Using Sub Configuration Masters

You can now configure subsets of a particular version of the Configuration Master to centrally manage the different policy configurations of your Web Security appliance.

For more information, see Managing Web Security Appliances.

New Web Interface for Reporting, Quarantine and Tracking

The appliance now has a new web interface to search and view:

• Email Reports. You can now view email reports from the Reports drop-down based on the following categories:

  • Email Threat Reports

  • File and Malware Reports

  • Connection and Flow Reports

  • User Reports

  • Filter Reports

  For more information, see chapter Using Centralized Email Security Reporting.

• Spam Quarantine

  • You can now view and search for spam and suspected spam messages in Quarantine > Spam Quarantine > Search page in the web interface.

  • You can view, add and search for domains added in the safelist and blocklist in Quarantine > Spam Quarantine > Safelist or Blocklist page in the web interface.

  For more information, see chapter Spam Quarantine.

• Policy, Virus and Outbreak Quarantines. You can view and search for policy, virus and outbreak quarantines in Quarantine > Other Quarantine > Search page in the web interface. For more information, see chapter Centralized Policy, Virus, and Outbreak Quarantines.

• Message Tracking. You can search for messages or a group of messages depending on your search criteria in Tracking > Search page in the web interface. For more information, see chapter Tracking Messages.

The trailblazerconfig CLI Command

You can use the trailblazerconfig command to route your incoming and outgoing connections through HTTP and HTTPS ports on the new web interface.

For more information, see The trailblazerconfig Command.

Encrypting sensitive information on the appliance

You can use the adminaccessconfig > encryptconfig sub command in the CLI to configure encryption of sensitive information on your appliance.

Message Tracking Enhancement

You can now search for messages based on the “Reply-To” header of the message.

For more information, see Tracking Messages.

Support for new features in AsyncOS 12.0 for Cisco Email Security Appliances

You can now view the following reports on the Reporting page of the Security Management appliance:

• External Threat Feeds

• Sender Domain Reputation

For more information, see Understanding the Email Reporting Pages on the New Web Interface.

You can now view outgoing TLS connections summary for DANE Success and DANE Failure scenarios. For more information, see section SMTP DNS-based Authentication of Named Entities of the User Guide or Online Help for AsyncOS 12.0 for Cisco Email Security Appliances.

You can now use the following message events to search for messages on the Message Tracking page of the Security Management appliance:

• External Threat Feeds

• Sender Domain Reputation

• DANE Failure

Advanced Malware Protection Report Enhancements

The Advanced Malware Protection report page has the following enhancements:

• A new section - Incoming Malware Files by Category to view the percentage of blacklisted file SHAs received from the AMP for Endpoints console that are categorised as Custom Detection.

  The threat name of a blacklisted file SHA obtained from AMP for Endpoints console is displayed as Simple Custom Detection in the Incoming Malware Threat Files section of the report.

• A new section - Incoming Malware Files by Category to view the percentage of blacklisted file SHAs based on the threshold settings that are categorised as Custom Threshold.

• You can click on the link in the More Details section of the report to view the file trajectory details of a blacklisted file SHA in the AMP for Endpoints console.

• A new verdict – Low Risk is introduced when no dynamic content is found in a file after file analysis. You can view the verdict details in the Incoming Files Handed by AMP section of the report.

See Advanced Malware Protection Page.

New Web Interface for Web Reporting and Tracking

The appliance now has a new web interface to search and view:

• Web Reports

  You can now view web based reports from the Reports drop-down based on the following categories:

  • General Reports

  • Threats Reports

• Web Tracking

  You can search for web transactions depending on your search criteria. On your Security Management appliance , click on the Web dropdown and choose Tracking > Web Tracking Search page.

For more information, see chapter Using Centralized Web Reporting and Tracking.

Metrics Bar Widget

The Metrics Bar widget enables you to view the real time data of the file analysis done by the Cisco Threat Grid appliance on the Advanced Malware Protection report page.

For more information, see Advanced Malware Protection Page.

HTTPS Reports Page

You can now view the overall aggrgation of the HTTP/HTTPS traffic and the summary of the ciphers based on the client and server side connection for each HTTP/HTTPS traffic, on the HTTPS Reports report page.

For more information, see Using Centralized Web Reporting and Tracking.

Integrating the Appliance with Cisco Threat Response Portal

You can integrate your appliance with Cisco Threat Response portal, and perform the following actions in Cisco Threat Response portal:

• View the message tracking data from multiple appliances in your organization.

• Identify, investigate and remediate threats observed in the message tracking.

• Resolve the identified threats rapidly and provide recommended actions to take against the identified threats.

• Document the threats in the portal to save the investigation, and enable collaboration of information among other devices on the portal.

For more information, see Assigning Network and IP Addresses.

Web Traffic Tap Policies

Cisco Content Security Management appliance now allows you to set Web Traffic Tap Policies. You can define the Web Traffic Tap Policies based on which web traffic that passes through theWeb Security appliance will be tapped.

You must enable the Web Traffic Tap feature in Web Security appliance to set Web Traffic Tap Policies in Security Management appliance.

The Web Overview report page now includes sections on Web Traffic Tap Status, Web Traffic Tap Summary, Tapped HTTP/HTTPS Traffic, and Tapped Traffic Summary. See Web Reporting Overview.

Support for the Office 365 Web Service External URL Categories feature in AsyncOS for Cisco Web Security Appliances

This release supports the Office 365 Web Service External URL Categories feature in AsyncOS for Cisco Web Security Appliances.

For more information, see Using Centralized Web Reporting and Tracking.

Change in Report Pages

The following reports are changed on the new web interface, in this release:

• Overview report page is renamed to Mail Flow Summary.

• Outbreak Filters report page is renamed to Outbreak Filtering.

• Virus Types report page is renamed to Virus Filtering.

• Advanced Malware Protection, AMP File Analysis, AMP Verdict Updates and Mailbox Auto Remediation report pages are merged as Advanced Malware Protection.

• Incoming Mail and Outgoing Senders report pages are merged as Mail Flow Details.

• TLS Connections report page is renamed to TLS Encryption.

• Geo-Distribution report page is renamed to Connection by Country.

• Internal Users report page is renamed to User Mail Summary.

• Web Interaction Tracking report page is renamed to Web Interaction.

For more information, see Understanding the Email Reporting Pages on the New Web Interface.

Changes in Spam Quarantine

The administrative users can now access the Spam Quarantine page on the new web interface of the appliance.

You can click Quarantine > Spam Quarantine > Search page to access the Spam Quarantine page.

The end-users can now access the Spam Quarantine portal on the new web interface, For more information, see Accessing the Web Interface.

You will now recieve spam notifications with links to the new web interface. Make sure that you have enabled AsyncOS API HTTP/HTTPS ports and HTTP/HTTPS service on the appliance.

If you are using spam quarantine on the any other interface (Data 1), then you must set it as the default interface.

If the trailblazerconfig is enabled, then you must enable the AsyncOS API ports (HTTP/HTTPS) and HTTP/HTTPS service on the (Data 1) interface. If the trailblazerconfig is disabled, then you must enable the AsyncOS API ports (HTTP/HTTPS) on the (Data 1) interface.

For more information, see The trailblazerconfig Command.

Encrypting Passphrases

After you upgrade to this release, you can encrypt the user’s passphrases when updating the configuration files on the appliance.

To encrypt the passphrase, do one of the following:

• On the System Administration > Configuration File page, select the Encrypt passphrases in the Configuration Files checkbox.

• Use the saveconfig command in the CLI to encrypt the passphrase.

Changing the User's Passphrase After Expiry

Users are prompted to change the passphrase after the user account is expired. For more information, see Changing the User’s Passphrase After Expiry.

Changes in Demo Certificates

Prior to this release, the appliance was pre-configured with a demonstration certificate to enable the TLS connections. After you upgrade to this release, the appliance generates a unique certificate to enable TLS connection. The existing demonstration certificate that is used in the following configurations are replaced with the new certificate:

• Mail Delivery

• LDAP

• Networking

• URL Filtering

• SMTP Services

Landing Page

After you log in to the Cloud Email Security Management Console, the Mail Flow Summary page is displayed.

After you log in to the appliance, the System Status page is displayed.

Product Drop-down

You can switch between the Email Security Appliance and the Web Security Appliance from the Product drop-down.

For more information, see Using the Interactive Report Pages.

You can use the Email or Web tab to switch between the Email Security Appliance and the Web Security Appliance.

Reports Drop-down

You can view reports for your Email and Web Security Appliances from the Reports drop-down.

For more information, see Using the Interactive Report Pages.

You can view reports for your Email and Web Security Appliances from the Reporting drop-down menu.

Management Appliance Tab

Click on the Cloud Email Security Management Console to access the Management Appliance tab.

You can enable and configure reporting, message tracking and quarantines, as well as configure network access, and monitor system status.

My Reports Page

Click on the Cloud Email Security Management Console and choose Email > Reporting > My Reports to access the My Reports page.

You can customize your reports dashboard by assembling charts (graphs) and tables from existing report pages.

Reporting Data Availability Page

Click on the Cloud Email Security Management Console and choose Email > Reporting > Reporting Data Availability to access the Reporting Data Availability page.

You can view, update and sort data to provide real-time visibility into resource utilization and email traffic trouble spots.

Scheduling & Archiving Reports

Click on the Cloud Email Security Management Console and choose Email > Reporting > Scheduled Reports to schedule your reports.

Click on the Cloud Email Security Management Console and choose Email > Reporting > Archive Reports to archive your reports.

You can schedule reports using the Email > Reporting > Scheduled Reports page, and archive your reports using the Email > Reporting > Archived Report page of the Security Management appliance.

Reporting Overview Page

The Email Reporting Overview page on the Security Management appliance has been redesigned as Mail Flow Summary page in the new web interface. The Mail Flow Summary page includes trend graphs and summary tables for incoming and outgoing messages.

The Email Reporting Overview page on the Security Management appliance provides a synopsis of the email message activity from your Email Security appliances. The Overview page includes graphs and summary tables for the incoming and outgoing messages.

Advanced Malware Protection Report Pages

The following sections are available on the Advanced Malware Protection report page of the Reports menu:

• Summary

• AMP File Reputation

• File Analysis

• File Retrospection

• Mailbox Auto Remediation

The Email > Reporting drop-down menu of the Security Management appliance has the following Advanced Malware Protection report pages:

• Advanced Malware Protection

• AMP File Analysis

• AMP Verdict Updates

• Mailbox Auto Remediation

Outbreak Filters Page

The Past Year Virus Outbreaks and Past Year Virus Outbreak Summary are not available in the Outbreak Filtering report page of the new web interface.

The Email > Reporting Outbreak Filters page displays the Past Year Virus Outbreaks and Past Year Virus Outbreak Summary.

Spam Quarantines (Administrative and End Users)

Click Quarantine > Spam Quarantine > Search in the new web interface.

The end users can access the spam quarantine using the URL: https://example.com:<https-api-port>/euq-login

where example.com is the appliance hostname and <https-api-port> is the AsyncOS API HTTPS port opened on the firewall.

-

Policy, Virus and Outbreak Quarantines

Click Quarantine > Other Quarantine in the new web interface.

You can only view Policy, Virus and Outbreak Quarantines in the new web interface.

You can view, configure and modify the Policy, Virus and Outbreak Quarantines on the appliance.

Select All Action for Messages in Quarantine

You can select multiple (or all) messages and perform a message action such as delete, delay, release, move, etc.

You cannot select multiple messages to perform a message action.

Maximum Download Limit for Attachments

The maximum limit for downloading attachments of a quarantined message is restricted to 25 MB.

-

Rejected Connections

To search for rejected connections, click Tracking > Search > Rejected Connection tab on the Cloud Email Security Management Console.

-

Query Settings

The Query Settings field of the Message Tracking feature is not available on the Cloud Email Security Management Console.

You can set the query timeout in the Query Settings field of the Message Tracking feature.

Message Tracking Data Availability

Click on the Cloud Email Security Management Console and choose Email > Message Tracking > Message Tracking Data Availability to access Message Tracking Data Availability page.

You can view the missing-data intervals for your appliance.

Show Additional Details of Messages

You can view additional details of a message such as Verdict Charts, Last State, Sender Groups, Sender IP, SBRS Score and Policy Match details.

-

Verdict Charts and Last State Verdicts

Verdict Chart displays information of the various possible verdicts triggered by each engine in your appliance.

Last State of the message determines the final verdict triggered after all the possible verdicts of the engine.

Verdict Charts and Last State Verdicts of the messages are not available.

Message Attachments and Host Names in Message Details

Message attachments and host names are not displayed in the Message Details section of the message on the Cloud Email Security Management Console

Message attachments and host names are displayed in the Message Details section of the message.

Sender Groups, Sender IP, SBRS Score and Policy Match in Message Details

Sender Groups, Sender IP, SBRS Score, and Policy Match details of the message is displayed in the Message Details section, on the Cloud Email Security Management Console.

Sender Groups, Sender IP, SBRS Score, and Policy Match of the message is not available in the Message Details section of the message.

Direction of the Message (Incoming or Outgoing)

Direction of the message (incoming or outgoing) is displayed in the message tracking results page, on the Cloud Email Security Management Console.

Direction of the message (incoming or outgoing) is not displayed in the message tracking results page.