300-720 Securing Email with Cisco Email Security Appliance (300-720 SESA) Question and Answers

SenderBase Reputation Filtering is a feature that allows Cisco ESA to reject or throttle connections from email servers based on their reputation score, which is calculated by Talos using sensor information from various sources.

SPF verification is a feature that allows Cisco ESA to verify the authenticity of the sender’s domain by checking the sender’s IP address against a DNS record published by the domain owner. An SPF record is a TXT record that specifies the authorized IP addresses or hosts for sending emails from a domain, using a syntax of qualifiers, mechanisms, and modifiers.

The reason why the verification is not working properly is that SPF verification is disabled on the mail flow policy that applies to the messages sent from domain abc.com. A mail flow policy is a set of rules that determine how incoming or outgoing messages are processed by Cisco ESA, including whether to enable SPF verification or not.

To enable SPF verification on the mail flow policy, the administrator can follow these steps:

Select Mail Policies > Mail Flow Policies and click Edit Settings for the mail flow policy that applies to the messages sent from domain abc.com.

Under Sender Authentication, select Enable SPF Verification and choose an SPF conformance level from the drop-down menu.

Click Submit.

The other options are not valid reasons why the verification is not working properly, because they do not affect SPF verification on the mail flow policy.

 The reason why the CEO did not receive an important message expected from a trusted sender after adding them to a safelist is beca use end-user safelists apply to antispam engines only. End-user safelists are lists of sender addresses or domains that end users can create and manage through their quarantine accounts or email clients. End-user safelists allow end users to accept or exem pt messages from certain senders or domains from being identified as spam by the antispam engines. However, end-user safelists do not affect other filtering engines such as antivirus, outbreak filters, or content filters. References =  User Guide for AsyncOS 12.0 for Cisco Email Security Appliances - GD (General Deployment) - Safelists and Blocklists [Cisco Secure Email Gateway] - Cisco

You can configure Policy, Virus, and Outbreak Quarantines in any one of the following ways:

Choose Quarantine > Other Quarantine > View > +.

Choose Monitor > Policy, Virus, and Outbreak Quarantines and do one of the following.

Click Add Policy Quarantine.

Keep the following in mind, changing the retention time of the File Analysis quarantine from the default of one hour is not recommended.

https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guid e_14-0/b_ESA_Admin_Guide_12_1_chapter_011111.html?bookSearch=true

spf-status is the section of the filter that must be modified to correct this behavior. spf-status is a condition that determines whether a message matches the content filter rule based on the result of SPF verification, such as pass, fail, neutral, etc.

The content filter in the exhibit has a spf-status condition set to “Pass”, which means that it will match messages that passed SPF verification and apply the action of “Quarantine”. This is the opposite of what the network engineer intended to do.

To correct this behavior, the network engineer can modify the spf-status condition to “Fail”, which means that it will match messages that failed SPF verification and apply the action of “Quarantine”.

The other options are not valid sections of the filter that must be modified to correct this behavior, because they do not affect the spf-status condition.

To use the centralized spam quarantine on the Cisco Secure Email and Web Manager appliance, the administrator must disable the local spam quarantine on the Cisco Secure Email Gateway appliances. This w ill prevent messages from being stored in both quarantines and avoid confusion for end users and administrators.  References : [Cisco Secure Email and Web Manager User Guide - Configuring Centralized Spam Quarantine]

DLP (Data Loss Prevention) is a security service that is configured only through an outgoing mail policy on Cisco ESA. DLP allows Cisco ESA to scan outgoing messages for sensitive or confidential data, such as credit card numbers, social security numbers, health records, etc., and apply appropriate actions, such as encrypt, quarantine, notify, etc., to prevent data leakage or loss.

A policy quarantine is a type of quarantine that allows Cisco ESA to store messages that match certain criteria, such as virus, spam, or DLP verdicts, for further review or release by an administrator or an end user.

A scenario that prevents a message from being sent to the quarantine as an action in the scan behavior on Cisco ESA is when a policy quarantine is missing, which means that no policy quarantine has been created or enabled on Cisco ESA.

The other options do not prevent a message from being sent to the quarantine as an action in the scan behavior on Cisco ESA.

The envelope sender and the envelope recipeint have a higher priority over the sender header when you match a message to a mail policy. If you configure a mail policy to match a specific user, the messages are automatically classified into the mail policy based on the envelo pe sender and the envelope recipient. https://www.cisco.com/c/en/us/td/docs/security/esa/esa11- 1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_01001.html

According to the  Cisco Secure Email Threat Defense User Guide , the No Authentication option is only available if you are using a Cisco Secure Email Gateway (SEG) as your message source.  This option allows visibility only, no remediation 1 .

The other options are not valid because:

A. Basic Authentication is not a visibility and remediation mode for Cisco Secure Email Threat Defense.  It is a method of authenticating users with a username and password 2 .

C. Microsoft 365 Authen tication is a visibility and remediation mode that allows you to use Microsoft 365 credentials to access Cisco Secure Email Threat Defense. It has two sub-options: Read/Write and Read.  This mode is available for both Microsoft 365 and Gateway message sources 1 .

D. Cisco Security Cloud Sign On is not a visibility and remediation mode for Cisco Secure Email Threat Defense.  It is a service that manages user authentication for Cisco security products, including Cisco Secure Email Threat Defense 3 .

Outbreak filters and antivirus are two features that can be applied to either incoming or outgoing mail policies on Cisco ESA. Outbreak filters allow Cisco ESA to detect and block messages that contain new or emerging email threats, such as viruses, worms, phishing, or spam, by using real-time updates from Talos intelligence. Antivirus allows Cisco ESA to scan messages for known viruses and malware using one or two antivirus engines (Sophos and McAfee).

With DomainKeys or DKIM email authentication, the sender signs the email using public key cryptography. Configuring DomainKeys and DKIM Signing A signing key i s the private key stored on the appliance. https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_010101.html?bookSearch=true

Content filters are rules that allow Cisco ESA to perform actions on messages based on predefined or custom conditions, such as headers, envelope, body, attachments, etc.

The two primary components of content filters are:

Conditions, which are the criteria that determine whether a message matches a content filter rule or not, such as message size, sender address, attachment type, etc.

Actions, which are the operations that Cisco ESA performs on a message if it matches the conditions of a content filter rule, such as deliver, drop, quarantine, encrypt, etc.

The other options are not primary components of content filters on Cisco ESA.

SMTP AUTH is a valid fallback action when a client certificate is unavailable during SMTP authentication on Cisco ESA. SMTP AUTH is a method of authenticating SMTP clients using username and password credentials, which can be verified by an LDAP server or a local database on Cisco ESA.

To perform DLP scanning on Cisco ESA, two components must be configured:

Add a DLP policy to the DLP Policy Manager, which is a repository of predefined or custom DLP policies that specify what types of data to scan for and what actions to take if a match is found.

Enable a DLP policy on the Outgoing Mail Policy, which is a set of rules that determine how outgoing messages are processed by Cisco ESA, including whether to apply DLP scanning or not.

The SPF record for mycompany.com is shown in the exhibit as:

v=spf1 a mx ip4:199.209.31.21 -all

This means that the domain mycompany.com authorizes the following sources to send email on its behalf:

The A record of mycompany.com, which resolves to 199.209.31.21

The MX record of mycompany.com, which points to mail.mycompany.com, which also resolves to 199.209.31.21

The IP address 199.209.31.21

The -all qualifier means that any other source is not authorized and should be rejected.

Therefore, the correct answer is C.

Message splintering is a process that occurs when configuring separate incoming mail policies on Cisco ESA. Message splintering means that Cisco ESA will split a single incoming message into multiple copies, each with a different recipient and policy, and apply different security services and actions to each copy.

Enabling End-User Quarantine Access and pointing to an LDAP server for authentication is the action that must be taken to meet this requirement. End-User Quarantine Access is a feature that allows users to access their personal quarantine on Cisco ESA using their email address and password, without requiring an administrator account or access to Secure Email and Web Manager.

To enable End-User Quarantine Access on Cisco ESA, the administrator can follow these steps:

Select Security Services > IronPort Anti-Spam > End User Safelist/Blocklist Settings and click Edit Settings.

Under End User Quarantine Access, select Enable End User Quarantine Access.

Under Authentication Server, select LDAP Server from the drop-down menu and choose an LDAP server profile from the drop-down menu.

Click Submit.

By modifying the mail policies, specifically the recipient matching criteria, you can ensure that email recipients do not match multiple policies simultaneously. When recipients in the email message belong to different domains (e.g., cisco.com and test.com), it can result in multiple policies being triggered simultaneously, leading to inconsistent delivery of emails with attachments.

DLP is for outgoing mail only and not relevant to incoming mail.

Relay is the connection behavior that must be selected to properly process the messages. Relay allows Cisco ESA to accept messages from the specified source and deliver them to the intended destination, without applying any content or reputation filters.

To configure a mail flow policy with relay connection behavior on Cisco ESA, the administrator can follow these steps:

Select Mail Policies > Mail Flow Policies and click Add Policy.

Enter a name and description for the mail flow policy, such as Exchange Outbound.

Under Connection Behavior, select Relay.

Click Submit.

The other options are not valid connection behaviors to properly process the messages, because they either reject, delay, or accept the messages with content or reputation filters applied.

Serial connection is a method that should be used to determine the configuration issue when there is a loss of connectivity to the neighboring switch. Serial connection allows the engineer to access the Cisco ESA console port using a serial cable and a terminal emulator, such as PuTTY or HyperTerminal, without relying on the network connectivity.

The other options are not valid methods to determine the configuration issue when there is a loss of connectivity to the neighboring switch, because they require network connectivity to work.

Outgoing Mail Policy is a mail policy that should be created to accomplish this task. Outgoing Mail Policy is a set of rules that determine how outgoing messages are processed by Cisco ESA, including whether to apply DLP scanning or not.

To create an Outgoing Mail Policy named ‘Sales’ and assign a DLP policy to it, the administrator can follow these steps:

Select Mail Policies > Outgoing Mail Policies and click Add Policy.

Enter ‘Sales’ as the policy name and click Submit.

Select ‘Sales’ from the list of policies and click Edit Settings.

Under Data Loss Prevention, select Enable Data Loss Prevention Scanning and choose the DLP policy from the drop-down menu.

Click Submit.

The other options are not valid mail policies to accomplish this task, because they do not apply to outgoing messages or DLP scanning.

Spam threshold is a setting that determines the minimum score that a message must have to be classified as spam by Cisco ESA. The lower the threshold, the more aggressive the spam detection is.

The safelist is a list of email addresses or domains that are considered legitimate and trustworthy by Cisco ESA. When an email is received from a sender on the safelist, Cisco ESA skips antispam scanning for that message and delivers it to the recipient without any spam filtering.

According to the [Cisco Secure Email User Guide], you can create a text resource of type Dis claimer Template and use the code view option to insert HTML code into the text box. Then, you can use this text resource in a content filter to prepend or append the HTML message to the email body[ 1 , p. 15-16].

The other options are not valid because:

A. Creating a text resource type of Disclaimer Template and pasting the HTML code into the text box without changing to code view will not work, as the HTML code will be treated as plain text and not rendered properly[ 1 , p. 15].

C. Creating a text resource ty pe of Notification Template and pasting the HTML code into the text box will not work, as Notification Templates are used for sending notifications to senders or recipients, not for modifying the email body[ 1 , p. 17].

D. Creating a text resource type of No tification Template and changing to code view to paste the HTML code into the text box will not work, as Notification Templates are used for sending notifications to senders or recipients, not for modifying the email body[ 1 , p. 17].

 in the spam quarantine section, you can configure settings for access to the spam quarantine, and by default, HTTP uses port 82 and HTTPS uses port 83.

A benefit of implementing URL filtering on the ESA is that it provides URL reputation protection. URL filtering uses SenderBase, a web-based service that collects information about URLs and domains from various sources, to assign a reputation score and a cate gory to each URL. Based on these attributes, you can configure content or message filters to take actions on messages containing malicious or undesirable URLs.

The type of attack that is prevented by configuring file reputation filtering and file analysis features is zero-day. Zero-day attacks are those that exploit unknown vulnerabilities in software or systems before they are patched or fixed. File reputation filtering and file analysis features help to protect against zero-day attacks by checking the reputation of files attached to email messages and sending them to a cloud-based service for dynamic analysis.

Message-filter order and MIME structure of the message are two factors that must be considered when message filter processing is configured on Cisco ESA. Message-filter order determines the sequence in which message filters are evaluated and applied to incoming messages, which can affect the final outcome of the filtering process. MIME structure of the message determines how message filters match against different parts of the message, such as headers, body, attachments, etc., which can affect the accuracy and performance of the filtering process.

Spam Quarantine End-User Authentication Query is a query that Cisco ESA performs against an LDAP server to validate the end-user credentials during login to the End-User Quarantine.

System: This is the default list of trusted certificate authorities that is provided by Cisco and updated automatically. It contains the certificates of well-known and widely used certificate authorities, such as VeriSign, Thawte, and GoDaddy.

Custom: This is the list of additional certificate authorities that you can add manually or import from a file. It allows you to trust certificates that are issued by your own or third-party certificate authorities that are not included in the system list.

When CRES (Cisco Registered Envelope Service) is unavailable, Cisco ESA will requeue the message and attempt to resend it later, until the maximum number of retries or the maximum age of the message is reached. The message will not be sent in clear text, dropped, or encrypted by another appliance.

A TXT record is a type of DNS record that contains arbitrary text data that can be used for various purposes such as verification, configuration, or authentication. A TXT record can contain the DKIM public key per RFC 6376, which is used to verify the digital signature of an email message generated by the DKIM private key of the sender domain.

The other options are not valid because:

A. A CNAME record is a type of DNS record that maps an alias name to a canonical name or another alias name. It does not contain any DKIM public key information.

B. An AAAA record is a type of DNS record that maps a hostname to an IPv6 address. It does not contain any DKIM public key information.

D. A PTR record is a type of DNS record that maps an IP address to a hostname, which is the reverse of an A or AAAA record. It does not contain any DKIM public key information.

Virtual gateways are a feature that allows Cisco ESA to host multiple email domains on a single physical interface, using different IP addresses and hostnames for each domain.

When virtual gateways are configured, two distinct attributes are allocated to each virtual gateway address:

Domain, which is the email domain name that is associated with the virtual gateway address, such as mycompany.com or mydomain.com.

IP address, which is the IPv4 or IPv6 address that is assigned to the virtual gateway address, such as 199.209.31.X or 2001:db8::X.

The other options are not attributes that are allocated to each virtual gateway address on Cisco ESA.

With DomainKeys or DKIM email authentication, the sender signs the email using public key cryptography. Configuring DomainKeys and DKIM Signing A signing key is the private key stored on the appliance. https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_010101.html?bookSearch=true

User and routing are two query types that are available when an LDAP profile is configured on Cisco ESA. User queries are used to validate end-user credentials, such as for Spam Quarantine End-User Authentication or SMTP Authentication. Routing queries are used to determine the destination mail server for a recipient, such as for Mail Flow Policies or Delivery Methods.