Cisco Secure Email Cloud Gateway

Cloud Email Security (CES) is monitored by the Cisco Operations team and provides proactive monitoring of alarms generated by CES instances.


Status of the CES environment can be seen here:
Status of Email Services (Signature Updates, etc):

How will I be notified of an issue?

When a customer is on-boarded the technical contact that is provided will be sent notifications of maintenance windows and issues.

❗ Monitoring and alerts do not apply to Beta Appliances in a customer Cloud Gateway instance as these are considered to be non-production allocations.

How do I add email addresses for notifications?

To have new or additional contacts added to the customer notification list, please reach out to Cisco TAC and request an addition to the CES notification list.

Responsibility Matrices


Monitor Datacenter connectivity and issue alerts of the potential impactx
Monitor ESA and SMA instances for availabilityx
Monitor supporting systems availability (billing, licensing, and provisioning systems)x
Monitor underlying virtual infrastructurex
Monitor storage availability and performancex


Notify of changes to the user counts of the servicex
Monitor and address issues with the workqueuesx
Monitor downstream mailbox services (Exchange, O365)x
Add additional capacity to existing servicex*
Monitor delivery times of messages (as per SLA)x



If a customer environment changes (additional user counts, higher volume expected) a ticket can be opened to request a capacity review to add capacity. Capacity is measured on a 30 day volume average.


Configuration of Policies for Inbound and Outbound Mailx
Upgrade of the vESA and the vSMAx
Backup of Configuration datax
Provide 24x7 break-fix Technical Support via TACx
Create and maintain secure passwords for the applicationsx
Monitor and action SLA level alarmsx


Monitor internal user activity for potential compromisex
Ensure configuration is set to effectively block threats using engines availablex
Perform penetration and vulnerability tests on the servicex
Assess and action on PSIRT notificationsx
Monitor and control access to the management environmentx

What ports are monitored by CES Operations?

  • SMTP (25)
  • HTTP (443)
  • SSH (22)
  • SMA: 6025, 7025

What thresholds do the alarms get triggered on?

Active Recipients3000600010000
Connections In300300300
CPU utilization95%95%95%
Hard Bounced Recipients200030005000
Kb Free1,000,0001,000,0001,000,000
Msgs in Work Queue120025005000
Oldest Message432000s432000s432000s
RAM Utilization606060
Soft Bounced Events200030005000
Total Utilization90%90%90%

All rates are shown as the average rate at an event that occurs per hour at the specific point in time the query is made. Rates are calculated for three intervals, the average rate per hour over the past one (1) minute, the past five (5) minutes, and the past fifteen (15) minutes.

For example, if the Cisco appliance receives 100 recipients in a single minute, then the rate for the one (1) minute interval will be 6,000 per hour. The rate for the 5-minute interval will be 1,200 per hour, and the 15-minute rate will be 400 per hour. The rates are calculated to indicate what the average rate for the hour would be if the rate for the one-minute period continued. Therefore, 100 messages each minute would yield a higher rate than 100 messages over 15 minutes.

For questions and clarity on monitoring specific to your CES appliance(s), please open a support case with Cisco TAC.