Configuring AsyncOS Message Filter to Add Sender IP Header for Email Threat Defense
AsyncOS + Email Threat Defense
Cisco Secure Email Threat Defense looks to message headers added by the mail platform (Office 365) to identify the sender IP for each message. For customers that also have a secure email gateway (SEG), such as Cisco Secure Email Gateway (ESA) or Cloud Gateway (CES), the mail platform will naturally identify the customer's SEG as the sender IP and source of all inbound messages.
To ensure Email Threat Defense (ETD) can identify the correct sender IP upstream of the SEG, ETD can be configured to look for a custom message header that the SEG inserts into inbound messages to record the original sender IP. If the SEG is not already inserting this header, it must be configured to insert the custom message header, with the sender IP as its value, into all inbound messages.
The Gold Config + Best Practice for AsyncOS includes a message filter that inserts a custom message header called X-IronPort-RemoteIP, using the $RemoteIP variable to set the header value to the IP address of the system that sent the message to the email gateway.
addHeaders: if sendergroup != "RELAYLIST" {
    insert-header("X-IronPort-RemoteIP", "$RemoteIP");
    insert-header("X-IronPort-MID", "$MID");
    insert-header("X-IronPort-Reputation", "$Reputation");
    insert-header("X-IronPort-Listener", "$RecvListener");
    insert-header("X-IronPort-SenderGroup", "$Group");
    insert-header("X-IronPort-MailFlowPolicy", "$Policy");
}
For Cloud Gateway (CES) customers, this addHeaders message filter is included by default with the initial provisioning. This can be confirmed by connecting to the CLI for CES, then using the commands filters, list, and finally detail to inspect the full message filter.
For on-premises Gateway (ESA) customers, the message filter is not a default configuration and will need to be added using the CLI unless it was previously added. See Gold Config + Best Practice for AsyncOS: CLI Level Changes under the subheading Header Stamping Filter.
Third-party SEGs
For ETD customers with a third-party SEG, the SEG will need to insert a custom header on all inbound messages, containing only the sender IP as its value. ETD can utilize a preexisting third-party header or the SEG may be configured to insert a new custom header. In either case, the name of this third-party/custom header will need to be identified to ETD by adding its header name to the "Use Custom SEG header" configuration on the ETD Policy page in the "Secure Email Gateway (SEG)" panel.
Common third-party sender IP headers are listed below for convenience. However, the presence of these headers should be confirmed in each customer deployment, and the customer should consult the third-party vendor if additional SEG configuration is required.
| Third-party SEG | Common Third-party Sender IP Header |
|---|---|
| Proofpoint | X-Sending-IP |
| Barracuda | X-BESS-Apparent-Source-IP |
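The following added example (not Cisco's code, and not how ETD is implemented) shows the check a consumer of such a header has to make: the SEG-inserted header, whether X-IronPort-RemoteIP or a third-party name from the table, must be present exactly once and carry only an IP address. The sample message and its IP values are constructed.

```python
import email
import ipaddress
from email import policy

# Constructed sample: an inbound message after the addHeaders filter on the
# Gateway has stamped it. Addresses are documentation ranges, not real hosts.
SAMPLE_MESSAGE = """\
Received: from seg.example.invalid (192.0.2.10) by mail.example.invalid
X-IronPort-RemoteIP: 203.0.113.45
X-IronPort-MID: 123456
X-IronPort-SenderGroup: UNKNOWNLIST
From: sender@example.invalid
To: user@example.invalid
Subject: test

body
"""


def sender_ip_from_seg_header(raw_message, header_name="X-IronPort-RemoteIP"):
    """Return the sender IP string carried in the SEG-inserted header.

    Returns None when the header is missing (the message may not have
    traversed the SEG), appears more than once (ambiguous origin), or its
    value is not a single IP address, which is what the page requires of a
    custom SEG header.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    values = msg.get_all(header_name) or []
    if len(values) != 1:
        return None
    try:
        return str(ipaddress.ip_address(str(values[0]).strip()))
    except ValueError:
        return None


if __name__ == "__main__":
    print(sender_ip_from_seg_header(SAMPLE_MESSAGE))
    # A third-party header name that this message does not carry:
    print(sender_ip_from_seg_header(SAMPLE_MESSAGE, "X-Sending-IP"))
```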