
Cisco IronPort C-series / ESA CLI Cheat Sheet - 20130314
by Jens Roesen

Prompt, cluster and command modes, default user & password, contacts

The CLI command prompt is the machine's fully qualified domain name (FQDN) followed by '>':

    esa1.example.com>

When the machine is part of a cluster, the prompt indicates the current mode:

    (Machine esa1.example.com)>   vs.   (Cluster Example.com-Cluster)>

Some commands are restricted to cluster or machine mode, some may be run in any mode. If necessary, the ESA will prompt you to change mode. When an interactive command needs additional input, the prompt changes to square brackets enclosing the default value, if one exists. Some commands like dig or aliasconfig support a batch mode that lets you run a complete command as one single-line input:

    esa1.example.com> dig -t mx example.com

On a new ESA the default username is admin and its password is ironport. Change it (passwd) before the appliance is reachable from anything but the management network.

Send undetected spam to spam@access.ironport.com, false positives to ham@access.ironport.com, missed ads to ads@access.ironport.com and false positive ads to not_ads@access.ironport.com. Send each as an RFC822 MIME encoded attachment. See Knowledge Base article 472: http://bit.ly/XInXev

Basic commands
  help command        View help messages for command.
  who                 Show a list of currently logged in users.
  whoami              Show name and groups of your own user.
  passwd              Change the password for the current user.
  last                Show a list of recently logged in users and session dates.
  showchanges         View pending config changes as a nested tree structure.
  clear               Abandon all pending configuration changes.
  commit              Commit pending configuration changes.
  clustermode         Switch between machine, cluster and group mode.
  shutdown            Shut down and power off the appliance.
  reboot              Reboot the appliance. DO NOT USE reload LIKE IN CISCO IOS! reload WILL RESET ALL SETTINGS!
  exit / quit         Exit the CLI. Will warn you about uncommitted changes.

Infos and status
  version             Show brief hardware and software information.
  ipcheck             Show extended hardware and software information.
  status detail       View detailed system status.
  commitdetail        View details about the last commit in the active session.
  antispamstatus      Show status and latest updates for all enabled anti-spam engines.
  antivirusstatus     Show status and latest updates for all active anti-virus engines.
  repengstatus        Show version and latest updates for the SBRS engine.
  vofstatus / outbreakstatus  Show status of Virus Outbreak Filters. Since AsyncOS 7.5 the command is called outbreakstatus.
  sbstatus            Show SenderBase status.
  encryptionstatus    Show PXE engine status and last engine update.
  workqueue status    Display current work queue status.
  workqueue rate n    Display the number of pending, incoming and outgoing mails in the queue and refresh every n seconds.
  topin               View top hosts by number of incoming connections.
  rate n              Display in/out connections and recipient statistics. Updated every n seconds.
  hostrate domain n   Similar to rate but limited to a single destination domain.
  hoststatus domain   View statistics for domain including MX settings and latest 5xx delivery error.
  tophosts            View the top 20 destination domains in the mail queue. Can be sorted by active recipients, outgoing connections, delivered recipients, hard and soft bounces.
  featurekey          View, activate and check for new feature keys.
  dnsstatus           Show DNS statistics since counter reset / reboot / ever.
  resetcounters       Reset all counters of a single machine.

Configuring SMTP
  smtproutes          Add, delete, edit and view SMTP routing.
  listenerconfig      View, create, edit or delete public, private or blackhole listeners. Supports batch mode.
  deliveryconfig      Configure mail delivery settings.
  destconfig          Configure destination control limits for a specified domain.
  altsrchost          View, create and modify virtual gateway mappings for sender addresses or client IPs.
  bounceconfig        Create and modify bounce profiles.
  policyconfig        Configure and manage incoming and outgoing mail policies.
  textconfig          Configure text blocks for use in disclaimers, anti-virus alerts, DLP, encryption notifications or bounces.
  filters             Create, edit and view message filters.
  sievechar           Configure the character used for sieve mail filtering. Only used in LDAP Accept and LDAP Routing.
  dictionaryconfig    Create and manage content dictionaries.
  sslconfig           Configure SSL for HTTPS WUI access and inbound / outbound SMTP TLS connections (SSL versions, ciphers).
  certconfig          Manage certificates in PEM format and CA certificates.
  callaheadconfig     Configure, edit, view and test the SMTP Call-Ahead feature.
  addressconfig       Set the sender address used for mails generated by the system like bounces and notifications.

Test network and configuration
  ping                Test the network by sending a ping to a remote host.
  traceroute          View network path / routing to a remote host.
  telnet              Telnet to a remote host. Defaults to port 25, not 23!
  dig                 Run DNS queries. Supports batch mode.
  nslookup            Run DNS queries.
  packetcapture       Start a packet capture in AsyncOS versions from 7.2 up.
  tcpdump             Start a packet capture in AsyncOS versions up to 7.1.
  netstat             Display current network connections, network statistics, interface status, listen queue size or routing table.
  mailconfig          Send a mail with the XML configuration attached.
  trace               Trace the mail flow through the system with a virtual test mail.
  ldaptest            Run an LDAP query against a configured LDAP server.
  dnslisttest         Manually test an IP against a DNS-based blacklist.
  tlsverify           Test and verify a TLS connection to a remote MTA.

Managing message queues and mails
  workqueue status    Display current work queue status.
  workqueue rate n    Display the number of pending, incoming and outgoing mails in the queue and refresh every n seconds.
  showrecipients      Show messages from the queue by recipient host name, sender address or all mails in the queue.
  deleterecipients    Delete messages from the queue by recipient host name, sender address or all mails in the queue.
  bouncerecipients    Bounce messages from the queue by recipient host name, sender address or all mails in the queue.
  redirectrecipients  Redirect all mails to a relay host.
  showmessage         Show a complete message by MID in ASCII.
  archivemessage      Archive a message by its MID as an mbox file in the /configuration directory.
  removemessage       Remove a message from the work, retry or destination queue.
  oldmessage          Display headers and MID of the oldest message in the queue.
  delivernow          Attempt to deliver pending messages either by domain or simply reschedule all mails.
  unsubscribe         Manage unsubscribe lists for recipient addresses that will always be bounced or dropped.
  stripheaders        Strip all headers named in this table from all mails.

General configuration
  systemsetup         Run the system setup wizard. This will remove any existing listener and associated HAT configuration.
  userconfig          View and manage users and external authentication.
  adminaccessconfig   Configure the banner message and restrict access to the ESA based on IP ranges.
  interfaceconfig     Add, delete and edit IP interface settings (IPv4 and IPv6).
  etherconfig         Configure ethernet settings like speed and duplex mode, VLANs or NIC pairing.
  sethostname         Set the system hostname.
  setgateway          Set the default gateway.
  routeconfig         Configure static network routes.
  dnsconfig           Configure DNS servers and domain DNS settings. Supports batch mode.
  ldapconfig          Create, delete and manage LDAP server profiles.
  snmpconfig          Enable SNMP, set community string and password, define trap targets.
  ntpconfig           Configure NTP servers and the source interface for NTP queries.
  sshconfig           Configure sshd settings and view, add, delete or modify SSH keys used for SSH access.
  sslconfig           Configure SSL settings for HTTPS WUI access and inbound/outbound SMTP TLS connections.
  settz               Set up the time zone.
  tzupdate            Update time zone rules.
  settime             Set system time and date as MM/DD/YYYY HH:MM:SS
  alertconfig         Configure mail alert settings and mail alert recipients.
  addressconfig       Set the sender address used for mails generated by the system like bounces and notifications.

Suspending and resuming receiving and/or delivering mails
  workqueue pause     Pause the work queue.
  workqueue resume    Resume the work queue.
  suspendlistener     Suspend receiving mails on one, several or all listeners. Shutdown won't be graceful.
  resumelistener      Resume receiving mails on one, several or all listeners.
  suspenddel          Suspend delivering mails. Shutdown won't be graceful.
  resumedel           Resume delivering mails.
  suspend             Suspend receiving and delivering all mails. Shutdown won't be graceful.
  resume              Resume receiving and delivering all mails.

Licensed under Creative Commons BY NC SA . Latest version of the sheet is available at http://bit.ly/ESAcli. IronPort, AsyncOS, IOS and SenderBase are all registered trademarks of Cisco Systems, Inc.

ESA configuration files
  showconfig          View the XML configuration file as paged output.
  mailconfig          Send the XML configuration file via mail.
  saveconfig          Save the XML configuration file in the /configuration directory.
  loadconfig          Load an XML configuration file from the /configuration directory or paste it directly into the CLI.
  resetconfig         Reset ALL configuration to factory default.

Working with logs
  grep                Search for a regular expression pattern inside a log file. Supports batch mode.
  findevent           Find an event in the logs matching either a message ID, a mail address (From/To) or a subject. Menu driven or batch mode.
  tail                Continuously display new entries from the end of a log file.
  rollovernow         Do a rollover on one certain or simply all log files.
  logconfig           Configure and manage log files and delivery methods (FTP, SCP, Syslog). View public RSA/DSS keys from users.

Managing engines
  updateconfig        Configure update URLs and HTTP/HTTPS proxies to use. This will also affect AsyncOS updates.
  antispamconfig      Configure IronPort Anti-Spam and Intelligent Multi-Scan.
  antispamupdate      Manually request an immediate anti-spam rules update.
  antivirusconfig     Configure and view anti-virus settings and scanners.
  antivirusupdate     Manually request an immediate anti-virus definitions update.
  scanconfig          Configure scanner options like skipped file types, scanning depth (nesting), maximum scan size, scanner timeout.
  outbreakconfig / vofconfig  Enable, disable and configure Outbreak Filters. From AsyncOS 7.5 up the command is called outbreakconfig.
  outbreakupdate / vofupdate  Request an immediate update of CASE rules and engine. From AsyncOS 7.5 up the command is called outbreakupdate.
  outbreakflush / vofflush    Clear the CASE rules cache. From AsyncOS 7.5 up the command is called outbreakflush.
  repengupdate        Manually request an immediate SBRS engine update.
  senderbaseconfig    Configure SenderBase SBNP statistics sharing status.

Message Filter conditions (see the ESA Advanced Guide for more info and examples)
  subject                                           Tests the subject against a RegExp.
  body-size                                         Tests the size of the entire message in bytes.
  mail-from                                         Tests the envelope sender against a RegExp.
  mail-from-group                                   Tests the envelope sender against an LDAP group.
  sendergroup                                       Tests against a HAT sendergroup name.
  rcpt-to                                           Tests envelope recipients against a RegExp.
  rcpt-to-group                                     Tests envelope recipients against an LDAP group.
  remote-ip                                         Tests the client IP for an exact or IP range match.
  recv-int                                          Matches mails received on the named interface.
  recv-listener                                     Matches mails received on the named listener.
  date                                              Tests the current date against a value in US date format: MM/DD/YYYY HH:MM:SS
  header(<string>)                                  Tests the given header against a RegExp.
  random(<integer>)                                 Compares a random integer to the given value.
  rcpt-count                                        Checks the recipient count against a value.
  addr-count()                                      Compares the recipient count from the header (To: and/or Cc:) against a value.
  spf-status                                        Checks the SPF status.
  spf-passed                                        Checks if SPF verification was successful.
  image-verdict                                     Scans attached images for a category match.
  workqueue-count                                   Checks the number of mails in the work queue.
  body-contains(<regexp>)                           Checks mail and attachments for a RegExp.
  only-body-contains(<regexp>)                      Checks the message body for a RegExp.
  encrypted                                         Tests if a message is S/MIME or PGP encrypted.
  attachment-filename                               Tests a file name against a RegExp.
  attachment-type                                   Checks for MIME file type by signature.
  attachment-filetype                               Matches a file type fingerprint (not MIME).
  attachment-mimetype                               Checks MIME file type against the type from the MIME header.
  attachment-protected                              Looks for password protected or encrypted attachments.
  attachment-unprotected                            Looks for unprotected attachments.
  attachment-contains()                             Tests attachments for the given pattern.
  attachment-binary-contains()                      Tests raw binary attachments for a pattern.
  every-attachment-contains()                       Tests every attachment of a message for a given pattern.
  attachment-size                                   Matches attachments by size in B, K or M.
  dnslist(<server>)                                 Looks up the client at server for a match in a DNSBL.
  reputation                                        Compares the sender's SenderBase reputation to a value.
  no-reputation                                     True when the SenderBase reputation is none.
  dictionary-match(<dict>)                          Looks in the body for a RegExp match from the named dictionary <dict>.
  <position>-dictionary-match(<dict>)               Looks in <position> of a message for a RegExp match from the dictionary named <dict>. <position> can be: subject, mail-from, rcpt-to, attachment, body
  header-dictionary-match(<dict>, <header>)         Looks in header <header> for a RegExp match from the dictionary named <dict>.
  smtp-auth-id-matches(<header> [, <sievechar>])    Checks the sender in the envelope and mail header (From: or Sender:) against the sender's SMTP authentication user ID.
  true                                              true is true and therefore matches all mails.
  valid                                             Tests the mail for complete MIME validity.
  signed                                            Tests if the message is S/MIME signed.
  signed-certificate(<field> [<operator> <regexp>]) Checks S/MIME messages for <regexp> matching or not matching (<operator>) the X.509 certificate issuer or signer (<field>).

Message Filter actions (see the ESA Advanced Guide for more info and examples)
  alt-src-host()                                    Deliver the mail from this named interface.
  alt-rcpt-to()                                     Change all recipients of a message.
  alt-mailhost()                                    Deliver the mail via an alternate mail host.
  notify()                                          Notify the specified recipient about a message.
  notify-copy()                                     Notify the specified recipient about a message and include a copy of the original message.
  bcc()                                             Send a copy of this message to a new recipient.
  bcc-scan()                                        Send a copy of this message to a new recipient. Treat the copy like a new mail and scan it again.
  log-entry()                                       Add a log message at INFO level to the mail logs.
  quarantine(<name>)                                Send this mail to the named quarantine.
  archive(<filename>)                               Save a copy of the message in an mbox format file.
  duplicate-quarantine(<name>)                      Send a copy of this mail to the named quarantine.
  strip-header()                                    Look for a header and remove it.
  insert-header()                                   Insert a header and its value into the mail.
  add-footer(<footer>)                              Add the footer named <footer> to the end of the mail.
  bounce-profile()                                  Apply a bounce profile to the mail.
  encrypt-deferred()                                Encrypt the message before final delivery.
  tag-message(<name>)                               Add tag <name> for RSA DLP policy filtering.
  skip-filters()                                    Skip all remaining message filters.
  skip-spamcheck()                                  Skip all anti-spam checks for this mail.
  skip-viruscheck()                                 Skip all anti-virus checks for this mail.
  skip-vofcheck()                                   Skip all Outbreak Filters for this mail.
  drop-attachments-by-name()                        Drop all attachments with a matching filename.
  drop-attachments-by-type()                        Drop all attachments with a matching MIME type.
  drop-attachments-by-filetype()                    Drop all attachments with a matching file type determined by type fingerprint.
  drop-attachments-by-mimetype()                    Drop all attachments with a matching MIME type. Does not match on extension or scan archives.
  drop-attachments-by-size()                        Drop attachments by examining their raw size.
  drop-attachments-where-contains(<regexp>)         Drop attachments whose content matches a regular expression. Also matches files in archives.
  drop-attachments-where-dictionary-match(<dict>)   Drop attachments that match a term in the dictionary <dict>.
  html-convert()                                    Strip all HTML tags from a message.
  edit-header-text()                                Substitute a matched RegExp within a header.
  edit-body-text()                                  Substitute a matched RegExp within the body.
  deliver()                                         Deliver the message. Final action.
  drop()                                            Drop the message. Final action.
  bounce()                                          Bounce the message. Final action.

AsyncOS management
  updateconfig        Configure update URLs and HTTP/HTTPS proxies to use. This will also affect Anti-Spam and Anti-Virus updates.
  upgrade             List all available AsyncOS versions and perform an upgrade. The appliance needs a reboot afterwards. Verbose upgrade information is displayed on the serial console.
  revert              Revert the appliance to a previously used AsyncOS version. Except for network settings ALL configuration and logs will be lost in the process.

Cisco IronPort Support and advanced diagnostics
  supportrequest      Open a support request with Cisco TAC.
  techsupport         Enable or disable a (secured) tunnel for Cisco IronPort Support to access the appliance remotely.
  diagnostic          Check RAID status, flush DNS/ARP/LDAP caches, test remote SMTP servers or check disk quota and usage.

Centralized Management Cluster
  clusterconfig       Create SSH or CCS clusters, add or remove single ESAs to or from a cluster. Create and manage cluster groups. List machines in a cluster and view cluster and connection status.
  clustercheck        Check configuration databases for inconsistencies and resolve them if necessary.

Message Filter example

    drop_huge_presentations:
    if (mail-from-group == "Sales") AND (attachment-filename == "(?i)\\.(ppt|pptx)$") AND (attachment-size >= 10M)
    {
        drop-attachments-by-name("(?i)\\.(ppt|pptx)$", "Large presentation dropped.");
    }

The regexp is a filename pattern, so the matching action is drop-attachments-by-name; drop-attachments-where-contains would test the attachment content instead and never fire on this pattern. Note that attachment-size >= 10M only gates the filter as a whole: once any attachment exceeds 10M, drop-attachments-by-name removes every .ppt/.pptx in the message regardless of its size. Use drop-attachments-by-size if the size itself should decide which attachments are dropped.
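A second example, added here and not part of the original sheet, combines several of the conditions and actions listed above: the first filter strips executables from anyone outside the relay sender group and leaves an audit trail, the second quarantines password-protected attachments from unknown senders. The listener name IncomingMail, the HAT sender group names RELAYLIST and UNKNOWNLIST, the quarantine name Policy and the notification address secops@example.com are assumptions that must match your own configuration. $MID, $EnvelopeFrom and $EnvelopeRecipients are AsyncOS action variables.

```text
strip_executables_from_untrusted:
if (recv-listener == "IncomingMail")
   AND (attachment-filetype == "Executable")
   AND NOT (sendergroup == "RELAYLIST")
{
    drop-attachments-by-filetype("Executable", "Executable attachment removed by policy.");
    insert-header("X-Example-Policy", "executable-stripped");
    log-entry("strip_executables_from_untrusted: MID $MID from $EnvelopeFrom");
    notify("secops@example.com", "Executable stripped from MID $MID");
}

quarantine_protected_attachments:
if (attachment-protected) AND (sendergroup == "UNKNOWNLIST")
{
    log-entry("quarantine_protected_attachments: MID $MID from $EnvelopeFrom to $EnvelopeRecipients");
    quarantine("Policy");
}
```

Enter the filters with filters (new), then commit. Filters run top down; neither of these ends with drop(), bounce() or deliver(), so the message continues through any remaining filters, and the log-entry() lines make the decision visible with grep or findevent on the mail logs later.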
