This document describes the scenarios and the solution for URL Filter Scan Failure on Cisco Emails. The URL filter is enabled on the Cisco Email Security Appliance (ESA), Cisco Cloud Email Security (CES) and scan fails.
The scenarios where URL filter scan fails are:
Unable to obtain the URL Reputation and Category.
Unable to expand the shortened URLs in the message.
Number of URLs in the message body or message attachments exceeds the maximum URL scan limit.
Note: URL filter scan failure action can only be applied on AsyncOS 11.1 and onwards.
There are no options in the message filter or content filter's conditions which is indicative of an option to handle failed URL filter scans.
When URL filter scan fails, the ESA adds these header into the email:
With Content Filters
Navigate to the GUI > Incoming or Outgoing Content Filters.
Verify the order of your content filters, the new filter created must be below your current URL filtering content filters.
Click Add Filter...
Name your filter and order it below your URL Filtering content filters.
Click Add Condition...
Select Other Header and the radio button Header Exists.
On the Header Name: text box, add "X-URL-LookUp-ScanningError".
Add your preferred action to this email.
Submit and commit your changes.
An example output of the sample content filter is as shown in the image.
With Message Filters
Note: In order to take action on URL filter scan failure, URL filter must be done at the message filter level.
Log into the CLI.
Run the command filters.
Run the command list.
Note the order of your URL Filtering message filters.
Run the command new.
Insert the message filter in order to take the appropriate action on URL filter scan failure events. A sample filter is provided here.
Optional: Run the command move and move this new filter under your current URL filter message filters.