cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1022
Views
0
Helpful
4
Replies

What happens when no content filters have a final action?

Donald Nash
Level 3
Level 3

What happens when none of the content filters enabled for a particular policy have final actions? Is the default final action to deliver the message after applying all the relevant non-final actions? This is how it works for message filters, but I'm still learning the ropes for content filters (they didn't exist when I started using AsyncOS, and I ignored them for a long time). Amazingly enough, the documentation doesn't explicitly explain this situation, at least not that I could find. Maybe I just didn't read the right place.

Thanks,

4 Replies 4

martinc8306
Level 1
Level 1

It does not look like you can define a content filter without applying a final action, when attempting to Submit with no final action you get the error "Error — Please add at least one action"

This seems to be the same trend for a regular expression filter via the CLI

Donald Nash
Level 3
Level 3

It does not look like you can define a content filter without applying a final action

Keep in mind what a final action is: bounce(), deliver(), or drop(). I already have several content filters which lack one of these actions, which results in the message cascading into the next matching filter. What you can't create is a filter which lacks any actions at all.

I think I've answered my own question. Without an explicit bounce(), deliver(), or drop(), the message is processed by all matching filters and then delivered.

Bart_ironport
Level 1
Level 1

I think I've answered my own question. Without an explicit bounce(), deliver(), or drop(), the message is processed by all matching filters and then delivered.

Indeed. Content filters are similar to message filters. They aren't as powerful, but can use information such as the Antispam/Antivirus verdict which isn't available in message filters and they are applied after splintering.

Conditions aren't required in content filters, but you need at least one action. Sometimes it can be useful for reporting to include a condition even if it seems redundant. For example if you want a content filter that strips all executables. You could create the filter without condition or add a condition which checks if there really is an executable attachment.
The end result is the same, but with the extra condition you can see in the content filter report how often an exe was stripped (The content filter report shows how often a content filter was matched - not how often the actions did anything useful).

Donald Nash
Level 3
Level 3

but you need at least one action.

Right. The filter in question had a notify-copy() action and a deliver() action. The deliver() action was keeping subsequent filters from running. There were no subsequent filters when the one in question was originally written, so the deliver() was superfluous but not harmful. I realized it was a problem only when I added another filter. I've removed the deliver() action.

This was basically a case of knowing the answer intellectually (content filters use the same language as message filters, after all), but not having any experience or documentation to back it up.

Thanks,

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: