
Getting Started with Cisco IronPort Email Security Gateway



Email is now a primary means of communication between organizations. As network security administrators, our primary goal is to secure our organization's email communication.

The relentless and unprecedented growth in unwanted email now poses an unexpected security threat to the network. As the amount of resources (disk space, network bandwidth, CPU) devoted to handling unsolicited emails increases from year to year, employees waste more and more time sorting through unsolicited bulk email commonly known as spam.

Before starting with the IronPort Email Security Gateway, it's important to understand the anti-spam terminology and features.

  • Content-based Anti-Spam: The core of the Anti-Spam functionality is the content-based classification engine.
  • IP Reputation Anti-Spam: Using an IP reputation service, most of the incoming spam is blocked at connect time.
  • Block List Anti-Spam: Block specific senders based on IP address or sender's address.
  • Mail Anti-Virus: Scan and filter mail for malware.
  • Zero Hour Malware Protection: Filter mail using rapid response signatures.
  • IPS: Intrusion prevention system for mail protection.


Cisco IronPort Anti-Spam Features :-

Real-Time Threat Intelligence :-

The Cisco Email Security Appliance (ESA) is powered by Cisco Security Intelligence Operations (SIO), our industry-leading threat intelligence organization.

Cisco SIO detects and correlates threats in real time using the largest threat detection network in the world. It monitors 100 TB of daily security intelligence, 1.6 million deployed security devices, 13 billion daily web requests, and 35 percent of worldwide email traffic.

Cisco SIO prevents zero-hour attacks by continually generating new rules that feed updates to the Cisco ESA. These updates occur every three to five minutes to provide industry-leading threat defense hours and even days ahead of competitors.

Advanced Malware Protection :-

ESA now includes Advanced Malware Protection (AMP), a malware defeating solution that takes full advantage of the vast cloud security intelligence network of Sourcefire (now a part of Cisco).

ESA delivers protection across the attack continuum—before, during, and after an attack—with malware detection and blocking, continuous analysis, and retrospective alerting. Users can block more attacks, track suspicious files, mitigate the scope of an outbreak and remediate faster.

Cisco IronPort Anti-Spam Workflow :-


Now it's important for us to know the MX record and web reputation of a particular domain. In my case, I want to use Cisco.com as my example domain.

What is an MX record?
An MX (Mail eXchange) record will redirect email sent to any user’s machine ([email protected], for example) to a designated mailhost. It tells the MDA where to route email.

The MX record uses preference values to specify the routing order–low value = high priority. In the example below, when mail is sent to norbert.dept1.cornell.edu the MDA (see Mail Delivery Agent above) tries to reroute the mail to mailhost.dept1.cornell.edu which has the lowest value, and therefore the highest priority. If that fails, it tries mailhost2.dept1.cornell.edu and finally mailhost3.dept1.cornell.edu.

norbert.dept1.cornell.edu 86400 A
norbert.dept1.cornell.edu 86400 MX 10 mailhost.dept1.cornell.edu
norbert.dept1.cornell.edu 86400 MX 20 mailhost2.dept1.cornell.edu
norbert.dept1.cornell.edu 86400 MX 30 mailhost3.dept1.cornell.edu

Source :- https://dnsdb.cit.cornell.edu/explain_mx.html
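The preference ordering described above, as an added Python example that is not part of the original article. The MX lines are the ones shown above, deliberately listed out of order as constructed input. The function names are hypothetical, and the example goes beyond the text in two places: hosts with equal preference are shuffled, and a domain with no MX records falls back to its own address record, both per RFC 5321.

```python
import random

# Constructed input: the MX lines from the example above, listed out of order.
ZONE = """\
norbert.dept1.cornell.edu 86400 MX 20 mailhost2.dept1.cornell.edu
norbert.dept1.cornell.edu 86400 MX 10 mailhost.dept1.cornell.edu
norbert.dept1.cornell.edu 86400 MX 30 mailhost3.dept1.cornell.edu
"""

def parse_mx(zone_text, domain):
    """Return [(preference, host)] for `domain` from 'name ttl MX pref host' lines."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2].upper() != "MX":
            continue  # skip A records, blank lines and malformed lines
        name, _ttl, _type, pref, host = fields
        if name.rstrip(".").lower() != domain.rstrip(".").lower():
            continue
        if not pref.isdigit() or not 0 <= int(pref) <= 65535:
            continue  # preference is an unsigned 16-bit integer
        records.append((int(pref), host.rstrip(".").lower()))
    return records

def delivery_order(records, domain, rng=random):
    """Hosts to try, lowest preference value first; ties are shuffled."""
    if not records:
        return [domain]  # no MX: fall back to the domain's own address record
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(by_pref):
        hosts = by_pref[pref]
        rng.shuffle(hosts)  # spread load across equally preferred hosts
        order.extend(hosts)
    return order

def deliver(order, reachable):
    """Return the first host in `order` that is in `reachable`, else None."""
    for host in order:
        if host in reachable:
            return host
    return None
```
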

Cisco MX Record Info :-

To find the MX record of Cisco.com, open http://mxtoolbox.com/, enter the domain name and click on the MX Lookup tab.


It will show you the hostname of the domain, its IP address and DNS provider information. As you can see below, the cisco.com domain is hosted on ns1.cisco.com on 9/14/2014 at 10:21:10 AM (UTC -5).


Here we have the option to run a Blacklist test and an SMTP test.

Click on the Blacklist check to find the blacklist information for a particular hostname. Here you also have the option to monitor your hostname for blacklisting.


To find the SMTP information of a particular hostname, click on the SMTP test.


SenderBase – The world’s largest Email and Web traffic monitoring network.

Open http://www.senderbase.org/ and enter a domain name, IP address or hostname to find information about its email reputation.


It will show you the email reputation, web reputation, email volume, network owner and location details.


Inbound Email flow of Organizations :-

You can easily understand the inbound email flow of organizations from the image below. 🙂



If you don't have an IronPort device, there is nothing to worry about. You can practice at http://www.ironportstore.com/demo/ .



On the IronPort Dashboard, you are able to view the System Overview, Incoming Mail graph, Incoming Mail summary, Outgoing Mail graph and Outgoing Mail summary.

Counting Messages in Email Security Monitor :-

The method Email Security Monitor uses to count incoming mail depends on the number of recipients per message. For example, an incoming message from example.com sent to three recipients would count as three messages coming from that sender.

Because messages blocked by reputation filtering do not actually enter the work queue, the appliance does not have access to the list of recipients for an incoming message.

Using the Internal Users report, you can answer these kinds of questions:-

  • Who is sending the most external email?
  • Who receives the most clean email?
  • Who receives the most spam?
  • Who is triggering which content filters?
  • Whose email is getting caught by content filters?

Searching for a Specific Internal User :-

You can search for a specific internal user (email address) via the search form at the bottom of the Internal Users page and the Internal User detail page. Choose whether to exactly match the search text or look for items starting with the entered text (for instance, starts with “ex” will match “example.com”).


The Outbreak Filters Page :-

The Outbreak Filters page shows the current status and configuration of Outbreak Filters on your Cisco IronPort appliance as well as information about recent outbreaks and messages quarantined due to Outbreak Filters. You can use this page to monitor your defense against targeted virus, scam, and phishing attacks.

The Threats By Type section shows the different types of threat messages received by the appliance. The Threat Summary section shows a breakdown of the messages by Virus, Phish, and Scam.


Using the Outbreak Filters page, you can answer questions like:-

  • How many messages are being quarantined and what type of threats were they?
  • How much lead time has the Outbreak Filter feature been providing for virus outbreaks?
  • How do my local virus outbreaks compare to the global outbreaks?


Virus Types Page :-

The Virus Types page provides an overview of the viruses entering and being sent from your network.

The Virus Types page displays the viruses that have been detected by the virus scanning engines running on your Cisco IronPort appliance.


In my future articles, I will write about:

  • How to release quarantined email from the IronPort?
  • How to add a particular domain to the whitelist?
  • How to view the email work queue and top hosts in the IronPort?

Hope you like my post, Getting Started with Cisco IronPort Email Security Gateway. Please share it with others.

