300-720 Securing Email with Cisco Email Security Appliance (300-720 SESA) Questions and Answers

The correct order of commands to set filter 2 to active on the CLI of Cisco ESA is:

filters, which enters the message filter mode.

set, which sets the status of one or more message filters.

2, which specifies the message filter number.

1, which sets the status of message filter 2 to active.

The other options are not valid orders of commands to set filter 2 to active on the CLI of Cisco ESA, because they use incorrect commands or parameters.

Spam threshold is a setting that determines the minimum score that a message must have to be classified as spam by Cisco ESA. The lower the threshold, the more aggressive the spam detection is.

The content filter condition that checks to see if the “From: header” in the message is similar to any of the users in the content dictionary is Forged Email Detection. This condition compares the sender’s name or email address with a list of names or email addresses in a content dictionary and triggers an action if they match or are similar.  References : [Cisco Secure Email Gateway Administrator Guide - Forged Email Detection]

The feature that must be configured before an administrator can use the outbreak filter for nonviral threats is antispam. The outbreak filter relies on the antispam engine to detect and block nonviral threats, such as phishing, malware, or spam campaigns. You need to enable antispam scanning and configure the antispam settings before you can use the outbreak filter.

If the assigned certificate under one of the IP interfaces is modified, then the HTTPS traffic when connecting to the web user interface of the Cisco Secure Email Gateway will be impacted. The administrator must ensure that the certificate is valid and trusted by the browser or client that is used to access the web user interface. Otherwise , the connection may fail or generate a warning message.  References : [Cisco Secure Email Gateway Administrator Guide - Configuring Certificates]

To combat backscatter, which is a type of spam that consists of bounce messages sent to forged sender addresses, the administrator must enable the Bounce Verification feature under Security Settings. This feature allows the appliance to verify whether a bounce message is legitimate or not by checking if the original message was sent from the appliance. If not, the bounce message is considered as backscatter and can be dropped or quarantined.  References : [Cisco Secure Email Gateway Administrator Guide - Configuring Bounce Verification]

The purpose of checking the Certificate Revocation List (CRL) during SMTP authentication on a Cisco Secure Email Gateway is to check if the certificate is not revoked by the issuing Certificate Authority (CA). A revoked certificate means that it is no longer valid and should not be trusted. References = [User Guide for AsyncOS 12.0 for Cisco Email Security Appliances - GD (General Deployment) - Configuring SMTP Authentication [Cisco Secure Email Gateway] - Cisco]

 in the spam quarantine section, you can configure settings for access to the spam quarantine, and by default, HTTP uses port 82 and HTTPS uses port 83.

According to the User Guide 1 , the steps to configure End-User Access to the Spam Quarantine via LDAP are as follows:

On the ESA, choose System Administration > LDAP > LDAP Server Profile page.

Click Add LDAP Server Profile.

Enter a name for the profile and click Submit.

Click Add Query.

Enter a name for the query and click Submit.

Configure the query settings, such as server address, port number, base DN, scope, filter, and attributes.

Check the Spam Quarantine End-User Authentication Query check box. This is the suboption that enables LDAP authentication for end users who access the spam quarantine.

Check the Designate as the active query check box. This is the suboption that specifies which query to use for end-user authentication. Only one query can be active at a time.

Click Submit and commit changes.

On the ESA, choose Monitor > Spam Quarantine > End-User Quarantine Access.

Check the Enable End-User Quarantine Access check box.

Choose LDAP from the End-User Authentication drop-down list.

Select the LDAP profile and query that you created earlier from the drop-down lists.

Click Submit and commit changes.

A policy quarantine is a type of quarantine that allows Cisco ESA to store messages that match certain criteria, such as virus, spam, or DLP verdicts, for further review or release by an administrator or an end user.

A scenario that prevents a message from being sent to the quarantine as an action in the scan behavior on Cisco ESA is when a policy quarantine is missing, which means that no policy quarantine has been created or enabled on Cisco ESA.

The other options do not prevent a message from being sent to the quarantine as an action in the scan behavior on Cisco ESA.

The envelope sender and the envelope recipeint have a higher priority over the sender header when you match a message to a mail policy. If you configure a mail policy to match a specific user, the messages are automatically classified into the mail policy based on the envelo pe sender and the envelope recipient. https://www.cisco.com/c/en/us/td/docs/security/esa/esa11- 1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_01001.html

If the McAfee antivirus scanning is enabled on the Cisco Secure Email Gateway and the virus scanning action is set to “scan for viruses only”, then no repair is attempted, and the attachment is either dropped or delivered based on the antiv irus policy settings. The administrator can choose to drop or deliver the infected attachment by selecting the appropriate action in the antivirus policy.  References : [Cisco Secure Email Gateway Administrator Guide - Configuring McAfee Antivirus Scanning]

Load balancing and failover are two configurations that can be used on multiple LDAP servers to connect with Cisco ESA. Load balancing means that Cisco ESA will distribute the LDAP queries among the available LDAP servers in a round-robin fashion, improving the performance and efficiency of the LDAP queries. Failover means that Cisco ESA will switch to another LDAP server if the current one is unavailable or unresponsive, ensuring the continuity and reliability of the LDAP queries.

To encrypt SMTP with TLS on a Cisco Secure Email Gateway appliance when the sender requires TLS verification, the components that are required are an X.509 certificate and matching private key from a CA. The certificate must be signed by a trusted CA and contain the domain name or IP address of the listener in the Subject or Subject Alternative Name fields. The private key must be unencrypted and match the certificate.  References : [Cisco Secure Email Gatew ay Administrator Guide - Configuring TLS]

Message-filter order and MIME structure of the message are two factors that must be considered when message filter processing is configured on Cisco ESA. Message-filter order determines the sequence in which message filters are evaluated and applied to incoming messages, which can affect the final outcome of the filtering process. MIME structure of the message determines how message filters match against different parts of the message, such as headers, body, attachments, etc., which can affect the accuracy and performance of the filtering process.

The SPF record for mycompany.com is shown in the exhibit as:

v=spf1 a mx ip4:199.209.31.21 -all

This means that the domain mycompany.com authorizes the following sources to send email on its behalf:

The A record of mycompany.com, which resolves to 199.209.31.21

The MX record of mycompany.com, which points to mail.mycompany.com, which also resolves to 199.209.31.21

The IP address 199.209.31.21

The -all qualifier means that any other source is not authorized and should be rejected.

Therefore, the correct answer is C.

The recursion depth is the number of levels that the Cisco Secure Email Gateway will scan inside an archive file for executables and other file types. If the recursion depth is too low, some executables may not be detected and scanned by the content filter.  To allow the appliance to scan for executables inside the archive file and apply the action as per the content filter, you need to configure the recursion depth to a higher value 1 . References =  User Guide for AsyncOS 12.0 for Cisco Email Security Appliances - GD (General Deployment) - Configuring File Reputation Filtering and File Analysis [Ci sco Secure Email Gateway] - Cisco

Disabling the Local Spam Quarantine to Activate the External Quarantine If you were using a local spam quarantine before enabling an external spam quarantine, you must disable the local quarantine in order to send messages to the external quarantine. https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_0101010.html?bookSearch=true#con_1172419

Non-final actions are actions that do not terminate the message filter evaluation, such as adding headers, setting variables, logging, etc. Final actions are actions that end the message filter evaluation and determine the fate of the message, such as accept, drop, bounce, quarantine, etc.

Secure unsubscribe option for end users. Mimicking an unsubscribe option is a popular phishing technique. For this reason, the end users are generally wary of cl icking unknown unsubscribe links. For such scenarios, the cloud-based Unsubscribe Service extracts the original unsubscribe URI, checks the reputation of the URI, and then performs the unsubscribe process on behalf of the end user. This protects end users from malicious threats masquerading as unsubscribe links. https://www.cisco.com/c/en/us/td /docs/security/esa/esa14-2-1/User_Guide/b_ESA_Admin_Guide_14-2-1/b_ESA_Admin_Guide_12_1_chapter_01110.html#id_101033

To enable LDAP recipient verification on a Cisco Secure Email Gateway appliance, you need to configure the LDAP query on a listener and configure LDAP server profiles. The LDAP query specifies the criteria for matching recipient addresses against an LDAP directory.  The LDAP server profile defines the connection settings and authentication credentials for accessing an L DAP server 2 . References =  User Guide for AsyncOS 12.0 for Cisco Email Sec urity Appliances - GD (General Deployment) - Configuring LDAP Queries [Cisco Secure Email Gateway] - Cisco

The maximum message size that can be configured for encryption on the Cisco ESA is 25 MB. This is the default value for the Maximum Message Size for Encryption setting in the Encryption Profile. Messages that exceed this size will not be encrypted and will be delivered as normal.

If you store user information within LDAP directories in your network infrastructure you can configure the appliance to query your LDAP servers to accept, route, and authenticate messa ges. https://www.cisco.com/c/en/us/td/docs/security/esa/esa11- 0/user_guide_fs/b_ESA_Admin_Guide_11_0/b_ESA_Admin_Guide_chapter_011010.html

According to the [Cisco Secure Email User Guide] , graymail is a category of email messages that are not spam but may be unwanted by some recipients, such as newsletters, promotions, or social media updates[ 5 , p. 25]. Marketin g is one of the subcategories of graymail that includes messages that advertise products or services[ 5 , p. 26].

The other options are not valid because:

A. Malicious is not a category for classifying graymail. It is a category for classifying email message s that contain malicious content such as malware, phishing, or fraud[ 5 , p. 25].

C. Spam is not a category for classifying graymail. It is a category for classifying email messages that are unsolicited, unwanted, or harmful[ 5 , p. 25].

D. Priority is not a category for classifying graymail. It is a category for classifying email messages that are important, urgent, or relevant[ 5 , p. 25].

A filter is a method that enables an engineer to deliver a flagged message to a specific virtual gateway address in the most flexible way. A filter is a rule that allows Cisco ESA to perform actions on messages based on predefined or custom conditions, such as headers, envelope, body, attachments, etc.

To deliver a flagged message to a specific virtual gateway address using a filter, the engineer can create a content filter or message filter that matches the flag condition and applies an action of “deliver via alternate host” with the virtual gateway address as the parameter.

The other options are not methods that enable an engineer to deliver a flagged message to a specific virtual gateway address in the most flexible way, because they have more limitations or requirements than using a filter.

To allow the Cisco ESA to encrypt an email using the CRES (Cisco Registered Envelope Service), a provisioned email encryption profile must be configured on Cisco ESA. A provisioned email encryption profile is a type of encryption profile that specifies how messages are encrypted using CRES, such as the encryption key strength, the notification options, the branding settings, etc.

According to the [Cisco Secure Email User Guide], Non-Viral threat detection is a feature of Outbreak Filters that detects a nd blocks email messages that contain non-viral threats such as phishing, fraud, or social engineering[ 1 , p. 25]. To use this feature, you need to enable either AntiSpam or Intelligent Multi-Scan on your Cisco Secure Email Gateway, as these features provid e the necessary scanning and filtering capabilities for Non-Viral threat detection[ 1 , p. 26].

The other options are not valid because:

A. Non-Viral threat detection does not require Antivirus or AMP enablement to properly function. Antivirus and AMP are features that detect and block email messages that contain viral threats such as malware or ransomware[ 1 , p. 27-28].

B. The Outbreak Filters option Graymail Header does not affect Non-Viral threat detection. Graymail Header is an option that allows you to add a header to email messages that are classified as graymail, which are messages that are not spam but may be unwanted by some recipients, such as newsletters or promotions[ 1 , p. 25].

D. The Outbreak Filters option URL Rewriting does not affect Non-Viral threat detection. URL Rewriting is an option that allows you to rewrite the URLs in email messages to point to a Cisco proxy server, which can scan the URLs for malicious content and redirect the users to a warning page if needed[ 1 , p. 25].

According to the  User Guide for Cisco Secure Email Encryption Service Add-In 1 , the ‘Use-Script’ option allows you to use JavaScript in the encrypted message envelope. This option is enabled by default, but you can disable it if you want to send encrypted messages to recipients who have security policies that block JavaScript attachments[ 2 , p. 14].

The other options are not valid because:

A.  Inserting the X-PostX-Use-Script header with a value of false to the encrypted messages is not a supported feature of the Cisco Secure Email Encryption Service Add-in 1 .

B. Selecting JavaScript-free option within the Cisco Secure Email Encryption Service Add-in is not a valid option.  The add-in does not have such an option 1 .

C. Creating an outgoing conte nt filter and adding the Encrypt and Deliver Nov/ action with Use-Script option deselected is not possible. The Encrypt and Deliver Nov/ action does not have a Use-Script option[ 2 , p. 13].

To use DKIM for outbound email, the administrator must export the DNS TXT record from the Cisco Secure Email Gateway and provide it to the DNS registrar of the domain. This will allow the recipient servers to verify the DKIM signature of the email by querying the DNS rec ord of the sender domain.  References : [Cisco Secure Email Gateway Administrator Guide - Configuring DKIM Signing]

one of the methods to enable Cisco SecureX integration on a Cisco Secure Email Gateway appliance is to use the Threat Response service 1 .  This s ervice allows the appliance to send telemetry data to the SecureX cloud and provide visibility and response capabilities across multiple security products 1 .  To use this service, the administrator needs to perform the following steps 1 :

Enable the Threat Respons e service: The administrator needs to go to Network > Cloud Service Settings and enable the Threat Response service.  This will generate a registration token that can be use d to register the appliance with SecureX 1 .

Select the correct Threat Response Server: The administrator needs to select the appropriate Threat Response server based on the region where the appliance is located.  The availa ble regions are North America, Europe, and Asia Pacific 1 .

SPF verification is a feature that allows Cisco ESA to verify the authenticity of the sender’s domain by checking the sender’s IP address against a DNS record published by the domain owner. An SPF record is a TXT record that specifies the authorized IP addresses or hosts for sending emails from a domain, using a syntax of qualifiers, mechanisms, and modifiers.

The reason why the verification is not working properly is that SPF verification is disabled on the mail flow policy that applies to the messages sent from domain abc.com. A mail flow policy is a set of rules that determine how incoming or outgoing messages are processed by Cisco ESA, including whether to enable SPF verification or not.

To enable SPF verification on the mail flow policy, the administrator can follow these steps:

Select Mail Policies > Mail Flow Policies and click Edit Settings for the mail flow policy that applies to the messages sent from domain abc.com.

Under Sender Authentication, select Enable SPF Verification and choose an SPF conformance level from the drop-down menu.

Click Submit.

The other options are not valid reasons why the verification is not working properly, because they do not affect SPF verification on the mail flow policy.

Public/Private keypair. A public/private keypair is a pair of cryptographic keys that are used to generate and verify digital signatures. The private key is used to sign the email message, while the public key is used to verify the signature. The public ke y is published in a DNS record, while the private key is stored on the Cisco Secure Email Gateway appliance[ 1 , p. 2].

Domain signing profile. A domain signing profile is a configuration that specifies the domain and selector to use for signing outgoing mes sages, as well as the signing algorithm, canonicalization method, and header fields to include in the signature. You can create multiple domain signing profiles for different domains or subdomains[ 1 , p. 3].

The other options are not valid because:

A. DMARC verification profile is not a component for utilizing a digital signature in outgoing emails. It is a component for verifying the authenticity of incoming emails based on SPF and DKIM results[ 2 , p. 1].

B. SPF record is not a component for utilizing a digi tal signature in outgoing emails. It is a component for validating the sender IP address of incoming emails based on a list of authorized IP addresses published in a DNS record[ 3 , p. 1].

E. PKI certificate is not a component for utilizing a digital signatu re in outgoing emails. It is a component for encrypting and decrypting email messages based on a certificate authority that issues and validates certificates[ 4 , p. 1].

To use the centralized spam quarantine on the Cisco Secure Email and Web Manager appliance, the administrator must disable the local spam quarantine on the Cisco Secure Email Gateway appliances. This w ill prevent messages from being stored in both quarantines and avoid confusion for end users and administrators.  References : [Cisco Secure Email and Web Manager User Guide - Configuring Centralized Spam Quarantine]

Web reputation score is a feature that allows Cisco ESA to evaluate the reputation of URLs in messages based on real-time data from Talos intelligence and apply appropriate actions, such as block, quarantine, or deliver.

To ensure that Cisco ESA evaluates the web reputation score before permitting this email, the administrator should use two criteria to create a content filter or message filter that matches this email and applies an action of “check web reputation”:

Sender matches test1.com, which means that the sender’s domain name is test1.com.

Email body contains a URL, which means that the message body has one or more URLs in it.

The other options are not valid criteria to ensure that Cisco ESA evaluates the web reputation score before permitting this email, because they do not match this email or they are not relevant to web reputation score.

Message filters can only be applied to the ESA via command line. So, you will need command line access to the ESA.

Log into the ESA via command line.

Run the following highlighted commands to apply the message filter to the ESA:

ironport.example.com > filters

Choose the operation you want to perform:

- NEW - Create a new filter.

- IMPORT - Import a filter script from a file.

[] > NEW

Enter filter script. Enter ' . ' on its own line to end.

large_spam_no_attachment:

if ((body-size > 2097152) AND NOT (attachment-size > 0)) {

quarantine( " large_spam " );

log-entry( " *****This is a large message with no attachments***** " );

}

1 filters added.

The maximum attachment size to scan is a configuration on the scan behavior that determines the maximum size of an attachment that Cisco ESA will scan for viruses and malware. If an attachment exceeds this size, Cisco ESA will apply the configured action for unscannable messages, such as deliver, drop, or quarantine.

To allow the attachment to be scanned on the Cisco ESA, this configuration must be updated to a larger value than the attachment size, which is 10 MB according to the message header.

The other options are not valid configurations to allow the attachment to be scanned on the Cisco ESA, because they do not affect the maximum attachment size to scan.

Forged Email Detection is a feature that allows Cisco ESA to detect and block messages that spoof the display names of internal senders in the From header, such as executives or managers, to trick recipients into opening malicious or fraudulent emails. To configure this feature, two steps are required:

Configure a content dictionary with friendly names of internal senders that should not appear in the From header of external messages, such as Alpha Beta or John Smith.

Configure a filter to use the Forged Email Detection rule and dictionary, which will compare the display name in the From header of incoming messages with the entries in the content dictionary, and apply the configured action if a match is found.

The appliance enforces your organization’s policies for messages sent to and from your users through the use of mail policies. These are sets of rules that specify the types of suspect, sensitive, or malicious content that your organization may not want entering or leaving your network. This content may include:

-spam

-legitimate marketing messages

-graymail

-viruses

-phishing and other targeted mail attacks

-confidential corporate data

-personally identifiable information

https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_01001.html?bookSearch=true