Solution to URL Filter Scan Failure on Emails

Available Languages

Updated:February 13, 2018
Document ID:212717

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes the scenarios and the solution for URL Filter Scan Failure on Cisco Emails. The URL filter is enabled on the Cisco Email Security Appliance (ESA), Cisco Cloud Email Security (CES) and scan fails.

    Problem

    The scenarios where URL filter scan fails are: 

    • Unable to obtain the URL Reputation and Category.

    • Unable to expand the shortened URLs in the message.

    • Number of URLs in the message body or message attachments exceeds the maximum URL scan limit.

    Note: URL filter scan failure action can only be applied on AsyncOS 11.1 and onwards.

    Solution

    There are no options in the message filter or content filter's conditions which is indicative of an option to handle failed URL filter scans.

    When URL filter scan fails, the ESA adds these header into the email:

    X-URL-LookUp-ScanningError  

    With Content Filters

    1. Navigate to the GUI > Incoming or Outgoing Content Filters.
    2. Verify the order of your content filters, the new filter created must be below your current URL filtering content filters.
    3. Click Add Filter...
    4. Name your filter and order it below your URL Filtering content filters.
    5. Click Add Condition...
    6. Select Other Header and the radio button Header Exists.
    7. On the Header Name: text box, add "X-URL-LookUp-ScanningError".
    8. Add your preferred action to this email.
    9. Submit and commit your changes.

    An example output of the sample content filter is as shown in the image.

    212717-how-do-i-take-action-on-messages-where-u-00.png

    With Message Filters

    Note: In order to take action on URL filter scan failure, URL filter must be done at the message filter level.

    1. Log into the CLI.
    2. Run the command filters.
    3. Run the command list.
    4. Note the order of your URL Filtering message filters.
    5. Run the command new.
    6. Insert the message filter in order to take the appropriate action on URL filter scan failure events. A sample filter is provided here.
    7. Optional: Run the command move and move this new filter under your current URL filter message filters.
    8. Submit and commit your changes.
    Unscannable_URL_Filter:
    if header("X-URL-LookUp-ScanningError")
    {
    edit-header-text("Subject", "(.*)", "[URL SCANNING ERROR]\\1");
    }
    .

    Related Information

    Revision History

    Revision Publish Date Comments
    1.0
    13-Feb-2018
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Mathew Huynh
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products