AsyncOS 14.2

📘

Release Notes

Please read and review the entire Release Notes:

Gateway (HW/On-prem): Release Notes for AsyncOS 14.2.1 for Cisco Secure Email Gateway

Cloud Gateway: Release Notes for AsyncOS 14.2 for Cisco Cloud/Hybrid Secure Email

What's New In This Release

Sender Maturity

In this release, the legacy Sender Domain Reputation (SDR) Domain Age functionality is replaced with Sender Maturity. Sender Maturity is an important feature to establish sender reputation. Sender Maturity is automatically generated for spam classification based on multiple sources
of information and can differ from the “Whois-based domain age.”

Sender Maturity represents the Cisco Talos view of how mature a domain is as an email sender. The maturity value is tuned to enable threat detection regarding emails and generally does not reflect the domain age represented in the “Whois-based domain age.”

Sender Maturity is set to a limit of 30 days, and beyond this limit, a domain is considered mature as an email sender, and no further details are provided.

Note: From this release onwards, the 'SDR Domain Age' configured filters are automatically updated to the 'SDR Sender Maturity' filters. The filters with an invalid value for Sender Maturity are marked as 'inactive' after the upgrade. Make sure you review and modify the message and content filters accordingly.

Sender Maturity is used to calculate the sender reputation. Immature domains are assigned a lower reputation. Cisco Talos recommends you rely on sender reputation only for determining policy actions. Sender Maturity is exposed to fine-tune filters for specific, non-standard scenarios.

Note: Cisco Talos does not manually adjust maturity for domains but relies on automated systems and sensors to determine the most appropriate value.

For more information, see the “Sender Domain Reputation Filtering” chapter in the user guide.

Sender Domain Reputation Filtering Improvements

In this release, the user experience and overall quality of the Sender Domain Reputation (SDR) service are enhanced with performance improvements, increased availability, and deployment of SDR.

New Sender Domain Reputation Verdicts

📘

Cisco Talos Sender Domain Reputation (SDR)

Note: This requires CCO ID and Password, the white paper is hosted from the Cisco Community support forums (Cisco Community > Cisco Insider User Group > Security Track > Security Knowledge Base > Cisco Talos Sender Domain Reputation (SDR))

The attached white paper provides an overview of Cisco Talos SDR.

The 'SDR Whitepaper AsyncOS14.2' version published on June 2nd, 2022 is specific to release AsyncOS 14.2 and later (verdict updates & maximum value for Domain Maturity).

From this release onwards, the Sender Domain Reputation (SDR) verdicts are updated to accurately reflect the intended meaning and recommended usage.

During the upgrade, the system automatically updates the Sender Domain Reputation message or content filter configurations to reflect the new verdicts. Make sure you review and configure the message or content filters accordingly.

The following table lists the legacy SDR verdicts mapped to the new SDR verdicts:

Legacy SDR VerdictsNew SDR Verdicts
AwfulUntrusted
PoorQuestionable
TaintedNeutral
WeakNeutral
NeutralFavorable
GoodTrusted
UnknownUnknown

Note: The SDR Reporting and Tracking AsyncOS APIs are updated to reflect the new SDR Threat Levels and Category structure.

Note: The SDR Mail and Tracking Logs are updated to reflect the new SDR Threat Levels and Sender Maturity details.

For more information, see the:

  • “Sender Domain Reputation Filtering” chapter in the user guide.
  • “Sender Domain Reputation Filtering” section in the “The Commands: Reference Examples” chapter of the CLI reference guide.

Enhancements on Grouping Appliances for File Analysis Reporting

The email gateway now uses the Smart Account ID to group appliances in your organization and to view the file analysis result of all appliances.

When Smart Licensing is enabled on your email gateway, and you configure the appliance group for file analysis reporting, the system automatically registers Smart Account ID as the Appliance Group ID. You can change the Appliance Group ID at any time, and the change takes effect immediately without a Commit action.

For more information, see the:

  • “(Public Cloud File Analysis Services Only) Configuring Appliance Groups” section in the “File Reputation Filtering and File Analysis” chapter of the user guide.
  • “(Public Cloud File Analysis Services Only) Configuring Appliance Groups” section in the “The Commands: Reference Examples” chapter of the CLI reference guide.

Smart Software Licensing Enhancements

Following are the enhancements made to the Smart Software Licensing feature:
License Reservation: You can reserve licenses for features enabled in your email gateway without connecting to the Cisco Smart Software Manager (CSSM) portal. This is mainly beneficial for covered users that deploy the email gateway in a highly secured network environment with no communication to the Internet or
external devices.
Device Led Conversion: After you register your email gateway with smart licensing, all existing, valid classical licenses are automatically converted to smart licenses using the Device Led Conversion (DLC) process. These converted licenses are updated in the virtual account of the CSSM portal.

For more information, see the:

  • “Overview and Reserving Feature Licenses" sections in the “File System Administration” chapter of the user guide.
  • "Smart Software Licensing” section in the “The Commands: Reference Examples” chapter of the CLI reference guide.

TLS Certificate Enhancement for Destination Control

You can now choose a different certificate other than the certificate configured in the ‘Default' destination control entry for specific domains.

You can choose a different certificate in any one of the following ways:

  • Edit the corresponding destination control entry and select a different certificate using the TLS certificate option in the web interface.
  • Use the destconfig > new or edit subcommands in the CLI to select a certificate when you create or edit a destination control entry.

For more information, see the “Controlling TLS” section in the “Configuring Routing and Delivery Features” chapter of the user guide.

Modification of Classic Licensing - Expiration Date in Web Interface and CLI

From this release onwards, the existing ‘Expiration Date’ column header in the web interface and CLI for classic licensing is modified as follows – “Expiration Date (including the grace period)” to indicate that the grace period is included in the expiration date.

Note: All alert messages and mail logs are modified to display the expiration date, including the grace period for a feature key.

Detecting Smart Identifier with or without Prefix

The email gateway now detects a smart identifier with or without the keyword ('credit,' 'ssn,' 'cusip,' or 'aba') added as a prefix in the message content.

You can configure the content filter condition or message filter rule to detect the smart identifier with or without the keyword added as a prefix in the following ways:

  • Use the Contains smart identifier prefix option in the content filter condition for Message Body, Message Body or Attachment, and Attachment Content. For more information, see the 'Content Filter Condition' section in the 'Content Filter' chapter of the user guide.
  • Use the prefix syntax in the message filter rule. For more information, see the 'Smart Identifier Syntax' section in the 'Using Message Filters to Enforce Email Policies' chapter of the user guide.

Caching for Syslog Push Log Subscriptions

You can now configure a local disk buffer for a Syslog push log subscription to allow the email gateway to cache log events when the remote Syslog server is unavailable. When the Syslog server becomes available, the email gateway sends all the data in the buffer for that log subscription to the Syslog server.

You can configure the disk buffer parameters in the following ways:

  • System Administration > Log Subscription page in web interface. For more information, see the 'Log Retrieval Methods' section in the 'Logging' chapter of the user guide.
  • logconfig command in CLI. For more information, see the 'Logging and Alerts' section in the 'The Commands: Reference Examples' chapter of the CLI Reference Guide.

New File Types - .SFP and .RE Support for File Reputation Scanning

From this release onwards, the File Reputation service can scan message attachments of file types, .SFP and .RE and return verdicts to the email gateway.

Configuring Maximum Number of Content Dictionaries in Email Gateway

You can now configure a maximum number of 150 content dictionaries in your email gateway.

Note: By default, you can configure a maximum of 100 content dictionaries in your email gateway.

Use the dictionaryconfig > dictionarylimits subcommand in the CLI to modify the default limits.

Note: When you use content dictionaries extensively with ‘Message Body or Attachments’ content filter condition or ‘Body Scanning’ or ‘Attachment Scanning’ message filter rules, it may degrade system performance.

For more information see the ’Policy Enforcement’ section in ‘The Commands: Reference Examples’ chapter of the CLI reference guide associated with this release.