning: amp The File Reputation service in the cloud
is unreachable.
Mon Jan 26 10:16:15 2015 Warning: amp The File Reputation service in the cloud
is unreachable.
Mon Jan 26 10:17:15 2015 Warning: amp The File Reputation service in the cloud
is unreachable.
Mon Jan 26 10:18:16 2015 Warning: amp The File Reputation service in the cloud
is unreachable.

After the change is made in ampconfig > advanced, you will see this in the AMP logs:

Mon Jan 26 10:18:47 2015 Info: amp File reputation service initialized 
successfully
Mon Jan 26 10:18:47 2015 Info: amp File Analysis service initialized
successfully
Mon Jan 26 10:18:48 2015 Info: amp The File Analysis server is reachable
Mon Jan 26 10:19:19 2015 Info: amp stunnel process started pid [3725]
Mon Jan 26 10:19:22 2015 Info: amp The File Reputation service in the cloud
is reachable.
Mon Jan 26 10:19:22 2015 Info: amp File reputation service initialized
successfully
Mon Jan 26 10:19:22 2015 Info: amp File Analysis service initialized
successfully
Mon Jan 26 10:19:23 2015 Info: amp The File Analysis server is reachable
Mon Jan 26 10:20:24 2015 Info: amp File reputation query initiating. File Name =
'amp_watchdog.txt', MID = 0, File Size = 12 bytes, File Type = text/plain
Mon Jan 26 10:20:24 2015 Info: amp Response received for file reputation query
from Cloud. File Name = 'amp_watchdog.txt', MID = 0, Disposition = file unknown,
Malware = None, Reputation Score = 0, sha256 = a5f28f1fed7c2fe88bcdf403710098977
fa12c32d13bfbd78bbe27e95b245f82, upload_action = 1

The amp_watchdog.txt file appears in the logs every 10 minutes. This file is part of the AMP keep-alive.

In the AMP logs, a normal query looks similar to this:

Wed Jan 14 15:33:01 2015 Info: File reputation query initiating. File Name = 
'securedoc_20150112T114401.html', MID = 703, File Size = 108769 bytes, File
Type = text/html
Wed Jan 14 15:33:02 2015 Info: Response received for file reputation query from
Cloud. File Name = 'securedoc_20150112T114401.html', MID = 703, Disposition = file
unknown, Malware = None, Reputation Score = 0, sha256 = c1afd8efe4eeb4e04551a8a0f5
533d80d4bec0205553465e997f9c672983346f, upload_action = 1

With this information, you should be able to correlate the Message ID (MID) with the entries in the mail logs.
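To make that correlation repeatable, here is an added Python example (not from the Cisco document or from AsyncOS) that parses AMP log lines in the format shown above: it counts the "unreachable" warnings, reports the last known cloud state, and maps each MID to its cloud verdict, skipping the MID 0 amp_watchdog.txt keep-alive. It assumes one log entry per line, as the appliance writes it (the wrapping above is only for display); the sample lines are constructed from the entries on this page.

```python
import re
from collections import Counter

# Constructed sample in the ESA AMP log format shown on this page (not a real capture);
# one log entry per line, as the appliance writes it.
SAMPLE_LOG = """\
Mon Jan 26 10:17:15 2015 Warning: amp The File Reputation service in the cloud is unreachable.
Mon Jan 26 10:18:16 2015 Warning: amp The File Reputation service in the cloud is unreachable.
Mon Jan 26 10:19:19 2015 Info: amp stunnel process started pid [3725]
Mon Jan 26 10:19:22 2015 Info: amp The File Reputation service in the cloud is reachable.
Mon Jan 26 10:20:24 2015 Info: amp Response received for file reputation query from Cloud. File Name = 'amp_watchdog.txt', MID = 0, Disposition = file unknown, Malware = None, Reputation Score = 0, sha256 = a5f28f1fed7c2fe88bcdf403710098977fa12c32d13bfbd78bbe27e95b245f82, upload_action = 1
Wed Jan 14 15:33:02 2015 Info: Response received for file reputation query from Cloud. File Name = 'securedoc_20150112T114401.html', MID = 703, Disposition = file unknown, Malware = None, Reputation Score = 0, sha256 = c1afd8efe4eeb4e04551a8a0f5533d80d4bec0205553465e997f9c672983346f, upload_action = 1
"""

TS = r"(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})"
# Cloud status lines: "Warning: ... is unreachable." / "Info: ... is reachable."
STATE_RE = re.compile(TS + r" \w+: amp The File Reputation service in the cloud is (?P<state>un)?reachable\.")
# Verdict lines; the "amp " prefix is present in some AsyncOS builds and absent in others.
RESP_RE = re.compile(
    TS + r" Info: (?:amp )?Response received for file reputation query from Cloud\. "
    r"File Name = '(?P<name>[^']*)', MID = (?P<mid>\d+), Disposition = (?P<disp>[^,]+), "
    r"Malware = (?P<mal>[^,]+), Reputation Score = (?P<score>-?\d+), "
    r"sha256 = (?P<sha>[0-9a-fA-F]{64}), upload_action = (?P<ua>\d+)")

def reputation_state(text):
    """Return (number of 'unreachable' warnings, last known cloud state)."""
    states = ["unreachable" if m["state"] else "reachable" for m in STATE_RE.finditer(text)]
    return Counter(states)["unreachable"], (states[-1] if states else "unknown")

def parse_responses(text, include_watchdog=False):
    """Map MID -> verdict fields from 'Response received' lines. MID 0 is the
    amp_watchdog.txt keep-alive, not a real message, so it is skipped by default."""
    out = {}
    for m in RESP_RE.finditer(text):
        mid = int(m["mid"])
        if mid == 0 and not include_watchdog:
            continue
        out[mid] = {"file": m["name"], "disposition": m["disp"].strip(), "malware": m["mal"],
                    "score": int(m["score"]), "sha256": m["sha"].lower(),
                    "upload_action": int(m["ua"])}
    return out

def flagged(responses):
    """MIDs whose cloud verdict named a malware, for follow-up in the mail logs."""
    return sorted(mid for mid, v in responses.items() if v["malware"] != "None")
```

Feed the output of tail amp (or an exported amp log) to these functions and look up each returned MID in the mail logs.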

Troubleshooting

Check your firewall and network settings to ensure that SSL communication is open for the following:

Port 443, TCP
  Hostname: as configured in Security Services > File Reputation and Analysis, Advanced section
  Description: access to the cloud services for File Analysis

Port 32137, TCP
  Hostname: as configured in Security Services > File Reputation and Analysis, Advanced section, Cloud Server Pool parameter
  Description: access to the cloud services for obtaining File Reputation

You can test basic connectivity from your ESA to the cloud services on port 443 with Telnet, to ensure that your appliance can successfully reach the AMP services.

Note: The File Reputation and File Analysis addresses are configured in the CLI with ampconfig > advanced, or from the GUI with Security Services > File Reputation and Analysis > Edit Global Settings > Advanced (drop-down).

File Reputation example:

ironport:service 36] telnet cloud-sa.amp.sourcefire.com 443
Trying 184.73.186.190...
Connected to cloud-sa.amp.sourcefire.com.
Escape character is '^]'.
^]
telnet> quit
Connection closed.

File Analysis example:

ironport:service 37] telnet intel.api.sourcefire.com 443
Trying 198.148.79.52...
Connected to intel.api.sourcefire.com.
Escape character is '^]'.
^]
telnet> quit
Connection closed.



Document ID: 118785